Go Report Card GitHub license Kubernetes Compatible
alidns-webhook is a generic ACME solver for cert-manager.
This tutorial will detail how to configure and install the webhook to your cluster with alidns.
Before installing this webhook, make sure you have cert-manager installed correctly.
If you haven't installed it yet, you can get the installation instructions from the cert-manager documentation.
If you have Helm, you can deploy the alidns-webhook with the following command:
helm upgrade --install alidns-webhook alidns-webhook \ --repo https://wjiec.github.io/alidns-webhook \ --namespace cert-manager --create-namespace \ --set groupName=acme.yourcompany.com # Note: If you installed cert-manager via bitnami charts, you need to add the additional # `--set certManager.serviceAccountName=cert-manager-controller` # parameter to specify the ServiceAccount to use.
It will install the alidns-webhook in the cert-manager namespace, creating that namespace if it doesn't already exist.
If you can't get the image directly through DockerHub, you can use Aliyun's image repository by adding the following parameter to the installation command:
--set image.repository=registry.cn-hangzhou.aliyuncs.com/wjiec/alidns-webhook
Create this definition locally and update the email address and groupName to your own. Please see more details in cert-manager configuration.
Ensure the groupName matches the config in the webhook.
# # example-acme-issuer.yaml # apiVersion: v1 kind: Secret metadata: name: alidns-secret namespace: cert-manager stringData: access-key-id: "Your Access Key Id" access-key-secret: "Your Access Key Secret" --- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: example-acme spec: acme: # The ACME server URL server: https://acme-v02.api.letsencrypt.org/directory # Email address used for ACME registration email: your@example.com # Change ME # Name of a secret used to store the ACME account private key privateKeySecretRef: name: example-acme solvers: - dns01: webhook: groupName: acme.yourcompany.com # Change ME solverName: alidns config: region: "cn-hangzhou" # Optional accessKeyIdRef: name: alidns-secret key: access-key-id accessKeySecretRef: name: alidns-secret key: access-key-secret
Once edited, apply the custom resource:
kubectl create --edit -f example-acme-issuer.yaml
We can deploy a certificate directly on Ingress, edit the ingress add the annotations:
kind: Ingress apiVersion: networking.k8s.io/v1 metadata: name: foo-example-com annotations: cert-manager.io/cluster-issuer: "example-acme" # cert-manager.io/issuer: "example-acme" spec: tls: - hosts: - foo.example.com secretName: foo-example-com-tls rules: - host: foo.example.com http: paths: - path: / pathType: Prefix backend: service: name: backend-service port: name: http
Or we can create a Certificate resource that is to be honored by an issuer which is to be kept up-to-date.
apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: star-example-com spec: secretName: star-example-com-tls commonName: "example.com" dnsNames: - "example.com" - "*.example.com" issuerRef: name: example-acme kind: ClusterIssuer # kind: Issuer
Then we can refer to that secrets(secretName) in Ingress.
The following table lists the correspondences between alidns-webhook and k8s versions.
| Alidns-Webhook version | k8s supported version | Helm Chart Version |
|---|---|---|
| v1.0.* | 1.31, 1.30, 1.29, 1.28, 1.27, 1.26 | 1.0.* |
| v0.1.0 | 1.31, 1.30, 1.29, 1.28, 1.27, 1.26 | 0.1.* |