This solver can be used when you want to use cert-manager with Hurricane Electric hosted DNS zones.
Note: This is an almost direct copy of vadikim's cert-manager-webhook-hetzner with heavy adjustments to accommodate using Hurricane Electric's Dynamic DNS interface.
This is not considered ready for production, nor has it been tested. I do not know enough Go to make heads or tails of the code, but I know enough to be dangerous.
This version is provided as-is, without any guarantees that it won't wreck your coffee maker or Kubernetes installation. Use at your own risk!
- go >= 1.17.0
- helm >= v3.0.0
- kubernetes >= v1.21.1
- cert-manager >= 1.7.0
Follow the instructions in the cert-manager documentation to install cert-manager within your cluster.
```shell
helm repo add cert-manager-webhook-henet https://diftraku.github.io/cert-manager-webhook-henet
# Replace the groupName value with your desired domain
helm install --namespace cert-manager cert-manager-webhook-henet cert-manager-webhook-henet/cert-manager-webhook-henet --set groupName=acme.yourdomain.tld
```
Alternatively, from a checkout of this repository, install the chart from the local `deploy/` directory:
```shell
helm install --namespace cert-manager cert-manager-webhook-henet deploy/cert-manager-webhook-henet
```
Note: The Kubernetes resources used to install the webhook must be deployed in the same namespace as cert-manager.
To uninstall the webhook run:
```shell
helm uninstall --namespace cert-manager cert-manager-webhook-henet
```
Create a `ClusterIssuer` or `Issuer` resource as follows:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          webhook:
            # This group needs to be configured when installing the helm package, otherwise the webhook won't have permission to create an ACME challenge for this API group.
            groupName: acme.yourdomain.tld
            solverName: hurricane-electric
            config:
              secretName: henet-secret
              apiUrl: https://dyn.dns.he.net
```
In order to access the henet API, the webhook needs the dynamic DNS key for the record, stored in a Kubernetes Secret under the `password` key. If you choose a name for the secret other than `henet-secret`, ensure you modify the value of `secretName` in the `[Cluster]Issuer` accordingly.
The secret for the example above will look like this:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: henet-secret
  namespace: cert-manager
type: Opaque
data:
  password: your-key-base64-encoded
```
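The `data.password` value must be the base64 encoding of the key exactly as the control panel shows it. The following added example (not part of this project) builds the manifest above from a key with `printf`, because `echo` would append a newline that then becomes part of the key sent to `dyn.dns.he.net` and makes every update fail authentication. It assumes a POSIX shell with `base64` from GNU coreutils.

```shell
#!/bin/sh
# Added example, not project code: emit the henet-secret manifest from a
# Hurricane Electric dynamic DNS key without the trailing-newline pitfall.
# Assumes POSIX sh and GNU coreutils base64.

# Encode exactly the bytes of $1. printf (unlike echo) adds no "\n";
# tr removes the line wrapping GNU base64 inserts for long input.
encode_key() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode the way the kubelet will, to verify what the webhook gets back.
decode_key() {
  printf '%s' "$1" | base64 -d
}

# Emit the Secret manifest; name and namespace match the README example.
henet_secret_manifest() {
  key="$1"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: henet-secret
  namespace: cert-manager
type: Opaque
data:
  password: $(encode_key "$key")
EOF
}

# Usage with a constructed sample key (replace with the key from the
# HE control panel): henet_secret_manifest 'ExampleDynKey123' | kubectl apply -f -
```

Piping the manifest straight into `kubectl apply -f -` avoids leaving the key in a file on disk.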
Finally you can create certificates, for example:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: cert-manager
spec:
  commonName: example.com
  dnsNames:
    - example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  secretName: example-cert
```
All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.
It is essential that you configure and run the test suite when creating a DNS01 webhook.
First, you need a Hurricane Electric account with access to the DNS control panel. Create a new TXT record named `cert-manager-dns01-tests` with a TTL of 5 minutes, and make sure "Enable entry for dynamic dns" is checked. Use the circular arrows icon to set or generate the key for dynamic updates.
You can either set the `zoneName` parameter in `testdata/henet/config.json` to your zone name, or pass it through the `TEST_ZONE_NAME` environment variable as in the example below.
You must also base64-encode the dynamic DNS key and put the encoded value into the `testdata/henet/henet-secret.yml` file.
You can run the test suite with:
```shell
$ TEST_ZONE_NAME=example.com. make test
```