Cert-manager automates the management and issuance of TLS certificates in Kubernetes clusters. It ensures that certificates are valid and updates them when necessary.
A certificate authority resource, such as ClusterIssuer, must be declared in the cluster to start the certificate issuance procedure. It is used to generate signed certificates by honoring certificate signing requests.
For some DNS providers, there are no predefined CusterIssuer resources. Fortunately, cert-manager allows you to write your own webhook.
This solver allows you to use cert-manager with the Nicru API. Documentation on the Nicru API is available here.
First, you must register the application in your personal Nicru account.
After registering, you will receive the app_id
and app_secret
of the OAuth 2.0 protocol, which are needed to get the tokens.
Then you must get 2 tokens: the first token to work with the API, the second token to reissue tokens. You have to run this command to get them:
curl --location --request POST 'https://api.nic.ru/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'password=<YOUR_PASSWORD_FOR_PERSONAL_ACCOUNT>' \
--data-urlencode 'client_id=<YOUR_APP_ID>' \
--data-urlencode 'client_secret=<YOUR_APP_SECRET>' \
--data-urlencode 'username=<YOUR_LOGIN_FOR_PERSONAL_ACCOUNT>' \
--data-urlencode 'scope=.*' \
--data-urlencode 'offline=999999'
You will get an answer
{"refresh_token":"<REFRESH_TOKEN>","expires_in":14400,"access_token":"<ACCESS_TOKEN>","token_type":"Bearer"}
ATTENTION! You should not delete the cert-manager if you are already using it.
Use the following command from the official documentation to install cert-manager in your Kubernetes cluster:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/VERSION/cert-manager.yaml
- where
VERSION
is necessary version (for example, v1.10.1 )
NOTE: The kubernetes resources used to install the Webhook should be deployed within the same namespace as the cert-manager.
git clone https://github.com/flant/cert-manager-webhook-nicru.git
You must also specify your namespace with the cert-manager
.
certManager:
namespace: your-cert-manager-namespace
serviceAccountName: cert-manager
Create the nicru-tokens.yaml
file with the following content:
apiVersion: v1
kind: Secret
metadata:
name: nicru-tokens
namespace: your-cert-manager-namespace
data:
REFRESH_TOKEN: <REFRESH_TOKEN_BASE64_FORMAT>
ACCESS_TOKEN: <ACCESS_TOKEN_BASE64_FORMAT>
APP_ID: <APP_ID>
APP_SECRET: <APP_SECRET>
type: Opaque
Next, run the following commands for the install webhook.
cd cert-manager-webhook-nicru
helm install -n my-namespace-cert-manager nicru-webhook ./helm
Create the certificate.yaml
file with the following contents:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: changeme
namespace: changeme
spec:
secretName: changeme
issuerRef:
name: nicru-dns
kind: ClusterIssuer
dnsNames:
- *.my-domain-test.ru
Error presenting challenge: the server is currently unable to handle the request (post nicru-dns.acme.nic.ru)
This error may indicate that there is a failure to communicate with APIService v1alpha1.acme.nic.ru. In this case, insecureSkipTLSVerify: true
parameter in apiservice.yaml may help.
Please feel free to contact us if you have any questions.
You're also welcome to follow @flant_com to stay informed about all our Open Source initiatives.
Apache License 2.0, see LICENSE.