This project provides a cert-manager ACME Webhook for Hetzner DNS and is based on the Example Webhook
This README and the inspiration for this webhook was mostly taken from Stephan Müllers INWX Webhook.
The Helm Chart is automatically published via github pages.
- helm >= v3.0.0
- kubernetes
- cert-manager
- webhook image: v0.5.0
- cert-manager: v1.12.5
- kubernetes: v1.26.7
The following table lists the configurable parameters of the cert-manager chart and their default values.
| Parameter | Description | Default |
|---|---|---|
groupName |
Group name of the API service. | dns.hetzner.cloud |
certManager.namespace |
Namespace where cert-manager is deployed to. | kube-system |
certManager.serviceAccountName |
Service account of cert-manager installation. | cert-manager |
image.repository |
Image repository | mecodia/cert-manager-webhook-hetzner |
image.tag |
Image tag | latest |
image.pullPolicy |
Image pull policy | Always |
service.type |
API service type | ClusterIP |
service.port |
API service port | 443 |
resources |
CPU/memory resource requests/limits | {} |
nodeSelector |
Node labels for pod assignment | {} |
affinity |
Node affinity for pod assignment | {} |
tolerations |
Node tolerations for pod assignment | [] |
Follow the instructions using the cert-manager documentation to install it within your cluster.
git clone https://github.com/mecodia/cert-manager-webhook-hetzner.git
cd cert-manager-webhook-hetzner
helm install --namespace kube-system cert-manager-webhook-hetzner ./charts/cert-manager-webhook-hetznerNote: The kubernetes resources used to install the Webhook should be deployed within the same namespace as the cert-manager.
To uninstall the webhook run
helm uninstall --namespace kube-system cert-manager-webhook-hetznerCreate a ClusterIssuer or Issuer resource as following:
---
apiVersion: v1
kind: Secret
metadata:
name: cert-manager-webhook-hetzner-key
data:
apiKey: <YOUR-BASE64-ENCODED-DNS-API-KEY-HERE>
type: Opaque
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# The ACME server URL (attention, this is the staging one!)
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging-account-key
solvers:
- dns01:
webhook:
groupName: dns.hetzner.cloud
solverName: hetzner
config:
apiKeySecretRef:
name: cert-manager-webhook-hetzner-key
key: apiKeyFor accessing the Hetzner DNS API, you need an API Token which you can create in the DNS Console.
Currently, we don't provide a way to use secrets for you API KEY.
Finally, you can create certificates, for example:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-wildcard-cert
namespace: cert-manager
spec:
commonName: "*.example.com"
dnsNames:
- "*.example.com"
issuerRef:
kind: ClusterIssuer
name: letsencrypt-staging
secretName: example-cert- go >= 1.21
-
Create a new test account at Hetzner DNS Console or use an existing account
-
Go to
testdata/hcloud-dns/config.jsonand replace your api key. -
Download dependencies
go mod download
-
Run tests (replace zone name with one of your zones)
env TEST_ZONE_NAME='warbl.net.' make test
Dockerhub is set up to automatically build images from tagged commits.
Example tags are:
cert-manager-webhook-hetzner-0.3.0-rc4
cert-manager-webhook-hetzner-0.3.0
cert-manager-webhook-hetzner-0.1
cert-manager-webhook-hetzner-1.1
Github should take care of the helm chart updates.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent