This solver can be used when you want to use cert-manager with the hosting.de DNS API. API documentation is here
- go >= 1.14.0
- helm >= v3.0.0
- kubernetes >= v1.14.0
- cert-manager >= 0.15.0
Follow the instructions using the cert-manager documentation to install it within your cluster.
helm install --namespace cert-manager cert-manager-webhook-hostingde deploy/cert-manager-webhook-hostingdeNote: The kubernetes resources used to install the Webhook should be deployed within the same namespace as the cert-manager.
To uninstall the webhook run
helm uninstall --namespace cert-manager cert-manager-webhook-hostingdeAlternatively, generate manifests from the template and apply them manually:
helm template --namespace cert-manager cert-manager-webhook-hostingde deploy/cert-manager-webhook-hostingdeCreate a ClusterIssuer or Issuer resource as following:
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: [email protected]
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- dns01:
webhook:
groupName: hosting.de
solverName: hostingde
config:
secretName: hostingde-secret
zoneName: example.com # (Optional): When not provided the Zone will searched via API by recursion on full domain name
TTL: 60In order to access the hosting.de API, the webhook needs an API token.
If you choose another name for the secret than hostingde-secret, ensure you modify the value of secretName in the [Cluster]Issuer.
The secret for the example above will look like this:
---
apiVersion: v1
kind: Secret
metadata:
name: hostingde-secret
namespace: cert-manager
type: Opaque
data:
api-key: your-key-base64-encodedFinally you can create certificates, for example:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-cert
namespace: default
spec:
commonName: example.com
dnsNames:
- example.com
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
secretName: example-certor via Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-world
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
tls:
- hosts:
- "example.com"
secretName: hello-world
rules:
- host: "example.com"
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: hello-world
port:
number: 80All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.
It is essential that you configure and run the test suite when creating a DNS01 webhook.
First, you need to have hosting.de account with access to the DNS control panel. You need to create an API token and have a registered DNS zone there.
Then you need to copy testdata-template to testdata. Optionally replace the zoneName parameter at testdata/hostingde/config.json file with an actual one. If zoneName is not provided it will be searched via the API by recursion starting from TEST_ZONE_NAME
You also must encode your api token into base64 and put it into the testdata/hostingde/secret.yml file:
In case there is a source IP restriction for the API key, you will also need to add your public IP address in the hosting.de control panel.
echo -n APIKEY | base64You can then run the test suite with:
# first install necessary binaries (only required once)
scripts/fetch-test-binaries.sh
# then run the tests
TEST_ZONE_NAME=example.org. make verify- Increase
versioninChart.yaml. - Create a GitHub release with the same value, e.g.
1.2.0.