Using cert-manager to Issue Free Certificate for DNSPod Domain Name

Last updated: 2021-12-03 16:13:23

Overview

If you use DNSPod to manage your domain names and want to automatically issue free certificates for those domain names in Kubernetes, you can do so with cert-manager.

cert-manager supports many DNS providers but not DNSPod. However, it offers a webhook to support more providers, and support for DNSPod is also implemented in the community. This document describes how to use cert-manager and cert-manager-webhook-dnspod to automatically issue free certificates for domain names in DNSPod.

Basic Knowledge

We recommend you read Using cert-manager to Issue Free Certificates first.

Directions

1. Create a DNSPod key

Log in to the DNSPod console. In Key Management, create a key and copy the automatically generated ID and Token.

2. Install cert-manager

Install cert-manager. For more information, please see Using cert-manager to Issue Free Certificates.

3. Install cert-manager-webhook-dnspod

Use Helm to install cert-manager-webhook-dnspod. First, prepare a Helm values file.
Below is a sample dnspod-webhook-values.yaml:

groupName: example.your.domain # Enter a custom group name

secrets: # Paste the generated ID and token below
  apiID: "<id>"
  apiToken: "<token>"

clusterIssuer:
  enabled: true # Automatically create a ClusterIssuer
  email: your@email.com # Enter your email address

For the complete configuration, please see values.yaml.

Install with Helm:

git clone --depth 1 https://github.com/qqshfox/cert-manager-webhook-dnspod.git
helm upgrade --install -n cert-manager -f dnspod-webhook-values.yaml cert-manager-webhook-dnspod ./cert-manager-webhook-dnspod/deploy/cert-manager-webhook-dnspod

4. Create a certificate

Use the following YAML file to create a Certificate object to issue a free certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-crt
  namespace: istio-system
spec:
  secretName: example-com-crt-secret # The certificate is stored in this secret
  issuerRef:
    name: cert-manager-webhook-dnspod-cluster-issuer # The automatically generated ClusterIssuer is used here
    kind: ClusterIssuer
    group: cert-manager.io
  dnsNames: # Enter the list of domain names for which to issue certificates. Ensure that all the domain names are managed by DNSPod
  - example.com
  - test.example.com

If the READY column shows True, the certificate has been issued successfully:

$ kubectl -n istio-system get certificates.cert-manager.io
NAME              READY   SECRET                   AGE
example-com-crt   True    example-com-crt-secret   25d

If the issuance fails, you can run describe to view the cause:

kubectl -n istio-system describe certificates.cert-manager.io example-com-crt
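
The READY check above can also be scripted, for example as a gate before an Ingress is pointed at the Secret. The following is an added example, not part of the original document or of cert-manager: it reads the JSON form of the Certificate object and reports a missing or false Ready condition, domain names absent from dnsNames, and an expiry date that is too close. The function names, the 15-day threshold and the embedded sample are assumptions made for illustration.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of `kubectl -n istio-system get certificates.cert-manager.io
# example-com-crt -o json`, trimmed to the fields read below; values are made up.
SAMPLE = """
{"spec": {"dnsNames": ["example.com", "test.example.com"]},
 "status": {"notAfter": "2022-03-03T08:13:23Z",
   "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                   "message": "Certificate is up to date and has not expired"}]}}
"""

def parse_time(value):
    # Kubernetes serializes timestamps as RFC 3339 in UTC, e.g. 2022-03-03T08:13:23Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_certificate(doc, expected_names, now, min_remaining=timedelta(days=15)):
    """Return a list of problems; an empty list means the certificate is usable."""
    problems = []
    spec, status = doc.get("spec", {}), doc.get("status", {})
    ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
    if ready is None:
        problems.append("no Ready condition reported yet")
    elif ready.get("status") != "True":
        problems.append(f"not ready: {ready.get('reason')}: {ready.get('message')}")
    missing = sorted(set(expected_names) - set(spec.get("dnsNames", [])))
    if missing:
        problems.append("dnsNames missing: " + ", ".join(missing))
    not_after = status.get("notAfter")
    if not_after is None:
        problems.append("status.notAfter is not set")
    elif parse_time(not_after) - now < min_remaining:
        problems.append(f"expires within {min_remaining.days} days: {not_after}")
    return problems

if __name__ == "__main__":
    # With a file argument (saved kubectl JSON), check against the current time;
    # without one, check the sample against a fixed date so the result is stable.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else parse_time("2021-12-03T00:00:00Z")
    issues = check_certificate(json.loads(raw), ["example.com", "test.example.com"], now)
    print("\n".join(issues) or "OK")
    sys.exit(1 if issues else 0)
```
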

5. Use the certificate

After the certificate is successfully issued, it is stored in the specified Secret. The following Ingress references that Secret:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: test.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: web
          servicePort: 80
  tls:
  - hosts:
    - test.example.com
    secretName: example-com-crt-secret # Reference the certificate secret