mmmake-gmbh/cert-manager-webhook-project-pinto

Cert Manager Webhook for Pinto DNS

//TODO replace URLs
Cert Manager Webhook for Pinto DNS is an ACME DNS-01 solver webhook for cert-manager. It lets cert-manager create and remove the _acme-challenge TXT records in zones managed by Pinto DNS, so Let's Encrypt (or any other ACME CA) can validate domain ownership without exposing an HTTP endpoint.

Getting started

Prerequisites

cert-manager must be installed in the cluster before the webhook (the release this README was written against is v1.0.4):

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.yaml

The --validate=false flag only disables kubectl's client-side schema validation, which older kubectl versions cannot perform on the cert-manager CRD manifest; the API server still validates the objects.

Installing

Once cert-manager is running, install the Pinto webhook:

  • Clone this repository:
git clone https://github.com/camaoag/cert-manager-webhook-project-pinto.git
  • Run:
helm install pinto-webhook deploy/pinto-webhook
  • Alternatively, pass the Pinto credentials at install time. The chart then stores them in a Secret it manages and every Issuer that omits its own secret references uses them as default credentials:
helm install pinto-webhook deploy/pinto-webhook --set secret.accessKey=<YOUR-ACCESS-KEY> --set secret.secretKey=<YOUR-SECRET-KEY>
  Be aware that values passed with --set end up in your shell history and in the Helm release record (a Secret in the release namespace), so anyone who can read those can recover the Pinto credentials. Creating the Secret yourself, as described under "How to use it", avoids the command-line exposure.

The Pinto Webhook is now installed!

How to use it

Note: This project only implements the cert-manager webhook solver interface. Everything after the Issuer is configured (Orders, Challenges, Certificates, renewal) is plain cert-manager; refer to the cert-manager documentation for those.

Now that the webhook is installed, here is how to use it. Let's say you need a certificate for example.com; the zone for that name must be managed in Pinto DNS, because the webhook has to write TXT records into it.

The first step is to create a Secret holding the Pinto access and secret keys (only needed if you did not supply default credentials at install time, as shown above). The Secret must live in the same namespace as the Issuer that references it (for a ClusterIssuer, in cert-manager's cluster resource namespace, cert-manager by default). Create a pinto-secret.yaml file with the following content:

apiVersion: v1
kind: Secret
metadata:
  name: pinto-secret
type: Opaque
stringData:
  PINTO_OAUTH_CLIENT_ID: <YOUR-PINTO-ACCESS-KEY>
  PINTO_OAUTH_CLIENT_SECRET: <YOUR-PINTO-SECRET-KEY>

And run:

kubectl create -f pinto-secret.yaml

The next step is to create a cert-manager Issuer. Start with the Let's Encrypt staging endpoint: its certificates are not publicly trusted, but its rate limits are far more generous, so a misconfigured solver does not lock you out of production issuance. Switch to the production URL once a staging certificate issues successfully. Create an issuer.yaml file with the following content:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-pinto-issuer
spec:
  acme:
    email: <YOUR-EMAIL>
    # this is the acme staging URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # for production use this URL instead
    # server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: my-pinto-private-key-secret
    solvers:
    - dns01:
        webhook:
          groupName: acme.pinto.com
          solverName: pinto
          config:
            # Only needed if you don't have default credentials as seen above.
            accessKeySecretRef:
              key: PINTO_OAUTH_CLIENT_ID
              name: pinto-secret
            secretKeySecretRef:
              key: PINTO_OAUTH_CLIENT_SECRET
              name: pinto-secret
            # optional settings: Pinto provider and API/OAuth endpoints
            pintoProvider: "digitalocean"
            pintoApiUrl: "https://pinto.irgendwo.co"
            oauthTokenUrl: "https://auth.pinto.irgendwo.co/connect/token"

And run:

kubectl create -f issuer.yaml

Finally, you can now create the Certificate object for example.com. Create a certificate.yaml file with the following content:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
spec:
  dnsNames:
  - example.com
  issuerRef:
    name: my-pinto-issuer
  secretName: example-com-tls

And run:

kubectl create -f certificate.yaml

After a short while (a DNS-01 challenge waits until the TXT record is visible from cert-manager's resolvers, so this can take a minute or more), you should see the certificate as ready:

$ kubectl get certificate example-com
NAME          READY   SECRET            AGE
example-com   True    example-com-tls   1m12s

Your certificate is now available in the example-com-tls secret!
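The whole procedure above as one script, added here as an example and not part of the project itself. It builds the credential Secret from the same environment variables the integration tests use (so the keys never appear on a command line or in a file on disk), checks that the webhook's APIService is registered before applying the Issuer, and waits for the Certificate to become Ready, dumping the Challenge objects on failure since they carry the actual ACME and DNS error messages. It assumes kubectl is configured for the target cluster, that issuer.yaml and certificate.yaml from this README sit next to the script, that the target namespace is given in NAMESPACE (default: default), and that the webhook was installed with groupName acme.pinto.com as in the Issuer above.

```shell
#!/usr/bin/env bash
# Added example, not code from the cert-manager-webhook-project-pinto project.
# Assumptions: kubectl points at the target cluster; issuer.yaml and
# certificate.yaml from the README are in the current directory; the webhook's
# groupName is acme.pinto.com; credentials are in PINTO_OAUTH_CLIENT_ID and
# PINTO_OAUTH_CLIENT_SECRET.
set -eu

NAMESPACE="${NAMESPACE:-default}"

# Render the Secret manifest using base64-encoded `data` rather than
# `stringData`, so credentials containing quotes, colons or other
# YAML-significant characters are encoded correctly. Returns 1 when either
# credential is empty: an empty Secret would only fail later, at challenge time.
render_pinto_secret() {
  local name="$1" ns="$2" client_id="$3" client_secret="$4"
  if [ -z "$client_id" ] || [ -z "$client_secret" ]; then
    echo "render_pinto_secret: client id and secret must be non-empty" >&2
    return 1
  fi
  local id_b64 secret_b64
  id_b64="$(printf '%s' "$client_id" | base64 | tr -d '\n')"
  secret_b64="$(printf '%s' "$client_secret" | base64 | tr -d '\n')"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  PINTO_OAUTH_CLIENT_ID: ${id_b64}
  PINTO_OAUTH_CLIENT_SECRET: ${secret_b64}
EOF
}

# A cert-manager webhook solver registers an APIService named
# "v1alpha1.<groupName>"; derive that name from the Issuer's groupName.
webhook_apiservice_name() {
  printf 'v1alpha1.%s' "$1"
}

# Fail fast if the webhook's APIService is not Available; otherwise every
# Challenge would sit pending with a solver error instead of failing here.
check_webhook_registered() {
  local group="$1"
  kubectl get apiservice "$(webhook_apiservice_name "$group")" \
    -o jsonpath='{.status.conditions[?(@.type=="Available")].status}' | grep -q True
}

# Wait for the Certificate to become Ready; on timeout show the Challenges,
# which carry the real ACME/DNS error messages.
wait_for_certificate() {
  local cert="$1" ns="$2" timeout="${3:-300s}"
  if ! kubectl -n "$ns" wait --for=condition=Ready "certificate/$cert" --timeout="$timeout"; then
    echo "certificate $cert not Ready in $ns; challenge status:" >&2
    kubectl -n "$ns" describe challenges >&2 || true
    return 1
  fi
}

main() {
  # Credentials are read from the environment, never written to disk.
  render_pinto_secret pinto-secret "$NAMESPACE" \
    "${PINTO_OAUTH_CLIENT_ID:-}" "${PINTO_OAUTH_CLIENT_SECRET:-}" \
    | kubectl apply -f -
  check_webhook_registered acme.pinto.com
  kubectl -n "$NAMESPACE" apply -f issuer.yaml
  kubectl -n "$NAMESPACE" apply -f certificate.yaml
  wait_for_certificate example-com "$NAMESPACE"
}

# Only touch the cluster when invoked as "./issue.sh apply"; sourcing the file
# just defines the functions, which keeps the manifest rendering testable offline.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it with the credentials exported in the environment, e.g. PINTO_OAUTH_CLIENT_ID=... PINTO_OAUTH_CLIENT_SECRET=... ./issue.sh apply. Because the Secret is piped straight into kubectl apply, the credentials appear neither in shell history nor in a file; the Helm release record is also untouched since the chart's default-credential values are never set.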

Integration testing

Before running the tests, you need:

  • A valid zone on Pinto DNS (here example.com); the tests create and delete TXT records in it
  • The environment variables PINTO_OAUTH_CLIENT_ID and PINTO_OAUTH_CLIENT_SECRET set to valid Pinto credentials

To run the integration tests:

TEST_ZONE_NAME=example.com make test