
Webhook support cert-manager

Open icu-nl opened this issue 1 year ago • 5 comments

Is your feature request related to a problem?

The Clusterissuer chart currently only supports a few ACME providers. Other DNS providers are not listed, but might support ACME DNS01 validation using a cert-manager webhook.

Describe the solution you'd like

Additional configuration of clusterissuer to support custom DNS providers using webhooks for cert-manager

Describe alternatives you've considered

Moving my domains to Cloudflare is a bit too much

Additional context

see https://github.com/robbietjuh/cert-manager-webhook-transip

I've read and agree with the following

  • [X] I've checked all open and closed issues and my request is not there.
  • [X] I've checked all open and closed pull requests and my request is not there.

icu-nl avatar Jan 08 '24 22:01 icu-nl

Perhaps acme.sh (https://github.com/acmesh-official/acme.sh) is a more flexible tool

icu-nl avatar Jan 09 '24 19:01 icu-nl

What does acme.sh have to do with cert-manager?

stavros-k avatar Jan 12 '24 21:01 stavros-k

There is a significant impediment to implementing this. Per the cert-manager webhook documentation, there is per-webhook custom config. For example, the TransIP webhook you linked needs accountName, ttl, and a privateKeySecretRef. This deSEC webhook that I want to use requires an apiKeySecretRef.

Because each webhook can have different fields, TrueCharts can't just add a single "custom webhook" field and call it done. Each DNS provider's webhook would need custom Helm code from TrueCharts devs (unless some Helm wizard finds a way).

IMO, this is a design flaw in the cert-manager webhook spec. I have not looked into any available documentation or discussions on how cert-manager reached this design; there may be good reason for it.

leapwill avatar Mar 01 '24 00:03 leapwill
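As an added illustration (not TrueCharts', cert-manager's or any webhook project's own code) of the "Helm wizard" route mentioned above: cert-manager's webhook solver takes an arbitrary `config` object, so a chart can render whatever map the user supplies instead of templating each provider's fields. The `webhookSolvers` values key, the `groupName`/`solverName` values and the secret names are assumptions; the `accountName`, `ttl`, `privateKeySecretRef` and `apiKeySecretRef` fields are the ones named in this comment.

```yaml
# values.yaml (assumed structure, constructed for this example)
# webhookSolvers:
#   - dnsZones: ["example.net"]
#     groupName: acme.example.org   # placeholder: use the value the webhook documents
#     solverName: transip           # placeholder
#     config:                       # free-form, passed through untouched
#       accountName: my-transip-account
#       ttl: 300
#       privateKeySecretRef:
#         name: transip-credentials
#         key: privateKey
#   - dnsZones: ["example.org"]
#     groupName: acme.example.org   # placeholder
#     solverName: desec             # placeholder
#     config:
#       apiKeySecretRef:
#         name: desec-credentials
#         key: token

# templates/clusterissuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: {{ .Values.issuerName | default "letsencrypt-prod" }}
spec:
  acme:
    server: {{ .Values.acmeServer | default "https://acme-v02.api.letsencrypt.org/directory" }}
    email: {{ required "acmeEmail is required" .Values.acmeEmail }}
    privateKeySecretRef:
      name: {{ .Values.issuerName | default "letsencrypt-prod" }}-account-key
    solvers:
    {{- range .Values.webhookSolvers }}
    - selector:
        dnsZones:
        {{- toYaml .dnsZones | nindent 8 }}
      dns01:
        webhook:
          groupName: {{ required "each webhook solver needs groupName" .groupName }}
          solverName: {{ required "each webhook solver needs solverName" .solverName }}
          # The map is rendered verbatim; cert-manager forwards it to the webhook,
          # which validates its own fields. Secrets referenced here are read by the
          # webhook pod, so they must live where it is allowed to read them (for a
          # ClusterIssuer, cert-manager's own namespace).
          config:
          {{- toYaml .config | nindent 12 }}
    {{- end }}
```

This only covers the templating side; a fixed-field GUI form cannot express an arbitrary map, which is the other constraint raised in this thread.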

There is a significant impediment to implementing this. Per the cert-manager webhook documentation, there is per-webhook custom config

Hence we need per-webhook enhancement requests

Each DNS provider's webhook would need custom Helm code from TrueCharts devs (unless some Helm wizard finds a way).

No, that won't happen, because webhooks will be integrated in the cert-manager or clusterissuer charts. We also need to spin up the SCALE GUI, which cannot be templated at all at this time.

IMO, this is a design flaw in the cert-manager webhook spec. I have not looked into any available documentation or discussions on how cert-manager reached this design; there may be good reason for it.

The problem is that every API is different. So they picked the solution that would always work.

PrivatePuffin avatar Mar 01 '24 09:03 PrivatePuffin

If you want to expedite this enhancement, please consider putting a bounty on it here:

https://opencollective.com/truecharts-bounties/contribute/place-bounty-72003

PrivatePuffin avatar Mar 03 '24 13:03 PrivatePuffin