Usage:
helm install desec-http oci://ghcr.io/irreleph4nt/cert-manager-webhook-desec-http -f values.yaml -n cert-manager
Testing:
TEST_DOMAIN_NAME=<domain name> TEST_SECRET=$(echo -n '<DESEC API TOKEN>' | base64) make test
desec-http | built with | notable features |
---|---|---|
v1.0.1 | cert-manager v1.13 | deSEC API Rate limiting log.SetLogger(...) fix |
v1.0.0 | cert-manager v1.11 | initial release |
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: desec-http
namespace: cert-manager
spec:
acme:
email: <YOUR ACME E-MAIL ADDRESS>
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: cert-manager-desec-http-secret
solvers:
- dns01:
webhook:
groupName: <YOUR GROUP NAME>
solverName: desec-http
config:
apiUrl: https://desec.io/api/v1
domainName: <YOUR DNS ZONE>
secretName: cert-domain-tls-key-<YOUR DNS ZONE>
secretKeyName: desec-token
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: cert-domain-tls-key-<DNS ZONE>
namespace: cert-manager
stringData:
desec-token: <YOUR DESEC TOKEN>
groupName: <YOUR DNS ZONE>
certManager:
serviceAccountName: cert-manager
namespace: cert-manager
image:
repository: ghcr.io/irreleph4nt/cert-manager-webhook-desec-http
tag: ""
pullPolicy: IfNotPresent
replicaCount: 1
nameOverride: ""
fullnameOverride: ""
service:
type: ClusterIP
port: 443
secretName:
- cert-domain-tls-key-<YOUR DNS ZONE>
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 250m
memory: 256Mi
podSecurityContext:
enabled: true
fsGroup: 1001
containerSecurityContext:
enabled: true
runAsUser: 1001
readOnlyRootFilesystem: true
runAsNonRoot: true
This webhook was inspired by dmahmalat/cert-manager-webhook-google-domains, which solves DNS01 challenges by interacting with Google's public ACME API over HTTP requests. In that way, desec-http is more similar to it than to kmorning/cert-manager-webhook-desec, which re-implements parts of the deSEC API in GO to achieve the same result.