A cert-manager ACME DNS01 solver webhook for DNSimple.
- cert-manager >= 0.13 (The Helm chart uses the new API versions)
- Kubernetes >= 1.17.x
- Helm 3 (otherwise adjust the example below accordingly)
Take note of your DNSimple API token from the account settings in the automation tab. Run the following commands replacing the API token / account ID placeholders and email address:
$ helm repo add neoskop https://charts.neoskop.dev
$ helm install cert-manager-webhook-dnsimple \
--namespace cert-manager \
--dry-run \
--set dnsimple.token='<DNSIMPLE_API_TOKEN>' \
--set dnsimple.accountID='<DNSIMPLE_ACCOUNT_ID>' # Only needed if using a User API token \
--set clusterIssuer.production.enabled=true \
--set clusterIssuer.staging.enabled=true \
--set clusterIssuer.email=email@example.com \
neoskop/cert-manager-webhook-dnsimple(Alternatively you can check out this repository and substitute neoskop/cert-manager-webhook-dnsimple with ./deploy/dnsimple)
Afterwards issue a certificate:
$ cat << EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: dnsimple-test
namespace: default
spec:
dnsNames:
- test.example.com
issuerRef:
name: cert-manager-webhook-dnsimple-production
kind: ClusterIssuer
secretName: dnsimple-test-tls
EOFThe Helm chart accepts the following values:
| name | required | description | default value |
|---|---|---|---|
dnsimple.token |
✔️ | DNSimple API Token | empty |
dnsimple.accountID |
DNSimple Account ID (required for User tokens) | empty | |
clusterIssuer.email |
LetsEncrypt Admin Email | name@example.com |
|
clusterIssuer.production.enabled |
Create a production ClusterIssuer |
false |
|
clusterIssuer.staging.enabled |
Create a staging ClusterIssuer |
false |
|
image.repository |
✔️ | Docker image for the webhook solver | neoskop/cert-manager-webhook-dnsimple |
image.tag |
✔️ | Docker image tag of the solver | latest |
image.pullPolicy |
✔️ | Image pull policy of the solver | IfNotPresent |
logLevel |
Set the verbosity of the solver | empty | |
groupName |
✔️ | Identifies the company that created the webhook | acme.neoskop.de |
certManager.namespace |
✔️ | The namespace cert-manager was installed to | cert-manager |
certManager.serviceAccountName |
✔️ | The service account cert-manager runs under | cert-manager |
All cert-manager webhooks have to pass the DNS01 provider conformance testing suite. To run that test suite on this plug-in download the test binaries:
$ mkdir -p __main__/hack
$ wget -O- https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.14.1-linux-amd64.tar.gz | tar xz --strip-components=1 -C __main__/hackThen set-up testdata/dnsimple/config.json and testdata/dnsimple/dnsimple-token.yaml according to the README.
Execute the test suite replacing TEST_ZONE_NAME with a DNS name you have control over with your DNSimple account:
# Mind the trailing dot in the TEST_ZONE_NAME value
$ TEST_ZONE_NAME=example.com. go test .After you committed all of your changes, run the following command to tag a new version and build and push a new Docker image tag as well as a new Helm chart:
$ ./scripts/release.sh <patch|minor|major>