--- apiVersion: v1 kind: ServiceAccount metadata: name: alidns-webhook namespace: cert-manager labels: app: alidns-webhook --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: alidns-webhook namespace: cert-manager labels: app: alidns-webhook rules: - apiGroups: - '' resources: - 'secrets' verbs: - 'get' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: alidns-webhook:flowcontrol-solver labels: app: alidns-webhook rules: - apiGroups: - "flowcontrol.apiserver.k8s.io" resources: - 'prioritylevelconfigurations' - 'flowschemas' verbs: - 'list' - 'watch' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: alidns-webhook:flowcontrol-solver labels: app: alidns-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: alidns-webhook:flowcontrol-solver subjects: - apiGroup: "" kind: ServiceAccount name: alidns-webhook namespace: cert-manager --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: alidns-webhook namespace: cert-manager labels: app: alidns-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: alidns-webhook subjects: - apiGroup: "" kind: ServiceAccount name: alidns-webhook namespace: cert-manager --- # Grant the webhook permission to read the ConfigMap containing the Kubernetes # apiserver's requestheader-ca-certificate. # This ConfigMap is automatically created by the Kubernetes apiserver. apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: alidns-webhook:webhook-authentication-reader namespace: kube-system labels: app: alidns-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: extension-apiserver-authentication-reader subjects: - apiGroup: "" kind: ServiceAccount name: alidns-webhook namespace: cert-manager --- # apiserver gets the auth-delegator role to delegate auth decisions to # the core apiserver apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: alidns-webhook:auth-delegator namespace: cert-manager labels: app: alidns-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - apiGroup: "" kind: ServiceAccount name: alidns-webhook namespace: cert-manager --- # Grant cert-manager permission to validate using our apiserver apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: alidns-webhook:domain-solver labels: app: alidns-webhook rules: - apiGroups: - acme.yourcompany.com resources: - '*' verbs: - 'create' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: alidns-webhook:domain-solver labels: app: alidns-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: alidns-webhook:domain-solver subjects: - apiGroup: "" kind: ServiceAccount name: cert-manager namespace: cert-manager --- # Source: alidns-webhook/templates/service.yaml apiVersion: v1 kind: Service metadata: name: alidns-webhook namespace: cert-manager labels: app: alidns-webhook spec: type: ClusterIP ports: - port: 443 targetPort: https protocol: TCP name: https selector: app: alidns-webhook --- # Source: alidns-webhook/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: alidns-webhook namespace: cert-manager labels: app: alidns-webhook spec: replicas: selector: matchLabels: app: alidns-webhook template: metadata: labels: app: alidns-webhook spec: serviceAccountName: alidns-webhook containers: - name: alidns-webhook image: scjtqs/alidns-webhook:0.1.2 imagePullPolicy: IfNotPresent args: - --tls-cert-file=/tls/tls.crt - --tls-private-key-file=/tls/tls.key env: - name: GROUP_NAME value: "acme.yourcompany.com" ports: - name: https containerPort: 443 protocol: TCP livenessProbe: httpGet: scheme: HTTPS path: /healthz port: https readinessProbe: httpGet: scheme: HTTPS path: /healthz port: https volumeMounts: - name: certs mountPath: /tls readOnly: true resources: {} volumes: - name: certs secret: secretName: alidns-webhook-webhook-tls --- apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1alpha1.acme.yourcompany.com labels: app: alidns-webhook annotations: cert-manager.io/inject-ca-from: "cert-manager/alidns-webhook-webhook-tls" spec: group: acme.yourcompany.com groupPriorityMinimum: 1000 versionPriority: 15 service: name: alidns-webhook namespace: cert-manager version: v1alpha1 --- # Create a selfsigned Issuer, in order to create a root CA certificate for # signing webhook serving certificates apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: alidns-webhook-selfsign namespace: cert-manager labels: app: alidns-webhook spec: selfSigned: {} --- # Generate a CA Certificate used to sign certificates for the webhook apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: alidns-webhook-ca namespace: cert-manager labels: app: alidns-webhook spec: secretName: alidns-webhook-ca duration: 43800h # 5y issuerRef: name: alidns-webhook-selfsign commonName: "ca.alidns-webhook.cert-manager" isCA: true --- # Create an Issuer that uses the above generated CA certificate to issue certs apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: alidns-webhook-ca namespace: cert-manager labels: app: alidns-webhook spec: ca: secretName: alidns-webhook-ca --- # Finally, generate a serving certificate for the webhook to use apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: alidns-webhook-webhook-tls namespace: cert-manager labels: app: alidns-webhook spec: secretName: alidns-webhook-webhook-tls duration: 8760h # 1y issuerRef: name: alidns-webhook-ca dnsNames: - alidns-webhook - alidns-webhook.cert-manager - alidns-webhook.cert-manager.svc - alidns-webhook.cert-manager.svc.cluster.local --- apiVersion: v1 kind: Secret metadata: name: alidns-secret namespace: cert-manager data: access-key: YOUR_ACCESS_KEY secret-key: YOUR_SECRET_KEY --- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: alidns spec: acme: # Change to your letsencrypt email email: certmaster@example.com server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: name: alidns-account-key solvers: - dns01: webhook: groupName: acme.yourcompany.com solverName: alidns config: region: "" accessKeySecretRef: name: alidns-secret key: access-key secretKeySecretRef: name: alidns-secret key: secret-key