alidns-webhook is a generic ACME solver for cert-manager.
This tutorial will detail how to configure and install the webhook to your cluster with alidns.
Before installing this webhook, make sure you have cert-manager
installed correctly.
If you haven't installed it yet, you can get the installation instructions from the cert-manager documentation.
If you have Helm, you can deploy the alidns-webhook with the following command:
helm upgrade --install alidns-webhook alidns-webhook \
--repo https://wjiec.github.io/alidns-webhook \
--namespace cert-manager --create-namespace \
--set groupName=acme.yourcompany.com
# Note: If you installed cert-manager via bitnami charts, you need to add the additional
# `--set certManager.serviceAccountName=cert-manager-controller`
# parameter to specify the ServiceAccount to use.
It will install the alidns-webhook in the cert-manager namespace, creating that namespace if it doesn't already exist.
If you can't get the image directly through DockerHub, you can use Aliyun's image repository by adding the following parameter to the installation command:
--set image.repository=registry.cn-hangzhou.aliyuncs.com/wjiec/alidns-webhook
Create this definition locally and update the email address and groupName to your own. Please see more details in cert-manager configuration.
Ensure the groupName
matches the config in the webhook.
#
# example-acme-issuer.yaml
#
apiVersion: v1
kind: Secret
metadata:
name: alidns-secret
namespace: cert-manager
stringData:
access-key-id: "Your Access Key Id"
access-key-secret: "Your Access Key Secret"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: example-acme
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: [email protected] # Change ME
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: example-acme
solvers:
- dns01:
webhook:
groupName: acme.yourcompany.com # Change ME
solverName: alidns
config:
region: "cn-hangzhou" # Optional
accessKeyIdRef:
name: alidns-secret
key: access-key-id
accessKeySecretRef:
name: alidns-secret
key: access-key-secret
Once edited, apply the custom resource:
kubectl create --edit -f example-acme-issuer.yaml
We can deploy a certificate directly on Ingress, edit the ingress add the annotations:
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: foo-example-com
annotations:
cert-manager.io/cluster-issuer: "example-acme"
# cert-manager.io/issuer: "example-acme"
spec:
tls:
- hosts:
- foo.example.com
secretName: foo-example-com-tls
rules:
- host: foo.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: backend-service
port:
name: http
Or we can create a Certificate resource that is to be honored by an issuer which is to be kept up-to-date.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: star-example-com
spec:
secretName: star-example-com-tls
commonName: "example.com"
dnsNames:
- "example.com"
- "*.example.com"
issuerRef:
name: example-acme
kind: ClusterIssuer
# kind: Issuer
Then we can refer to that secrets(secretName
) in Ingress.
The following table lists the correspondences between alidns-webhook and k8s versions.
Alidns-Webhook version | k8s supported version | Helm Chart Version |
---|---|---|
v1.0.1 | 1.31, 1.30, 1.29, 1.28, 1.27, 1.26 | 1.0.* |
v0.1.0 | 1.31, 1.30, 1.29, 1.28, 1.27, 1.26 | 0.1.* |