Vultr Webhook for Cert Manager
This is a webhook solver for Vultr to be used with Cert-Manager
Prerequisites
There are a few things required before you can start using cert-manager-webhook-vultr.
- Helm v3+ is required to install the
cert-manager-webhook-vultrcharts - Cert-Manager needs to be running on your cluster prior.
Installation
Installing the webhook
First, you will need to deploy a secret with your api key.
You can do this by using the sample yaml in testdata/vultr/api-key.yaml.sample or by running the following kubectl command:
kubectl create secret generic "vultr-credentials" --from-literal=apiKey=<VULTR API KEY> --namespace=cert-managerSecond, you will need to deploy the cert-manager-webhook-vultr. We have a helm chart that makes installation of this fairly straightforward.
helm install --namespace cert-manager cert-manager-webhook-vultr ./deploy/cert-manager-webhook-vultrThis will deploy all necessary services, deployments, rbac, and various other resources required for cert-manager.
To uninstall the webhook run the following:
helm uninstall cert-manager-webhook-vultr --namespace=cert-managerDeploying a ClusterIssuer
Below we will deploy a ClusterIssuer which will use LetsEncrypt staging environment
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# You must replace this email address with your own.
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account.
email: <enter your email address>
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource that will be used to store the account's private key.
name: letsencrypt-staging
solvers:
- dns01:
webhook:
groupName: acme.vultr.com
solverName: vultr
config:
apiKeySecretRef:
key: apiKey
name: vultr-credentialsWe also need to grant permissions for the service account to be able to grab the secret .
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook-vultr:secret-reader
namespace: cert-manager
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["vultr-credentials"]
verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-webhook-vultr:secret-reader
namespace: cert-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook-vultr:secret-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-vultrRequest a certificate
The Certificate resource represents a human readable definition of a certificate request that is to be honored by an issuer which is to be kept up-to-date.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: staging-cert-example-com
spec:
commonName: example.com # REPLACE THIS WITH YOUR DOMAIN
dnsNames:
- example.com # REPLACE THIS WITH YOUR DOMAIN
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
secretName: example-com-tlsTo check on the certificate run the following:
kubectl describe certificate staging-cert-example-comTo delete a certificate run the following:
kubectl delete certificate staging-cert-example-comTroubleshooting
Cert-Manager has a great page that describes how to troubleshoot.
Running the test suite
You can run the test suite with:
$ TEST_ZONE_NAME=example.com. make test