# ACME Webhook for Hetzner DNS

This project provides a cert-manager ACME webhook for Hetzner DNS and is based on the Example Webhook.

This README and the inspiration for this webhook were mostly taken from Stephan Müller's INWX Webhook.
## Requirements

- helm >= v3.0.0
- kubernetes >= v1.14.0
- cert-manager >= 0.12.0
## Configuration

The following table lists the configurable parameters of the cert-manager-webhook-hetzner chart and their default values.

| Parameter | Description | Default |
|---|---|---|
| `groupName` | Group name of the API service. | `dns.hetzner.cloud` |
| `certManager.namespace` | Namespace where cert-manager is deployed to. | `kube-system` |
| `certManager.serviceAccountName` | Service account of the cert-manager installation. | `cert-manager` |
| `image.repository` | Image repository | `mecodia/cert-manager-webhook-hetzner` |
| `image.tag` | Image tag | `latest` |
| `image.pullPolicy` | Image pull policy | `Always` |
| `service.type` | API service type | `ClusterIP` |
| `service.port` | API service port | `443` |
| `resources` | CPU/memory resource requests/limits | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `affinity` | Node affinity for pod assignment | `{}` |
| `tolerations` | Node tolerations for pod assignment | `[]` |
## Installation

### cert-manager

Follow the instructions in the cert-manager documentation to install it within your cluster.

### Webhook

```sh
git clone https://github.com/mecodia/cert-manager-webhook-hetzner.git
cd cert-manager-webhook-hetzner
helm install --namespace kube-system cert-manager-webhook-hetzner ./deploy/cert-manager-webhook-hetzner
```

Note: The Kubernetes resources used to install the webhook should be deployed in the same namespace as cert-manager.

To uninstall the webhook, run:

```sh
helm uninstall --namespace kube-system cert-manager-webhook-hetzner
```
## Issuer

Create a `ClusterIssuer` or `Issuer` resource as follows:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: mail@example.com # REPLACE THIS WITH YOUR EMAIL!!!
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          webhook:
            groupName: dns.hetzner.cloud
            solverName: hetzner
            config:
              APIKey: <YOUR-DNS-API-KEY-HERE>
```
### Credentials

For accessing the Hetzner DNS API you need an API token, which you can create in the Hetzner DNS Console.

Currently we don't provide a way to use Secrets for your API key. The key therefore sits in plaintext in the `config` block of the `ClusterIssuer`, which is a cluster-scoped object, so restrict who may read that resource accordingly.
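As an added audit helper that is not part of this project, the script below reads the JSON printed by `kubectl get clusterissuers,issuers -A -o json` and lists every DNS-01 webhook solver whose `config` carries a literal credential such as the `APIKey` above. The embedded sample mirrors the ClusterIssuer from this README; the credential key names other than `APIKey` and the second, Secret-referencing solver are assumptions.

```python
"""Audit cert-manager Issuer/ClusterIssuer JSON for inline DNS-01 webhook credentials."""
import json
import sys

# Config keys that hold a credential when set to a literal string. The Hetzner
# webhook reads `APIKey`; the other names are common equivalents (assumption).
CREDENTIAL_KEYS = {"apikey", "apitoken", "token", "password", "secret"}


def inline_credentials(obj):
    """Return (object, solver index, config key) for every literal credential
    found in the DNS-01 webhook solvers of one Issuer or ClusterIssuer."""
    meta = obj.get("metadata", {})
    ns = meta.get("namespace")
    ident = f"{obj.get('kind')}/{ns + '/' if ns else ''}{meta.get('name', '?')}"
    findings = []
    for i, solver in enumerate(obj.get("spec", {}).get("acme", {}).get("solvers", [])):
        config = solver.get("dns01", {}).get("webhook", {}).get("config") or {}
        for key, value in config.items():
            # A secret reference is a mapping ({name, key}); a bare string is inline.
            if key.lower() in CREDENTIAL_KEYS and isinstance(value, str):
                findings.append((ident, i, key))
    return findings


def audit(doc):
    """Accept a single object or a kubectl `List` and audit every item."""
    return [f for item in doc.get("items", [doc]) for f in inline_credentials(item)]


# Constructed sample: the README's ClusterIssuer (inline APIKey) next to an
# Issuer that references a Secret instead (hypothetical solver, not Hetzner's).
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-staging"},
     "spec": {"acme": {"solvers": [{"dns01": {"webhook": {
         "groupName": "dns.hetzner.cloud", "solverName": "hetzner",
         "config": {"APIKey": "<YOUR-DNS-API-KEY-HERE>"}}}}]}}},
    {"kind": "Issuer", "metadata": {"name": "other", "namespace": "apps"},
     "spec": {"acme": {"solvers": [{"dns01": {"webhook": {
         "groupName": "example.invalid", "solverName": "example",
         "config": {"apiToken": {"name": "dns-creds", "key": "token"}}}}}]}}},
]}

if __name__ == "__main__":
    # Pipe `kubectl get clusterissuers,issuers -A -o json` in; falls back to SAMPLE.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ident, idx, key in audit(doc):
        print(f"{ident}: solver[{idx}] has inline credential in config key '{key}'")
```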
## Create a certificate

Finally, you can create certificates, for example:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-cert
  namespace: cert-manager
spec:
  commonName: example.com
  dnsNames:
    - example.com
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-staging
  secretName: example-cert
```
## Development

### Requirements

- go >= 1.13.0

### Running the test suite

- Download the test binaries:

  ```sh
  scripts/fetch-test-binaries.sh
  ```

- Create a new test account in the Hetzner DNS Console, or use an existing account.
- Go to `testdata/config.json` and replace the API key with yours.
- Download the dependencies:

  ```sh
  go mod download
  ```

- Run the tests with the domain you created (note the trailing dot on the zone name):

  ```sh
  TEST_ZONE_NAME="$YOUR_NEW_DOMAIN." go test .
  ```

An example Go test file is provided in `main_test.go`.
### Running the full suite with microk8s

Tested with Ubuntu:

```sh
sudo snap install microk8s --classic
sudo microk8s.enable dns rbac
sudo microk8s.kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml
sudo microk8s.config > /tmp/microk8s.config
export KUBECONFIG=/tmp/microk8s.config
helm install --namespace kube-system cert-manager-webhook-hetzner deploy/hetzner-webhook
```