fabmade/cert-manager-webhook-ionos

Ionos webhook for cert manager

Cert-manager ACME DNS01 webhook provider for IONOS. See: https://cert-manager.io/docs/configuration/acme/dns01/webhook/

Install

Install cert manager

See: https://cert-manager.io/docs/installation/kubernetes/

Install webhook

Add helm repo

helm repo add cert-manager-webhook-ionos https://fabmade.github.io/cert-manager-webhook-ionos

Install helm chart

helm install cert-manager-webhook-ionos cert-manager-webhook-ionos/cert-manager-webhook-ionos -n cert-manager

Add secret

apiVersion: v1
stringData:
  IONOS_PUBLIC_PREFIX: <your-public-key>
  IONOS_SECRET: <your-private-key>
kind: Secret
metadata:
  name: ionos-secret
  namespace: cert-manager
type: Opaque

Add staging cluster issuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-ionos-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your-email>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-ionos-staging-key
    # Enable the dns01 challenge provider
    solvers:
      - dns01:
          webhook:
            groupName: acme.fabmade.de
            solverName: ionos
            config:
              apiUrl: https://api.hosting.ionos.com/dns/v1
              publicKeySecretRef:
                key: IONOS_PUBLIC_PREFIX
                name: ionos-secret
              secretKeySecretRef:
                key: IONOS_SECRET
                name: ionos-secret

Add prod cluster issuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-ionos-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your-email-address>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-ionos-prod
    # Enable the dns01 challenge provider
    solvers:
      - dns01:
          webhook:
            groupName: acme.fabmade.de
            solverName: ionos
            config:
              apiUrl: https://api.hosting.ionos.com/dns/v1
              publicKeySecretRef:
                key: IONOS_PUBLIC_PREFIX
                name: ionos-secret
              secretKeySecretRef:
                key: IONOS_SECRET
                name: ionos-secret

Add an Ingress or a Certificate for the example.com domain (replace it with your domain)

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-test-com
  namespace: your-namespace
spec:
  dnsNames:
    - '*.example.com'
  issuerRef:
    name: letsencrypt-ionos-staging
    kind: ClusterIssuer
  secretName: example-test-com-tls

Replace service "mybackend" with your own service

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-ionos-staging
  name: example-wildcard-ingress
  namespace: your-namespace
spec:
  rules:
    - host: '*.example.com'
      http:
        paths:
          - backend:
              service:
                name: mybackend
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - '*.example.com'
      secretName: example-ionos-tls-prod
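
To confirm that the steps above took effect, the following added example (not part of this project) checks the objects created in this section with kubectl, without ever printing the API keys. It assumes the resource names used in this README and read access to the cert-manager namespace; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the project. Resource names are the ones used
# in this README. Requires kubectl with read access to the cluster.

# secret_has_key NAMESPACE SECRET KEY
# Succeeds when the key exists and is non-empty; the value is never printed.
secret_has_key() {
  val=$(kubectl get secret "$2" -n "$1" -o "jsonpath={.data.$3}" 2>/dev/null) || return 1
  [ -n "$val" ]
}

# is_ready KIND NAME NAMESPACE
# Succeeds when the object's Ready condition is "True".
# kubectl ignores -n for cluster-scoped kinds such as ClusterIssuer.
is_ready() {
  status=$(kubectl get "$1" "$2" -n "$3" \
    -o 'jsonpath={.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null) || return 1
  [ "$status" = "True" ]
}

# check_ionos_setup ISSUER CERT_NAMESPACE CERT_NAME
# Prints one line per check and returns the number of failed checks.
check_ionos_setup() {
  failures=0
  for key in IONOS_PUBLIC_PREFIX IONOS_SECRET; do
    if secret_has_key cert-manager ionos-secret "$key"; then
      echo "ok:   ionos-secret has $key"
    else
      echo "FAIL: ionos-secret has no value for $key"
      failures=$((failures + 1))
    fi
  done
  if is_ready clusterissuer "$1" cert-manager; then
    echo "ok:   ClusterIssuer $1 is Ready"
  else
    echo "FAIL: ClusterIssuer $1 is not Ready"
    failures=$((failures + 1))
  fi
  if is_ready certificate "$3" "$2"; then
    echo "ok:   Certificate $2/$3 is Ready"
  else
    echo "FAIL: Certificate $2/$3 is not Ready; inspect its Order and Challenge objects"
    failures=$((failures + 1))
  fi
  return "$failures"
}

# Usage: check_ionos_setup letsencrypt-ionos-staging your-namespace example-test-com
```

A non-zero exit status is the number of failed checks, so the function can gate a deployment pipeline step.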

Custom DNS settings

If your cluster DNS cannot resolve api.hosting.ionos.com (e.g. when using internal DNS servers), you can override the webhook pod's DNS settings:

helm install cert-manager-webhook-ionos cert-manager-webhook-ionos/cert-manager-webhook-ionos \
  -n cert-manager \
  --set dnsPolicy=None \
  --set 'dnsConfig.nameservers[0]=1.1.1.1' \
  --set 'dnsConfig.nameservers[1]=8.8.8.8'

Uninstall webhook

helm uninstall cert-manager-webhook-ionos -n cert-manager

Running the test suite

All DNS providers must run the DNS01 provider conformance testing suite; otherwise their behaviour when used with cert-manager is undetermined.

It is essential that you configure and run the test suite when creating a DNS01 webhook.

An example Go test file has been provided in main_test.go.

You can run the test suite with:

$ TEST_ZONE_NAME=example.com. make test

The example file has a number of areas you must fill in and replace with your own options in order for tests to pass.
