
cert-manager webhook #707

Open
MrRulf opened this issue Mar 28, 2023 · 10 comments

Comments

@MrRulf

MrRulf commented Mar 28, 2023

Hello, I wanted to suggest making a cert-manager webhook for deSEC.
cert-manager is one of the best tools at what it does and deSEC is barely usable with it. The webhook that already exists seems deprecated and out of support, and not working with Kubernetes above version 1.25, and rfc2136, which would allow direct support from cert-manager, has been an open issue/feature request for deSEC for three years.
With TrueCharts also moving to mainly using cert-manager, this could be quite interesting for many people and make it easier to stay independent from Cloudflare.

@nils-wisiol
Contributor

deSEC has an integration for certbot: https://pypi.org/project/certbot-dns-desec/

Can you list concrete API requirements that are needed for better support in cert-manager? Why is certbot support not sufficient?

It appears from the webhook docs that RFC2136 is only one option to implement compatibility with cert-manager.

@MrRulf
Author

MrRulf commented Mar 29, 2023

Most of the following are not experiences I made myself or things I can vouch for because I'm an expert. I'm new to the space and most of the following comes out of the research I did for setting up my stuff.

> Why is certbot support not sufficient?

afaik cert-manager has "two" big advantages over certbot.

  1. cert-manager is the most industry-proven solution (or at least for Kubernetes)
  2. certbot seems to have issues with Kubernetes, while cert-manager is basically the standard there. Therefore, cert-manager is usable more universally.

> Can you list concrete API requirements that are needed for better support in cert-manager?

Right now there are three ways to support cert-manager.

  1. Be supported. Baked-in support like Cloudflare has. However, cert-manager does not allow new ones anymore; for that there are webhooks.
  2. Webhooks.
  3. Support rfc2136.

From what I know rfc2136 is the ideal way; however, #357 indicated that support for that will not come any time soon and it's quite complicated to implement.
With baked-in support from cert-manager being unrealistic, webhooks are the only option left. With a deprecated webhook already existing, that option shouldn't be much work, since the only known issue the deprecated webhook has is using an outdated version of something.

Now, I would do it by myself, but there are three reasons stopping me from that.

  • First, if the feature is provided by the community, there's always the risk that the one dev behind it stops developing it further.
  • Also, I'm new to all of this; even if I got it to run, I couldn't tell how secure etc. everything is.
  • And time. I know everybody could say the same, "I don't have time for this", but what I actually mean is that I probably have about one week every few months/half years. And I mean that as I say it, not the week spread over the months. Therefore bug fixes could take forever and we'd have a similar issue as with the deprecated webhook. And, of course, I don't think it's a good idea for me to release a piece of software that has an important job like working with certificates while not even knowing if what I produced is safe.

So, rfc2136 would be the ideal solution, but as it's a lot of work to implement, a webhook could be something that makes it possible to use cert-manager before that is done. And when rfc2136 support is done, the webhook could be deprecated.

@peterthomassen
Member

I agree this would be very cool to have, but unfortunately there's not much K8s and Go expertise here. I think we'll have to leave this to the community to provide. If you could recruit somebody to do it, I think that would be great!

@peterthomassen
Member

... forgot to mention, there's a deSEC library for Go (not maintained by us): https://pkg.go.dev/github.com/nrdcg/desec. Perhaps that's useful in moving this forward.

@MrRulf
Author

MrRulf commented Mar 31, 2023

I'll look if I can find somebody and/or if I could try it by myself, but I don't wanna make any promises here, as I already explained the issues I see earlier.

@mnlipp

mnlipp commented Jan 22, 2024

As an immediate measure, the reference to the webhook app on page https://github.com/desec-io/desec-stack/blob/main/docs/integrations/lets-encrypt.rst (currently https://github.com/kmorning/cert-manager-webhook-desec) should be changed and link to https://github.com/irreleph4nt/cert-manager-webhook-desec-http.

The former is outdated and its own author is considering using the latter. Using the outdated link from the deSEC page cost me considerable time.

@peterthomassen
Member

Sure. Please file a PR for the docs change and we can merge it momentarily.

@mnlipp

mnlipp commented Jan 22, 2024

Really? A PR for changing a single link? That's ridiculous. Someone with access to master can fix this in 15 seconds.

@peterthomassen
Member

Except that main is set up such that all changes require a PR.

This is an open source project with no paid staff. I'm not sure why you're assuming that others should spend time doing something you could do. It would not take much longer than commenting twice, especially when using the GUI. 🤷

@mnlipp

mnlipp commented Jan 22, 2024

Well, I simply didn't know that you yourself need a PR to change your own code. I set up my projects differently, as it clearly makes no sense to review my own PRs.

mnlipp added a commit to mnlipp/desec-stack that referenced this issue Jan 22, 2024