This solver can be used when you want to use cert-manager with CIVO DNS.
Follow the instructions in the cert-manager documentation to install cert-manager within your cluster.

Install the webhook from the chart repository:

```bash
helm repo add okteto https://charts.okteto.com
helm repo update
helm install --namespace cert-manager cert-manager-webhook-civo okteto/cert-manager-webhook-civo
```

Alternatively, install it from the chart directory in a local checkout of this repo:

```bash
helm install --namespace cert-manager cert-manager-webhook-civo chart/cert-manager-webhook-civo
```
Note: The Kubernetes resources used to install the webhook should be deployed within the same namespace as cert-manager.

To uninstall the webhook, run:

```bash
helm uninstall --namespace cert-manager cert-manager-webhook-civo
```
In order to access the CIVO API, the webhook needs an API token.

```bash
kubectl create secret generic civo-secret --from-literal=api-key=<YOUR_CIVO_TOKEN>
```
Create a `ClusterIssuer` or `Issuer` resource as follows:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: user@example.com # REPLACE THIS WITH YOUR EMAIL
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        webhook:
          solverName: "civo"
          groupName: civo.webhook.okteto.com
          config:
            secretName: civo-secret
```
By default, the CIVO API token used will be obtained from the secret in the same namespace as the webhook.
If you would prefer to use separate API tokens for each namespace (e.g. in a multi-tenant environment), create a namespaced `Issuer` instead:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: user@example.com # REPLACE THIS WITH YOUR EMAIL
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        webhook:
          solverName: "civo"
          groupName: civo.webhook.okteto.com
          config:
            secretName: civo-secret
```
By default, the webhook doesn't have permission to read secrets in all namespaces. To enable this, you'll need to provide your own service account.
Create your certificate resource as follows:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: cert-manager
spec:
  commonName: example.com
  dnsNames:
  - example.com # REPLACE THIS WITH YOUR DOMAIN
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  secretName: example-cert
```
- Admin access to a cluster. We recommend you launch one on CIVO.
- okteto CLI
- `kubectl` installed and configured to talk to your cluster

- Deploy the latest version of `cert-manager` and `cert-manager-webhook-civo` as per the instructions above.
- Run `okteto up` from the root of this repo. This will deploy your pre-configured remote development environment, and keep your file system synchronized automatically.
- Run `make` on the remote terminal to start the webhook. This will build the webhook, start it with the required configuration, and hot reload it whenever a file is changed.
- Code away!
If you want to get involved, we'd love to receive a pull request, issues, or an offer to help over at the #KUBE100 channel in the Civo-Community slack or at the #Okteto channel in the Kubernetes slack.
Maintainers:
Please see the contribution guidelines