Add letsencrypt clusterissuers + hetzner webhook + reflector + auto wildcard cert generation #1332
Add LetsEncrypt ClusterIssuers + Hetzner webhook + Reflector + auto wildcard cert generation
This PR adds LetsEncrypt ClusterIssuers Helm Chart installation so that the cluster is set up and ready to generate TLS certs by passing both `HTTP-01` and `DNS-01` ACME challenges. While the former requires no additional dependencies apart from the ClusterIssuer itself, the latter requires the Hetzner API Webhook for the Cert Manager, which is also installed and set up by another Helm Chart included in `cluster_issuers.yaml.tpl`.

I've created a new `var.hetzner_dns_api_token` to set up the Hetzner DNS API Token in there (a Hetzner delegated DNS Zone is a must for this to work), and that variable is then encoded and passed on to `cluster_issuers.yaml.tpl` to generate `hetzner-dns-secret`, which the webhook uses to pass the challenge.

Finally, I've included a `wildcard_cert.yaml.tpl` which triggers auto wildcard cert secret generation using `common_name`, a template variable obtained from regexing the `var.base_domain` FQDN to obtain the root domain and request `*.example.com`, and flagged Reflector annotations for the secret. Reflector is a little utility that replicates annotated secrets in all or specifically selected namespaces. This is especially useful for TLS certs since they are often needed in more than one namespace. Both the ClusterIssuers and the Reflector installation are obviously flagged through `var.enable_cluster_issuers` and `var.enable_reflector` and disabled by default.

How to test
Assuming your DNS Zone is delegated to Hetzner:

- `var.enable_cluster_issuers` and `var.enable_reflector` set to `true`
- `var.base_domain` duly populated with a valid FQDN, and its A record pointed to your server (for single-node clusters) or cloud load balancer if you are using one
- `var.hetzner_dns_api_token` set
- `tofu apply` or `terraform apply` to create your cluster

If everything is correct, whenever your cluster is ready you should see both ClusterIssuers (prod and staging) up and running.
```shell
kubectl get clusterissuers -n cert-manager --kubeconfig k3s_kubeconfig.yaml
kubectl get certs -n cert-manager --kubeconfig k3s_kubeconfig.yaml
kubectl describe certs/wildcard-domain -n cert-manager --kubeconfig k3s_kubeconfig.yaml
kubectl get secrets --all-namespaces --kubeconfig k3s_kubeconfig.yaml
```
Caveats
If no Hetzner DNS Zone API Token is set or it is wrong, LetsEncrypt ClusterIssuers will still be properly installed and you will be able to pass `http-01` challenges to generate FQDN domains, but the `dns-01` challenge will fail and no wildcard cert will be generated. The same applies if your DNS Zone is not delegated to Hetzner.

You can disable Reflector if you don't need secret replication and it will only affect that; ClusterIssuers will still work as intended.

Bear in mind that the `dns-01` challenge needs to insert and propagate a record in the DNS Zone, so it can take up to 5 minutes to properly validate the wildcard cert. Everything is going as intended as long as the challenge logs do not return any errors.

Att: Repo maintainers: Please feel free to modify, comment, suggest, whatever you wish to do with this PR. Everything will be most welcome ;)
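The PR describes three pieces wired together: a root domain regexed out of `var.base_domain`, a wildcard Certificate whose Secret carries Reflector annotations, and a ClusterIssuer with an `http01` solver plus a `dns01` webhook solver that reads `hetzner-dns-secret`. The following is an added illustration, not code from this PR or from the kube-hetzner project: it renders those objects as plain Python dicts so the shape of each manifest can be checked offline. The regex, the Secret name `wildcard-domain-tls`, the `traefik` ingress class, the webhook `groupName`/`solverName`/`config` keys and the `selector.dnsNames` wiring are assumptions and must be matched against the actual webhook chart and the PR's templates before use.

```python
import json
import re

# Annotation keys understood by emberstack Reflector. cert-manager copies
# secretTemplate.annotations onto the issued TLS Secret, which is what lets
# Reflector replicate that Secret into other namespaces.
REFLECTOR_ALLOWED = "reflector.v1.k8s.emberstack.com/reflection-allowed"
REFLECTOR_AUTO = "reflector.v1.k8s.emberstack.com/reflection-auto-enabled"
REFLECTOR_NAMESPACES = "reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces"

# Assumed regex: any number of leading labels, then capture the last two.
# Caveat: zones under a two-label public suffix (e.g. "co.uk") would need a
# public-suffix list instead of this simple pattern.
_FQDN_RE = re.compile(r"^(?:[a-z0-9-]+\.)*([a-z0-9-]+\.[a-z0-9-]+)\.?$")


def root_domain(fqdn: str) -> str:
    """'k3s.example.com' -> 'example.com'; rejects single-label or malformed names."""
    match = _FQDN_RE.match(fqdn.strip().lower())
    if match is None:
        raise ValueError(f"not a usable FQDN for a wildcard cert: {fqdn!r}")
    return match.group(1)


def wildcard_common_name(base_domain: str) -> str:
    """The common_name template variable: '*.' prepended to the root domain."""
    return "*." + root_domain(base_domain)


def wildcard_certificate(base_domain, namespaces=None, issuer="letsencrypt-prod",
                         namespace="cert-manager"):
    """cert-manager Certificate for the wildcard, annotated for Reflector.

    With no explicit namespace list Reflector mirrors the Secret everywhere
    that asks for it; listing namespaces keeps the private key's blast radius
    to the namespaces that really terminate TLS.
    """
    root = root_domain(base_domain)
    annotations = {REFLECTOR_ALLOWED: "true", REFLECTOR_AUTO: "true"}
    if namespaces:
        annotations[REFLECTOR_NAMESPACES] = ",".join(namespaces)
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {"name": "wildcard-domain", "namespace": namespace},
        "spec": {
            "secretName": "wildcard-domain-tls",  # assumed name
            "commonName": "*." + root,
            "dnsNames": ["*." + root, root],
            "issuerRef": {"name": issuer, "kind": "ClusterIssuer"},
            "secretTemplate": {"annotations": annotations},
        },
    }


def cluster_issuer(name, email, root, staging=False, secret_name="hetzner-dns-secret"):
    """ClusterIssuer with an http01 fallback and a dns01 webhook solver.

    The dns01 solver is selected only for the wildcard name, so plain FQDNs
    keep working over http01 even when the Hetzner token is missing or wrong
    (the failure mode described in the Caveats above).
    """
    server = ("https://acme-staging-v02.api.letsencrypt.org/directory" if staging
              else "https://acme-v02.api.letsencrypt.org/directory")
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "ClusterIssuer",
        "metadata": {"name": name},
        "spec": {"acme": {
            "server": server,
            "email": email,
            "privateKeySecretRef": {"name": f"{name}-account-key"},
            "solvers": [
                {"http01": {"ingress": {"class": "traefik"}}},  # assumed class
                {
                    "selector": {"dnsNames": ["*." + root]},
                    "dns01": {"webhook": {  # assumed webhook field names
                        "groupName": "acme.example.com",
                        "solverName": "hetzner",
                        "config": {
                            "secretName": secret_name,  # holds the DNS API token
                            "zoneName": root,
                            "apiUrl": "https://dns.hetzner.com/api/v1",
                        },
                    }},
                },
            ],
        }},
    }


if __name__ == "__main__":
    # Constructed sample input, standing in for var.base_domain.
    print(json.dumps(wildcard_certificate("k3s.example.com", ["default"]), indent=2))
    print(json.dumps(cluster_issuer("letsencrypt-staging", "admin@example.com",
                                    root_domain("k3s.example.com"), staging=True), indent=2))
```

The `selector.dnsNames` entry pins the webhook solver to the wildcard request only; without a selector cert-manager would treat the dns01 solver as a candidate for every name in the zone, and a bad token would then break ordinary FQDN certs too rather than just the wildcard.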