This solver can be used when you want to use cert-manager with Hostsharing e.G.
Follow the instructions in the cert-manager documentation to install cert-manager within your cluster.
helm repo add cert-manager-webhook-hostsharing https://seb-schulz.github.io/cert-manager-webhook-hostsharing
# Replace the groupName value with your desired domain
helm install --namespace cert-manager cert-manager-webhook-hostsharing cert-manager-webhook-hostsharing/cert-manager-webhook-hostsharing --set groupName=acme.yourdomain.tld
Alternatively, install the chart from a local checkout of this repository:
helm install --namespace cert-manager cert-manager-webhook-hostsharing deploy/cert-manager-webhook-hostsharing
Note: The Kubernetes resources used to install the webhook should be deployed within the same namespace as cert-manager.
To uninstall the webhook, run:
helm uninstall --namespace cert-manager cert-manager-webhook-hostsharing
TODO: How to generate api token
Set up a domain with HSAdmin. It is recommended to set up a user as well. Please consult the documentation for more information. In this README we are going to use the user xyz00-acme and the domain acme.example.com as an example.
1. Place the updater binary in ~/doms/acme.example.com/fastcgi-ssl/
2. Run updater -config > config.yaml to generate the config file
3. Generate an API key (for example with openssl rand -hex 32) and update the config file accordingly

The following shell script does all steps except generating an API key.
set -eu  # abort on any failed step, including a checksum mismatch

domain=acme.example.com
url=https://github.com/seb-schulz/cert-manager-webhook-hostsharing/releases/latest/download

# Look up the latest release version, then fetch the binary and its checksum
ver=$(curl -fsSL "$url/version.txt")
curl -fLO "$url/updater-$ver-amd64"
curl -fLO "$url/updater-$ver-amd64.sha256sum.txt"

# Verify the download before making it executable
sha256sum -c "updater-$ver-amd64.sha256sum.txt"
rm "updater-$ver-amd64.sha256sum.txt"

chmod +x "updater-$ver-amd64"
mv "updater-$ver-amd64" ~/doms/"$domain"/fastcgi-ssl/updater
~/doms/"$domain"/fastcgi-ssl/updater -config > ~/doms/"$domain"/fastcgi-ssl/config.yaml
The config file should look similar to this:
zone-file: "/home/pacs/xyz00/users/acme/doms/acme.example.com/etc/pri.acme.example.com"
api-key: "random string"
template:
  head: "{DEFAULT_ZONEFILE}"
You are going to need an Issuer or ClusterIssuer on your Kubernetes cluster to get all those pieces running. This README can only provide an example. For more details, please consult the cert-manager project's documentation about webhooks.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: your-email@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          cnameStrategy: Follow
          webhook:
            config:
              apiKey: "random string"
              baseUrl: https://acme.example.com/fastcgi-bin/updater
            groupName: acme.example.com
            solverName: hostsharing
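The updater's config.yaml and the issuer above both carry the API key, shown in both as the placeholder "random string". The following pre-flight check is an added example, not part of the project: the function names, sample files and test key are constructed, and it assumes the key was generated with openssl rand -hex 32 and must be identical on both sides.

```shell
#!/bin/sh
# Added example, not part of the project. Assumes the key came from
# `openssl rand -hex 32` (64 lowercase hex characters) and that the
# issuer's apiKey must equal the updater's api-key.

# Print the first "<key>: value" found in a YAML file, quotes stripped.
yaml_value() {  # usage: yaml_value <key> <file>
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 |
        tr -d "\"'\r" | sed 's/[[:space:]]*$//'
}

# Return 0 if the key is usable; 1 placeholder/empty, 2 malformed, 3 mismatch.
# Messages never include the key itself, so the output is safe to log.
check_api_key() {  # usage: check_api_key <config.yaml> <issuer.yaml>
    updater_key=$(yaml_value api-key "$1")
    issuer_key=$(yaml_value apiKey "$2")
    case $updater_key in
        "" | "random string")
            echo "api-key is empty or still the placeholder" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$updater_key" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "api-key is not 64 lowercase hex characters" >&2; return 2
    fi
    if [ "$updater_key" != "$issuer_key" ]; then
        echo "issuer apiKey does not match updater api-key" >&2; return 3
    fi
}

# Constructed sample files; the key used in demo() is a made-up test value.
write_samples() {  # usage: write_samples <dir> <updater-key> <issuer-key>
    printf 'zone-file: "/tmp/pri.acme.example.com"\napi-key: "%s"\n' "$2" > "$1/config.yaml"
    printf '          webhook:\n            config:\n              apiKey: "%s"\n' "$3" > "$1/issuer.yaml"
}

demo() {
    dir=$(mktemp -d)
    key=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    write_samples "$dir" "$key" "$key"
    check_api_key "$dir/config.yaml" "$dir/issuer.yaml" && echo "key OK"
    rm -rf "$dir"
}
demo
```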
TBD
Running make build builds your own binaries, and make push IMAGE_NAME=registry.example.com/cert-manager-webhook-hostsharing pushes the container to your private registry.
You can override any variable of the Makefile by creating a Makefile.variables file.
You can run the test suite with:
$ make test