
IBM Cloud Internet Service Webhook for Cert Manager

This is a webhook solver for IBM Cloud Internet Service.

The old repo is out of support; that is why this new repo exists.

Docker Repository on Quay

Prerequisites

#kubectl create namespace cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
#kubectl get pods -n cert-manager

Installation

Notice: the pod will not start up until the steps under Configuration have been performed. The deployment references a secret that is not created until those steps are taken, so do not expect the pod to start before that secret is in place.

Assuming that (1) cert-manager is running in the namespace cert-manager, (2) you accept that this webhook will be installed into the namespace cert-manager-webhook-ibmcis, and (3) the API group acme.borup.work will be used, it is recommended to install via this pre-defined file:

kubectl apply -f https://raw.githubusercontent.com/IBM/cert-manager-webhook-ibmcis/master/cert-manager-webhook-ibmcis.yaml

How cert-manager-webhook-ibmcis.yaml is created (information)

This is just to help me remember how I created the static version of the file, and to inspire you if you want to try to run it in a different configuration. Be warned, however, that making it run in a different namespace is not the simplest thing.

helm template --name-template cert-manager-webhook-ibmcis ./deploy/cert-manager-webhook-ibmcis > cert-manager-webhook-ibmcis.yaml

Customized installation

Only do the steps in this section (customized installation) if you did not do the step in the Installation section.

helm install --name-template cert-manager-webhook-ibmcis ./deploy/cert-manager-webhook-ibmcis

Issuer

  1. (Optional but recommended) Generate a service ID (ibmcloud iam service-id-create cert-manager-webhook-ibmcis-sid -d "Service id that cert-manager-webhook-ibmcis uses") and grant it "service access" level permission as Reader, Writer, Manager to the relevant IBM Cloud Internet Service instance(s) only (example that grants access to a specific instance of IBM Cloud Internet Services: ibmcloud iam service-policy-create cert-manager-webhook-ibmcis-sid --service-instance SERVICE_INSTANCE_GUID --roles Reader,Writer,Manager).

  2. Generate an API key from IBM Cloud (example: ibmcloud iam service-api-key-create cert-manager-webhook-ibmcis-sid-apikey cert-manager-webhook-ibmcis-sid -d "API key used for cert-manager-webhook-ibmcis to do the DNS01 ACME flow signed certificates").

  3. Create a namespace to run this webhook in; cert-manager-webhook-ibmcis is recommended (for example kubectl create namespace cert-manager-webhook-ibmcis).

  4. Create a secret that stores the API key (the value of IC_API_KEY):

kubectl --namespace cert-manager-webhook-ibmcis create secret generic \
    ibmcis-credentials --from-literal=api-token='<IC_API_KEY>'
  5. (Optional) Create a staging issuer. Use this step if you want to test while avoiding the Let's Encrypt production rate limits (certificates issued by the staging environment are not valid for production).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager-webhook-ibmcis
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging

    solvers:
    - dns01:
        webhook:
          groupName: acme.borup.work
          solverName: ibmcis
          config:
            apiKeySecretRef:
              name: ibmcis-credentials
              key: api-token
            cisCRN:
              - "crn:v1:bluemix:public:internet-svcs:global:***::"
      selector:
        dnsZones:
        - 'example.com'
  6. Create a production issuer.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager-webhook-ibmcis
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod

    solvers:
    - dns01:
        webhook:
          groupName: acme.borup.work
          solverName: ibmcis
          config:
            apiKeySecretRef:
              name: ibmcis-credentials
              key: api-token
            cisCRN:
              - "crn:v1:bluemix:public:internet-svcs:global:***::"
      selector:
        dnsZones:
        - 'example.com'

Or you can create a ClusterIssuer as below:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod

    solvers:
    - dns01:
        webhook:
          groupName: acme.borup.work
          solverName: ibmcis
          config:
            apiKeySecretRef:
              name: ibmcis-credentials
              key: api-token
            cisCRN:
              - "crn:v1:bluemix:public:internet-svcs:global:***::"
      selector:
        dnsZones:
        - 'example.com'
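As an added example (not the project's own code), here is how the `config:` block above reaches a cert-manager DNS01 webhook: cert-manager hands it to the solver as JSON, and the solver should decode and validate it before touching the referenced secret. The struct shape, the checks and the `RelativeRecordName` helper are assumptions for illustration, not the project's API; the sample config is constructed from the manifest above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: the Issuer's `config:` block as cert-manager hands it to the
// webhook (JSON rather than YAML); the CRN is the same placeholder as on the page.
var sampleConfig = []byte(`{"apiKeySecretRef": {"name": "ibmcis-credentials", "key": "api-token"}, "cisCRN": ["crn:v1:bluemix:public:internet-svcs:global:***::"]}`)

// IBMCISConfig is an assumed shape for the solver config; the project's own
// struct and field names may differ.
type IBMCISConfig struct {
	APIKeySecretRef struct {
		Name string `json:"name"`
		Key  string `json:"key"`
	} `json:"apiKeySecretRef"`
	CISCRN []string `json:"cisCRN"`
}
const crnPrefix = "crn:v1:bluemix:public:internet-svcs:global:"

// ParseConfig decodes and validates the solver config before any secret is read.
func ParseConfig(raw []byte) (*IBMCISConfig, error) {
	dec := json.NewDecoder(strings.NewReader(string(raw)))
	dec.DisallowUnknownFields() // a misspelled key such as cisCRNs fails here, not as a silent empty list
	var cfg IBMCISConfig
	if err := dec.Decode(&cfg); err != nil {
		return nil, fmt.Errorf("decode solver config: %w", err)
	}
	if cfg.APIKeySecretRef.Name == "" || cfg.APIKeySecretRef.Key == "" || len(cfg.CISCRN) == 0 {
		return nil, errors.New("apiKeySecretRef.name, apiKeySecretRef.key and at least one cisCRN are required")
	}
	for _, crn := range cfg.CISCRN { // only CIS instance CRNs belong here
		if !strings.HasPrefix(crn, crnPrefix) || !strings.HasSuffix(crn, "::") {
			return nil, fmt.Errorf("cisCRN %q is not an IBM CIS instance CRN", crn)
		}
	}
	return &cfg, nil
}

// RelativeRecordName maps cert-manager's ResolvedFQDN and ResolvedZone (both with a
// trailing dot) to the TXT record name inside the zone, e.g. "_acme-challenge".
func RelativeRecordName(fqdn, zone string) (string, error) {
	if !strings.HasSuffix(fqdn, "."+zone) {
		return "", fmt.Errorf("%s is not inside zone %s", fqdn, zone)
	}
	return strings.TrimSuffix(fqdn, "."+zone), nil
}
```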

Certificate

Then create the certificate that will use this issuer: https://cert-manager.io/docs/usage/certificate/

Create a Certificate using the Issuer as below:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: cert-manager-webhook-ibmcis
spec:
  commonName: example.com
  dnsNames:
  - example.com
  - "*.example.com"
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
  secretName: example-com-tls

Or create a Certificate using the ClusterIssuer as below:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
spec:
  commonName: example.com
  dnsNames:
  - example.com
  - "*.example.com"
  issuerRef:
    name: letsencrypt-prod # must match the name of the ClusterIssuer created above
    kind: ClusterIssuer
  secretName: example-com-tls

Automatically creating Certificates for Ingress resources

See this.

Development

All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.

It is essential that you configure and run the test suite when creating a DNS01 webhook.

A Go test file for this provider is provided in main_test.go and has been used for the tests (via Docker, see the section below).

Before you can run the test suite, you need to download the test binaries:

mkdir -p __main__/hack
wget -O- https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.14.1-linux-amd64.tar.gz | tar xz --strip-components=1 -C __main__/hack

Then modify testdata/ibmcis/config.json to set up the configuration.

Now you can run the test suite with:

TEST_ZONE_NAME=example.com. go test .

Test via Docker (the Mac test binaries are not described in the section above)

#CRN to be used in config.json as cisCRN
#ic resource service-instance borup.work-is -g default --output json | jq .[0].crn
ibmcloud resource service-instance <CIS INSTANCE NAME> -g <RESOURCE GROUP> --output json | jq .[0].crn
docker run -it -v${PWD}:/workspace -w /workspace  --env-file .env golang:1.17 /bin/bash
apt update
apt upgrade -y
apt-get install -y bzr 
#TEST_ZONE_NAME=example.com. go test .
cat > testdata/ibmcis/config.json <<EOF
{
    "cisCRN": [ "crn:v1:bluemix:public:internet-svcs:global:xxxxxxxx::" ]
}
EOF

#export IC_API_KEY=xxxxx

TEST_ZONE_NAME=example.com. go test .
