suraciii/cert-manager-webhook-dnspod

DNSPod Webhook for Cert Manager

This is a cert-manager DNS01 webhook solver for DNSPod: cert-manager calls it to create and remove the `_acme-challenge` TXT records that ACME DNS01 validation requires in a zone hosted at DNSPod.

Prerequisites

Installation

$ helm install --name cert-manager-webhook-dnspod ./deploy/example-webhook

Issuer

  1. Generate an API ID and API Token from DNSPod (https://support.dnspod.cn/Kb/showarticle/tsid/227/). The token authorises changes to every record the account manages, so create a dedicated token for cert-manager and revoke it in DNSPod if the secret below is ever exposed.
  2. Create a secret to store the API Token. It must live in the namespace where the Issuer will be created; the commands below use cert-manager.
$ kubectl --namespace cert-manager create secret generic \
    dnspod-credentials --from-literal=api-token='<DNSPOD_API_TOKEN>'
  3. Grant the webhook's service account permission to read that one secret. The resourceNames restriction matters: the same namespace also holds the ACME account keys and the issued TLS private keys, and the webhook has no business reading those. After applying, confirm the grant with `kubectl auth can-i` while impersonating the service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook-dnspod:secret-reader
  namespace: cert-manager # must be the namespace that holds dnspod-credentials
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["dnspod-credentials"] # this secret only, not every secret in the namespace
  verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook-dnspod:secret-reader
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook-dnspod:secret-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook-dnspod
    # add namespace: <webhook namespace> here if the chart was installed outside cert-manager;
    # without it the subject defaults to the RoleBinding's own namespace
  4. Create a staging issuer (optional, but recommended: the Let's Encrypt staging endpoint has generous rate limits, so use it until the webhook is known to work)
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: <YOUR_EMAIL> # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging

    solvers:
    - dns01:
        webhook:
          groupName: example.com # REPLACE WITH THE groupName THE WEBHOOK WAS DEPLOYED WITH (it must match, and be unique in the cluster)
          solverName: dnspod
          config:
            apiID: 12345 # REPLACE WITH YOUR DNSPOD API ID!!!
            apiTokenSecretRef: # only the secret's name and key go here; the token itself stays in the secret
              key: api-token
              name: dnspod-credentials # must be in the same namespace as this Issuer
  5. Create a production issuer
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: <YOUR_EMAIL> # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod

    solvers:
    - dns01:
        webhook:
          groupName: example.com # REPLACE WITH THE groupName THE WEBHOOK WAS DEPLOYED WITH (it must match, and be unique in the cluster)
          solverName: dnspod
          config:
            apiID: 12345 # REPLACE WITH YOUR DNSPOD API ID!!!
            apiTokenSecretRef: # only the secret's name and key go here; the token itself stays in the secret
              key: api-token
              name: dnspod-credentials # must be in the same namespace as this Issuer

Certificate

  1. Issue a certificate
#TODO

Automatically creating Certificates for Ingress resources

See this.

Development

All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.

It is essential that you configure and run the test suite when creating a DNS01 webhook.

An example Go test file has been provided in main_test.go.

Before you can run the test suite, you need to download the test binaries (the archive below is the macOS build; on Linux fetch the linux-amd64 archive instead):

$ mkdir __main__
$ wget -O- https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.14.1-darwin-amd64.tar.gz | tar xzf -
$ mv kubebuilder __main__/hack

Then edit testdata/my-custom-solver/config.json so it carries the same config block the Issuer uses (apiID and apiTokenSecretRef). The suite creates and deletes real TXT records under TEST_ZONE_NAME through the DNSPod API, so point it at a zone you control, and keep the real token out of version control.

Now you can run the test suite with (note the trailing dot: the suite expects a fully qualified zone name):

$ TEST_ZONE_NAME=example.com. go test .

Languages

  • Go 78.1%
  • Smarty 13.6%
  • Makefile 4.5%
  • Dockerfile 3.6%
  • Shell 0.2%