This solver can be used when you want to use cert-manager with Oracle Cloud Infrastructure as a DNS provider.
- go >= 1.19.4 only for development
- helm >= v3.10.2
- kubernetes >= v1.24.0
- cert-manager >= 1.10.1
git clone https://github.com/pacphi/cert-manager-webhook-oci
Follow the instructions using the cert-manager documentation to install it within your cluster.
Must be installed in the same namespace as cert-manager. I use kube-certmanager, if you use another add --set certManager.namespace=your_certmanager_namespace
# there is only x86_64 and arm64 images
helm repo add highcanfly https://helm-repo.highcanfly.club/
helm repo update
helm install --namespace kube-certmanager cert-manager-webhook-oci highcanfly/cert-manager-webhook-oci
Note: The kubernetes resources used to install the Webhook should be deployed within the same namespace as the cert-manager.
To uninstall the webhook run
helm uninstall --namespace kube-certmanager cert-manager-webhook-oci
Create a ClusterIssuer
or Issuer
resource as following:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
namespace: kube-certmanager
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- dns01:
webhook:
groupName: acme.d-n.be
solverName: oci
config:
ociProfileSecretName: oci-profile
compartmentOCID: ocid-of-compartment-to-use
In order to access the Oracle Cloud Infrastructure API, the webhook needs an OCI profile configuration.
If you choose another name for the secret than oci-profile
, ensure you modify the value of ociProfileSecretName
in the [Cluster]Issuer
.
The secret for the example above will look like this:
apiVersion: v1
kind: Secret
metadata:
name: oci-profile
namespace: kube-certmanager
type: Opaque
stringData:
tenancy: "your tenancy ocid"
user: "your user ocid"
region: "your region"
fingerprint: "your key fingerprint"
privateKey: |
-----BEGIN RSA PRIVATE KEY-----
...KEY DATA HERE...
-----END RSA PRIVATE KEY-----
privateKeyPassphrase: "private keys passphrase or empty string if none"
Finally you can create certificates, for example:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-cert
namespace: kube-certmanager
spec:
commonName: example.com
dnsNames:
- example.com
issuerRef:
name: letsencrypt-staging
secretName: example-cert
Update the version of go
in go.mod
(currently 1.19), then:
go get -u
go mod tidy
All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.
It is essential that you configure and run the test suite when creating a DNS01 webhook.
First, create an Oracle Cloud Infrastructure account and ensure you have a DNS zone set up.
Next, create config files based on the *.sample
files in the testdata/oci
directory.
You can then run the test suite with:
TEST_ZONE_NAME=example.com. make test
- Original repository - https://gitlab.com/dn13/cert-manager-webhook-oci/
- Fixes and updates - https://gitlab.com/jcotton/cert-manager-webhook-oci/-/tree/fix_and_update
- Gist - https://gist.github.com/pacphi/05e6bd49b312bb92b2db1d70beb5c69c