# STACKIT Webhook Integration for Cert Manager

A webhook integration that uses STACKIT DNS and its API so that it can act as a DNS01 ACME issuer with cert-manager.
## Installation

```shell
helm install stackit-cert-manager-webhook \
  --namespace cert-manager \
  https://github.com/stackitcloud/stackit-cert-manager-webhook/releases/download/v0.1.1/stackit-cert-manager-webhook-v0.1.1.tgz
```
## Usage

- Create the STACKIT authentication token secret:

  ```shell
  kubectl create secret generic stackit-cert-manager-webhook \
    --namespace=cert-manager \
    --from-literal=auth-token=<STACKIT AUTH TOKEN>
  ```

- Configure a ClusterIssuer or Issuer:

  When all zones and record sets live in a single project, use a ClusterIssuer:

  ```yaml
  apiVersion: cert-manager.io/v1
  kind: ClusterIssuer
  metadata:
    name: letsencrypt-prod
  spec:
    acme:
      server: https://acme-v02.api.letsencrypt.org/directory
      email: example@example.com # Replace this with your email address
      privateKeySecretRef:
        name: letsencrypt-prod
      solvers:
        - dns01:
            webhook:
              solverName: stackit
              groupName: stackit.de
              config:
                projectId: <STACKIT PROJECT ID>
  ```
  When zones are spread across several projects, each requiring its own authentication token, use an Issuer instead. This ties each namespace to one project.

  ```shell
  kubectl create secret generic stackit-cert-manager-webhook \
    --namespace=default \
    --from-literal=auth-token=<STACKIT AUTH TOKEN>
  ```

  ```yaml
  apiVersion: cert-manager.io/v1
  kind: Issuer
  metadata:
    name: letsencrypt-prod
    namespace: default
  spec:
    acme:
      server: https://acme-v02.api.letsencrypt.org/directory
      email: example@example.com # Replace this with your email address
      privateKeySecretRef:
        name: letsencrypt-prod
      solvers:
        - dns01:
            webhook:
              solverName: stackit
              groupName: stackit.de
              config:
                projectId: <STACKIT PROJECT ID>
                authTokenSecretNamespace: default
  ```

  Note: the authentication token secret must exist in the namespace referenced by the issuer, and the token must have permission to access the zones of the configured project.
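The note above describes a wiring invariant that is easy to get wrong when several Issuers point at different projects: every STACKIT solver needs a `stackit-cert-manager-webhook` secret with an `auth-token` key in the namespace the webhook will read from. The following is an added example, not code from the stackit-cert-manager-webhook project: a preflight check over Issuer/ClusterIssuer and Secret objects given as plain dicts (the shape `kubectl get <kind> -o json` returns under `.items`). It assumes, based on the manifests above, that a ClusterIssuer reads the secret from the `cert-manager` namespace and an Issuer from `authTokenSecretNamespace`; all sample objects are constructed.

```python
"""Preflight check of the STACKIT webhook's auth-token secret wiring.

Added example, not part of the stackit-cert-manager-webhook project.
All sample Issuer/Secret objects below are constructed for this example.
"""
import base64

CERT_MANAGER_NAMESPACE = "cert-manager"       # where the webhook is installed (see Installation)
SECRET_NAME = "stackit-cert-manager-webhook"  # secret name used in the setup steps above
SECRET_KEY = "auth-token"                     # key holding the STACKIT auth token
SOLVER_NAME, GROUP_NAME = "stackit", "stackit.de"
PLACEHOLDER = "<STACKIT AUTH TOKEN>"          # README placeholder, never a real token


def stackit_solvers(issuer):
    """Yield the webhook block of every STACKIT DNS01 solver in an issuer."""
    for solver in issuer.get("spec", {}).get("acme", {}).get("solvers", []):
        webhook = solver.get("dns01", {}).get("webhook", {})
        if webhook.get("solverName") == SOLVER_NAME and webhook.get("groupName") == GROUP_NAME:
            yield webhook


def secret_namespace_for(issuer, config):
    """Namespace the webhook is expected to read the token from.

    Assumption taken from the manifests above: a ClusterIssuer uses the secret in
    the cert-manager namespace, an Issuer the one named in authTokenSecretNamespace
    (None when that field is absent).
    """
    if issuer["kind"] == "ClusterIssuer":
        return CERT_MANAGER_NAMESPACE
    return config.get("authTokenSecretNamespace")


def check_issuers(issuers, secrets):
    """Return human-readable findings; an empty list means every solver can find its token."""
    by_ref = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    findings = []
    for issuer in issuers:
        meta = issuer["metadata"]
        label = f"{issuer['kind']} {meta['name']}"
        if "namespace" in meta:
            label += f" in namespace {meta['namespace']}"
        for webhook in stackit_solvers(issuer):
            config = webhook.get("config", {})
            if not config.get("projectId"):
                findings.append(f"{label}: webhook config has no projectId")
            ns = secret_namespace_for(issuer, config)
            if ns is None:
                findings.append(f"{label}: Issuer config lacks authTokenSecretNamespace")
                continue
            ref = f"{ns}/{SECRET_NAME}"
            secret = by_ref.get((ns, SECRET_NAME))
            if secret is None:
                findings.append(f"{label}: secret {ref} not found")
                continue
            raw = secret.get("data", {}).get(SECRET_KEY)
            if raw is None:
                findings.append(f"{label}: secret {ref} has no {SECRET_KEY} key")
                continue
            token = base64.b64decode(raw).decode()  # kubectl -o json stores data base64-encoded
            if not token.strip():
                findings.append(f"{label}: secret {ref} has an empty {SECRET_KEY}")
            elif token == PLACEHOLDER:
                findings.append(f"{label}: secret {ref} still holds the README placeholder")
    return findings


def sample_secret(namespace, token):
    """Constructed Secret in the shape kubectl returns (data values base64-encoded)."""
    return {"kind": "Secret",
            "metadata": {"name": SECRET_NAME, "namespace": namespace},
            "data": {SECRET_KEY: base64.b64encode(token.encode()).decode()}}


def sample_issuer(kind, namespace, project_id, token_namespace=None):
    """Constructed Issuer/ClusterIssuer matching the manifests shown above."""
    config = {"projectId": project_id}
    if token_namespace is not None:
        config["authTokenSecretNamespace"] = token_namespace
    meta = {"name": "letsencrypt-prod"}
    if namespace is not None:
        meta["namespace"] = namespace
    return {"apiVersion": "cert-manager.io/v1", "kind": kind, "metadata": meta,
            "spec": {"acme": {"solvers": [{"dns01": {"webhook": {
                "solverName": SOLVER_NAME, "groupName": GROUP_NAME, "config": config}}}]}}}


SAMPLE_SECRETS = [
    sample_secret("cert-manager", "constructed-token-project-a"),
    sample_secret("default", "constructed-token-project-b"),
    sample_secret("team-c", ""),  # created, but with an empty token
]
SAMPLE_ISSUERS = [
    sample_issuer("ClusterIssuer", None, "project-a"),
    sample_issuer("Issuer", "default", "project-b", token_namespace="default"),
    sample_issuer("Issuer", "team-c", "project-c", token_namespace="team-c"),  # empty token
    sample_issuer("Issuer", "team-d", "project-d", token_namespace="team-d"),  # secret never created
    sample_issuer("Issuer", "team-e", "project-e"),                            # namespace field forgotten
]

if __name__ == "__main__":
    for finding in check_issuers(SAMPLE_ISSUERS, SAMPLE_SECRETS):
        print(finding)
```

Run it against `kubectl get issuers,clusterissuers -A -o json` and `kubectl get secrets -A -o json` output before rolling out new Issuers; a finding here shows up in the cluster as a webhook that cannot authenticate to the STACKIT API, which is harder to diagnose from cert-manager's challenge events alone.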
## Test Procedures
## Release Process Overview

Our release pipeline uses goreleaser to build and publish the release assets:

- Pre-compiled binaries for the supported platforms.
- Docker images ready for production use.

goreleaser does not, however, support Helm chart distribution as part of its standard workflow. Historically, adding the Helm chart to a release was a manual step: after goreleaser produced the base release, the packaged chart was attached to it as an additional asset by hand.

The chart itself was packaged with:

```shell
helm package deploy/stackit
```

To release a new version of the Helm chart, update the `version` field in `Chart.yaml`, then create a new release so the change is included.
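Because the chart version is bumped by hand, a release can silently ship a chart whose version did not move, or moved backwards, and Helm repositories then refuse or mis-order it. The helper below is an added example, not part of the project's tooling: it rewrites the top-level `version:` line of a `Chart.yaml` and refuses anything that is not a strictly increasing MAJOR.MINOR.PATCH. The `Chart.yaml` contents are constructed for the example; only the name and the v0.1.1 version come from this page.

```python
"""Bump the top-level `version:` of a Helm Chart.yaml safely.

Added example, not part of the stackit-cert-manager-webhook release tooling.
"""
import re
import sys

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
# Top-level only: no leading whitespace allowed, so nested `version:` keys are ignored.
VERSION_LINE = re.compile(r"""^(version:\s*["']?)([^\s"']+)(["']?)\s*$""", re.MULTILINE)


def parse_semver(version):
    """Return (major, minor, patch) as ints or raise ValueError."""
    match = SEMVER.match(version)
    if not match:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {version!r}")
    return tuple(int(part) for part in match.groups())


def current_chart_version(chart_yaml):
    """Extract the chart version from Chart.yaml text."""
    match = VERSION_LINE.search(chart_yaml)
    if not match:
        raise ValueError("Chart.yaml has no top-level 'version:' line")
    return match.group(2)


def bump_chart_version(chart_yaml, new_version):
    """Return Chart.yaml text with the version replaced; refuse equal or lower versions."""
    old_version = current_chart_version(chart_yaml)
    if parse_semver(new_version) <= parse_semver(old_version):
        raise ValueError(f"new version {new_version} is not greater than current {old_version}")
    return VERSION_LINE.sub(lambda m: m.group(1) + new_version + m.group(3), chart_yaml, count=1)


# Constructed Chart.yaml; the real deploy/stackit/Chart.yaml may differ.
SAMPLE_CHART = """apiVersion: v2
name: stackit-cert-manager-webhook
type: application
version: 0.1.1
appVersion: v0.1.1
"""

if __name__ == "__main__":
    # Usage: python bump_chart.py deploy/stackit/Chart.yaml 0.1.2
    path, new_version = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        text = fh.read()
    with open(path, "w") as fh:
        fh.write(bump_chart_version(text, new_version))
    print(f"{path}: {current_chart_version(text)} -> {new_version}")
```

Run it before `helm package deploy/stackit`; a rejected bump is the signal that the version in `Chart.yaml` was never changed for the release.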