Cert Manager Webhook for Pinto DNS is an ACME webhook for cert-manager that lets cert-manager solve DNS01 challenges using Pinto DNS.

Before installing the webhook you need:

- A Pinto Access Key and a Pinto Secret Key
- A valid domain configured on Pinto DNS
- A Kubernetes cluster (v1.19+ recommended)
- Helm 3 installed on your computer
- cert-manager deployed on the cluster, for example:

```shell
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.yaml
```

v1.0.4 is the release pinned in this guide; pick a current cert-manager release deliberately rather than copying the version blindly. The `--validate=false` flag is only required on older kubectl versions that cannot validate the CRD manifests.
Once everything is set up, you can install the Pinto Webhook:

- Clone this repository:

```shell
git clone https://github.com/camaoag/cert-manager-webhook-project-pinto.git
```

- From the cloned repository, run:

```shell
helm install pinto-webhook deploy/pinto-webhook
```

- Alternatively, supply default credentials at install time. The webhook uses these whenever an Issuer does not reference its own secret:

```shell
helm install pinto-webhook deploy/pinto-webhook --set secret.accessKey=<YOUR-ACCESS-KEY> --set secret.secretKey=<YOUR-SECRET-KEY>
```

Values passed with `--set` end up in your shell history and are stored in the Helm release Secret in the cluster. A values file (`-f values.yaml`) or `--set-file` keeps the keys out of your history; anyone who can read Secrets in the release namespace can still recover them from the release record.

The Pinto Webhook is now installed.
Note: the webhook plugs into cert-manager's webhook solver mechanism. Once the Issuer is configured, everything that follows (CertificateRequests, Orders, Challenges, renewal) is plain cert-manager; see the cert-manager documentation for details.

Now that the webhook is installed, here is how to use it.
Let's say you need a certificate for example.com (the domain must be registered in Pinto DNS).

The first step is to create a Secret containing the Pinto Access and Secret keys. This is only needed if you did not supply default credentials at install time, as shown above. Create a pinto-secret.yaml file with the following content:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: pinto-secret
type: Opaque
stringData:
  PINTO_OAUTH_CLIENT_ID: <YOUR-pinto-ACCESS-KEY>
  PINTO_OAUTH_CLIENT_SECRET: <YOUR-pinto-SECRET-KEY>
```

And run:

```shell
kubectl create -f pinto-secret.yaml
```

Create the Secret in the same namespace as the Issuer that will reference it; a namespaced Issuer can only read Secrets from its own namespace.
The next step is to create a cert-manager Issuer. Create an issuer.yaml file with the following content:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-pinto-issuer
spec:
  acme:
    email: [email protected]
    # this is the ACME staging URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # for production use this URL instead
    # server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: my-pinto-private-key-secret
    solvers:
      - dns01:
          webhook:
            groupName: acme.pinto.com
            solverName: pinto
            config:
              # Only needed if you don't have default credentials as seen above.
              accessKeySecretRef:
                key: PINTO_OAUTH_CLIENT_ID
                name: pinto-secret
              secretKeySecretRef:
                key: PINTO_OAUTH_CLIENT_SECRET
                name: pinto-secret
              # optional
              pintoProvider: "digitalocean"
              pintoApiUrl: "https://pinto.irgendwo.co"
              oauthTokenUrl: "https://auth.pinto.irgendwo.co/connect/token"
```

And run:

```shell
kubectl create -f issuer.yaml
```

Two things to check if challenges never get solved: `groupName` must match the API group the webhook was deployed with, otherwise cert-manager cannot route the challenge to this solver; and if you use a ClusterIssuer instead of an Issuer, cert-manager resolves the secret references in its own cluster-resource namespace (`cert-manager` by default), not in the namespace of the Certificate.
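The `config:` block above has two credential paths: explicit secret references, or the default credentials supplied at Helm install time. The following Go example, added for this page and not the project's own code, shows how a webhook solver would decode that block and choose between the two paths so that a misconfiguration fails the challenge instead of silently falling back. The `SolverConfig` struct, the in-memory `MapSecretLookup` stand-in for the Kubernetes API, and the error policy (both refs or neither; a ref that cannot be read is an error) are assumptions of the example, not documented behaviour of the Pinto webhook.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// SecretKeySelector is the {name, key} pair used by cert-manager secret references.
type SecretKeySelector struct {
	Name string `json:"name"`
	Key  string `json:"key"`
}

// SolverConfig is an assumed Go shape for the `config:` block under the dns01
// webhook solver. Field names match the Issuer example; the struct is illustrative.
type SolverConfig struct {
	AccessKeySecretRef *SecretKeySelector `json:"accessKeySecretRef,omitempty"`
	SecretKeySecretRef *SecretKeySelector `json:"secretKeySecretRef,omitempty"`
	PintoProvider      string             `json:"pintoProvider,omitempty"`
	PintoAPIURL        string             `json:"pintoApiUrl,omitempty"`
	OAuthTokenURL      string             `json:"oauthTokenUrl,omitempty"`
}

// Credentials is the OAuth client id / client secret pair sent to Pinto.
type Credentials struct {
	AccessKey string
	SecretKey string
}

// SecretLookup reads one key of a Secret in a namespace. A real webhook backs
// this with a Kubernetes client; here it is an in-memory map (see MapSecretLookup).
type SecretLookup func(namespace, name, key string) (string, error)

// ParseSolverConfig decodes the raw JSON cert-manager hands to the webhook.
// Unknown fields are rejected so that a typo such as "accesKeySecretRef" fails
// loudly instead of silently selecting the default credentials.
func ParseSolverConfig(raw []byte) (SolverConfig, error) {
	var cfg SolverConfig
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&cfg); err != nil {
		return SolverConfig{}, fmt.Errorf("solver config: %w", err)
	}
	return cfg, nil
}

// ResolveCredentials picks the credentials for one challenge:
//   - both secret refs set -> read them from the challenge's resource namespace
//   - neither set          -> use the defaults supplied at Helm install time
//   - only one set, a ref that cannot be read, or empty values -> error
func ResolveCredentials(cfg SolverConfig, namespace string, lookup SecretLookup, defaults Credentials) (Credentials, error) {
	switch {
	case cfg.AccessKeySecretRef == nil && cfg.SecretKeySecretRef == nil:
		if defaults.AccessKey == "" || defaults.SecretKey == "" {
			return Credentials{}, errors.New("no secret refs in solver config and no default credentials configured")
		}
		return defaults, nil
	case cfg.AccessKeySecretRef == nil || cfg.SecretKeySecretRef == nil:
		return Credentials{}, errors.New("accessKeySecretRef and secretKeySecretRef must be set together")
	}
	access, err := lookup(namespace, cfg.AccessKeySecretRef.Name, cfg.AccessKeySecretRef.Key)
	if err != nil {
		return Credentials{}, fmt.Errorf("accessKeySecretRef: %w", err)
	}
	secret, err := lookup(namespace, cfg.SecretKeySecretRef.Name, cfg.SecretKeySecretRef.Key)
	if err != nil {
		return Credentials{}, fmt.Errorf("secretKeySecretRef: %w", err)
	}
	if access == "" || secret == "" {
		return Credentials{}, errors.New("referenced secret keys are empty")
	}
	return Credentials{AccessKey: access, SecretKey: secret}, nil
}

// MapSecretLookup builds a SecretLookup over constructed in-memory secrets
// keyed "namespace/name"; it stands in for the API server in this example.
func MapSecretLookup(secrets map[string]map[string]string) SecretLookup {
	return func(namespace, name, key string) (string, error) {
		data, ok := secrets[namespace+"/"+name]
		if !ok {
			return "", fmt.Errorf("secret %s/%s not found", namespace, name)
		}
		v, ok := data[key]
		if !ok {
			return "", fmt.Errorf("secret %s/%s has no key %q", namespace, name, key)
		}
		return v, nil
	}
}

func main() {
	// Constructed config mirroring the Issuer example above.
	raw := []byte(`{"accessKeySecretRef":{"name":"pinto-secret","key":"PINTO_OAUTH_CLIENT_ID"},
	                "secretKeySecretRef":{"name":"pinto-secret","key":"PINTO_OAUTH_CLIENT_SECRET"},
	                "pintoProvider":"digitalocean"}`)
	cfg, err := ParseSolverConfig(raw)
	if err != nil {
		panic(err)
	}
	// Constructed secret data standing in for the pinto-secret Secret.
	lookup := MapSecretLookup(map[string]map[string]string{
		"default/pinto-secret": {"PINTO_OAUTH_CLIENT_ID": "client-id", "PINTO_OAUTH_CLIENT_SECRET": "client-secret"},
	})
	creds, err := ResolveCredentials(cfg, "default", lookup, Credentials{})
	if err != nil {
		panic(err)
	}
	fmt.Printf("using client id %q for provider %s\n", creds.AccessKey, cfg.PintoProvider)
}
```

Only the client id is ever printed; the client secret is kept in memory and handed to the Pinto client. Rejecting a half-configured reference, rather than mixing one referenced value with one default, keeps credentials from two different Pinto accounts from being combined by accident.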
Finally, you can create the Certificate object for example.com. Create a certificate.yaml file with the following content:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
spec:
  dnsNames:
    - example.com
  issuerRef:
    name: my-pinto-issuer
  secretName: example-com-tls
```

And run:

```shell
kubectl create -f certificate.yaml
```

After some seconds (DNS propagation of the `_acme-challenge` TXT record can take longer), you should see the certificate as ready:

```shell
$ kubectl get certificate example-com
NAME          READY   SECRET            AGE
example-com   True    example-com-tls   1m12s
```

Your certificate is now available in the example-com-tls Secret. If READY stays False, `kubectl describe challenge` shows the current state of the DNS01 challenge and the reason it is not yet valid.
Before running the integration tests, you need:

- A valid domain on Pinto DNS (here example.com)
- The variables PINTO_OAUTH_CLIENT_ID and PINTO_OAUTH_CLIENT_SECRET set to valid values in the environment

The tests create and remove real TXT records in that zone, so use a zone you control and credentials scoped to it. To run the integration tests, run:

```shell
TEST_ZONE_NAME=example.com make test
```