initial commit

.gitignore

@@ -12,7 +12,7 @@
 *.out
 
 # Ignore the built binary
-cert-manager-webhook-example
+cert-manager-webhook-porkbun
 
 # Make artifacts
 _out

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.16-alpine AS build_deps
+FROM docker.io/library/golang:1.16-alpine AS build_deps
 
 RUN apk add --no-cache git
 
@@ -15,7 +15,7 @@ COPY . .
 
 RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
 
-FROM alpine:3.9
+FROM docker.io/library/alpine:3.9
 
 RUN apk add --no-cache ca-certificates
 

Makefile

@@ -1,7 +1,7 @@
 OS ?= $(shell go env GOOS)
 ARCH ?= $(shell go env GOARCH)
 
-IMAGE_NAME := "webhook"
+IMAGE_NAME := "porkbun-webhook"
 IMAGE_TAG := "latest"
 
 OUT := $(shell pwd)/_out
@@ -27,12 +27,12 @@ clean-kubebuilder:
 	rm -Rf _test/kubebuilder
 
 build:
-	docker build -t "$(IMAGE_NAME):$(IMAGE_TAG)" .
+	podman build -t "$(IMAGE_NAME):$(IMAGE_TAG)" .
 
 .PHONY: rendered-manifest.yaml
 rendered-manifest.yaml:
 	helm template \
-	    --name example-webhook \
+	    --name porkbun-webhook \
         --set image.repository=$(IMAGE_NAME) \
         --set image.tag=$(IMAGE_TAG) \
-        deploy/example-webhook > "$(OUT)/rendered-manifest.yaml"
+        deploy/porkbun-webhook > "$(OUT)/rendered-manifest.yaml"

README.md

@@ -1,54 +1,72 @@
-# ACME webhook example
-
-The ACME issuer type supports an optional 'webhook' solver, which can be used
-to implement custom DNS01 challenge solving logic.
-
-This is useful if you need to use cert-manager with a DNS provider that is not
-officially supported in cert-manager core.
-
-## Why not in core?
-
-As the project & adoption has grown, there has been an influx of DNS provider
-pull requests to our core codebase. As this number has grown, the test matrix
-has become un-maintainable and so, it's not possible for us to certify that
-providers work to a sufficient level.
-
-By creating this 'interface' between cert-manager and DNS providers, we allow
-users to quickly iterate and test out new integrations, and then packaging
-those up themselves as 'extensions' to cert-manager.
-
-We can also then provide a standardised 'testing framework', or set of
-conformance tests, which allow us to validate the a DNS provider works as
-expected.
-
-## Creating your own webhook
-
-Webhook's themselves are deployed as Kubernetes API services, in order to allow
-administrators to restrict access to webhooks with Kubernetes RBAC.
-
-This is important, as otherwise it'd be possible for anyone with access to your
-webhook to complete ACME challenge validations and obtain certificates.
-
-To make the set up of these webhook's easier, we provide a template repository
-that can be used to get started quickly.
-
-### Creating your own repository
-
-### Running the test suite
+# Porkbun Webhook solver for Cert Manager
+
+This is an unofficial webhook solver for [Cert Manager](https://cert-manager.io/) and [Porkbun](https://porkbun.com/).
+
+## Usage
+
+1. Deploy the webhook:
+
+    ```
+    helm install porkbun-webhook ./deploy/porkbun-webhook \
+        --set groupName=<your group>
+    ```
+
+2. Create a secret containing your [API key](https://porkbun.com/account/api):
+
+    ```
+    kubectl create secret generic porkbun-key \
+        --from-literal=api-key=<your key> \
+        --from-literal=secret-key=<your key>
+    ```
+
+3. Create a role and role binding:
+
+    ```
+    kubectl apply -f rbac.yaml
+    ```
+
+4. Configure a certificate issuer:
+
+    ```yaml
+    apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
+      name: letsencrypt
+    spec:
+      acme:
+        server: https://acme-v02.api.letsencrypt.org/directory
+        email: <your e-mail>
+        privateKeySecretRef:
+          name: letsencrypt-key
+        solvers:
+          - selector:
+              dnsZones:
+                - <your domain>
+            dns01:
+              webhook:
+                groupName: <your group>
+                solverName: porkbun
+                config:
+                  apiKeySecretRef:
+                    name: porkbun-key
+                    key: api-key
+                  secretKeySecretRef:
+                    name: porkbun-key
+                    key: secret-key
+    ```
+
+## Running the test suite
 
 All DNS providers **must** run the DNS01 provider conformance testing suite,
 else they will have undetermined behaviour when used with cert-manager.
 
 **It is essential that you configure and run the test suite when creating a
 DNS01 webhook.**
 
-An example Go test file has been provided in [main_test.go](https://github.com/jetstack/cert-manager-webhook-example/blob/master/main_test.go).
+To run the tests, first put your api key into testdata/porkbun-solver/porkbun-secret.yaml.
 
-You can run the test suite with:
+Then you can run the test suite with:
 
 ```bash
-$ TEST_ZONE_NAME=example.com. make test
+TEST_ZONE_NAME=<your domain>. make test
 ```
-
-The example file has a number of areas you must fill in and replace with your
-own options in order for tests to pass.

deploy/porkbun-webhook/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Porkbun solver for Cert Manager.
+name: porkbun-webhook
+version: 0.1.0

deploy/example-webhook/templates/_helpers.tpl → deploy/porkbun-webhook/templates/_helpers.tpl

@@ -2,7 +2,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "example-webhook.name" -}}
+{{- define "porkbun-webhook.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
@@ -11,7 +11,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "example-webhook.fullname" -}}
+{{- define "porkbun-webhook.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@@ -27,22 +27,22 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "example-webhook.chart" -}}
+{{- define "porkbun-webhook.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{- define "example-webhook.selfSignedIssuer" -}}
-{{ printf "%s-selfsign" (include "example-webhook.fullname" .) }}
+{{- define "porkbun-webhook.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "porkbun-webhook.fullname" .) }}
 {{- end -}}
 
-{{- define "example-webhook.rootCAIssuer" -}}
-{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
+{{- define "porkbun-webhook.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "porkbun-webhook.fullname" .) }}
 {{- end -}}
 
-{{- define "example-webhook.rootCACertificate" -}}
-{{ printf "%s-ca" (include "example-webhook.fullname" .) }}
+{{- define "porkbun-webhook.rootCACertificate" -}}
+{{ printf "%s-ca" (include "porkbun-webhook.fullname" .) }}
 {{- end -}}
 
-{{- define "example-webhook.servingCertificate" -}}
-{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }}
+{{- define "porkbun-webhook.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "porkbun-webhook.fullname" .) }}
 {{- end -}}

deploy/example-webhook/templates/apiservice.yaml → deploy/porkbun-webhook/templates/apiservice.yaml

@@ -3,17 +3,17 @@ kind: APIService
 metadata:
   name: v1alpha1.{{ .Values.groupName }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "porkbun-webhook.name" . }}
+    chart: {{ include "porkbun-webhook.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
   annotations:
-    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "example-webhook.servingCertificate" . }}"
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "porkbun-webhook.servingCertificate" . }}"
 spec:
   group: {{ .Values.groupName }}
   groupPriorityMinimum: 1000
   versionPriority: 15
   service:
-    name: {{ include "example-webhook.fullname" . }}
+    name: {{ include "porkbun-webhook.fullname" . }}
     namespace: {{ .Release.Namespace }}
   version: v1alpha1

deploy/example-webhook/templates/deployment.yaml → deploy/porkbun-webhook/templates/deployment.yaml

@@ -1,25 +1,25 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "example-webhook.fullname" . }}
+  name: {{ include "porkbun-webhook.fullname" . }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "porkbun-webhook.name" . }}
+    chart: {{ include "porkbun-webhook.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
-      app: {{ include "example-webhook.name" . }}
+      app: {{ include "porkbun-webhook.name" . }}
       release: {{ .Release.Name }}
   template:
     metadata:
       labels:
-        app: {{ include "example-webhook.name" . }}
+        app: {{ include "porkbun-webhook.name" . }}
         release: {{ .Release.Name }}
     spec:
-      serviceAccountName: {{ include "example-webhook.fullname" . }}
+      serviceAccountName: {{ include "porkbun-webhook.fullname" . }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -53,7 +53,7 @@ spec:
       volumes:
         - name: certs
           secret:
-            secretName: {{ include "example-webhook.servingCertificate" . }}
+            secretName: {{ include "porkbun-webhook.servingCertificate" . }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

deploy/example-webhook/templates/pki.yaml → deploy/porkbun-webhook/templates/pki.yaml

@@ -4,11 +4,11 @@
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: {{ include "example-webhook.selfSignedIssuer" . }}
+  name: {{ include "porkbun-webhook.selfSignedIssuer" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "porkbun-webhook.name" . }}
+    chart: {{ include "porkbun-webhook.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
@@ -20,19 +20,19 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ include "example-webhook.rootCACertificate" . }}
+  name: {{ include "porkbun-webhook.rootCACertificate" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "porkbun-webhook.name" . }}
+    chart: {{ include "porkbun-webhook.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
-  secretName: {{ include "example-webhook.rootCACertificate" . }}
+  secretName: {{ include "porkbun-webhook.rootCACertificate" . }}
   duration: 43800h # 5y
   issuerRef:
-    name: {{ include "example-webhook.selfSignedIssuer" . }}
-  commonName: "ca.example-webhook.cert-manager"
+    name: {{ include "porkbun-webhook.selfSignedIssuer" . }}
+  commonName: "ca.porkbun-webhook.cert-manager"
   isCA: true
 
 ---
@@ -41,36 +41,36 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: {{ include "example-webhook.rootCAIssuer" . }}
+  name: {{ include "porkbun-webhook.rootCAIssuer" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "porkbun-webhook.name" . }}
+    chart: {{ include "porkbun-webhook.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
   ca:
-    secretName: {{ include "example-webhook.rootCACertificate" . }}
+    secretName: {{ include "porkbun-webhook.rootCACertificate" . }}
 
 ---
 
 # Finally, generate a serving certificate for the webhook to use
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ include "example-webhook.servingCertificate" . }}
+  name: {{ include "porkbun-webhook.servingCertificate" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
+    app: {{ include "porkbun-webhook.name" . }}
+    chart: {{ include "porkbun-webhook.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
-  secretName: {{ include "example-webhook.servingCertificate" . }}
+  secretName: {{ include "porkbun-webhook.servingCertificate" . }}
   duration: 8760h # 1y
   issuerRef:
-    name: {{ include "example-webhook.rootCAIssuer" . }}
+    name: {{ include "porkbun-webhook.rootCAIssuer" . }}
   dnsNames:
-  - {{ include "example-webhook.fullname" . }}
-  - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}
-  - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
+  - {{ include "porkbun-webhook.fullname" . }}
+  - {{ include "porkbun-webhook.fullname" . }}.{{ .Release.Namespace }}
+  - {{ include "porkbun-webhook.fullname" . }}.{{ .Release.Namespace }}.svc