Skip to content

Dns01 ovh #22

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ggtrd wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Dns01 ovh #22

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
09928c1
add OVH support for cert-manager DNS01 challenge
ggtrd Mar 31, 2026
f83037a
fix chart cert-manager-webhook-ovh
ggtrd Apr 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions modules/chart_cert_manager/kube_objects/clusterissuer.dns01.webhook.ovh.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: ${certificate_email}
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- dns01:
webhook:
groupName: $group_name
solverName: ovh
config:
endpoint: ovh-eu
applicationKey: $application_key
applicationSecretRef:
key: applicationSecret
name: dns-challenge
consumerKey: $consumer_key
podTemplate:
metadata:
labels:
networking/traffic-allowed: "yes"
spec:
tolerations:
- key: "vendor"
operator: "Equal"
value: "cosmotech"
effect: "NoSchedule"
nodeSelector:
"cosmotech.com/tier": "services"
101 changes: 87 additions & 14 deletions modules/chart_cert_manager/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,9 @@ resource "time_sleep" "wait_certmanager_crds" {
}


# 1. CERT-MANAGER
data "template_file" "cert_values" {
template = file("${path.module}/values.yaml")
# 1-0. CERT-MANAGER
data "template_file" "chart_values_cert_manager" {
template = file("${path.module}/values-cert_manager.yaml")
vars = {
service_annotations = yamlencode(var.service_annotations)
}
Expand All @@ -34,13 +34,43 @@ resource "helm_release" "cert_manager" {
create_namespace = true

values = [
data.template_file.cert_values.rendered
data.template_file.chart_values_cert_manager.rendered
]
}


# 1-1. (SITUATIONAL) CERT-MANAGER ADDITIONAL CONFIG FOR SPECIFICS PROVIDERS
# - OVH: install Helm Chart cert-manager-webhooks-ovh
data "template_file" "chart_values_webhook_ovh" {
count = (var.cloud_provider == "kob" && var.dns_challenge_provider == "ovh") ? 1 : 0

template = file("${path.module}/values-cert_manager_webhook_ovh.yaml")
vars = {
group_name = kubernetes_secret.dns_challenge[0].data["groupName"]
certificate_email = var.certificate_email
}
}

resource "helm_release" "cert_manager_webhook_ovh" {
count = (var.cloud_provider == "kob" && var.dns_challenge_provider == "ovh") ? 1 : 0

name = "cert-manager-webhook-ovh"
repository = "https://aureq.github.io/cert-manager-webhook-ovh/"
chart = "cert-manager-webhook-ovh"
version = "0.9.5"
namespace = "cert-manager"
create_namespace = true

values = [
data.template_file.chart_values_webhook_ovh[0].rendered
]

depends_on = [helm_release.cert_manager]
}


# 2. (MAIN) CLUSTER ISSUER HTTP-01
# HTTP-01 challenges : https://cert-manager.io/docs/configuration/acme/http01/
# HTTP-01 challenges : https://cert-manager.io/docs/configuration/acme/http01
data "template_file" "clusterissuer_prod_http01" {
count = var.cloud_provider == "kob" ? 0 : 1

Expand All @@ -62,11 +92,20 @@ resource "kubectl_manifest" "letsencrypt_prod_http01" {


# 2. (BIS) CLUSTER ISSUER DNS-01
# DNS-01 challenges : https://cert-manager.io/docs/configuration/acme/dns01/2
# DNS-01 challenges : https://cert-manager.io/docs/configuration/acme/dns01
#
# Trick here is to duplicate the dns-challenge secret from terraform-onprem from default namespace to cert-manager namespace
# cert-manager requires to have this secret in its namespace.
# This is to avoid creating namespace cert-manager in terraform-onprem
#
# Workflow is:
# -> [terraform-onprem] create DNS01 challenge requirements (examples: API keys, Azure App registration etc...)
# -> [terraform-onprem] create a secret in default/dns-challenge-terraform-onprem which contains the needed values to run a DNS01 challenge with the given provider
# -> [terraform-shared] create the cert-manager namespace
# -> [terraform-shared] copy the secret default/dns-challenge-terraform-onprem to cert-manager/default/dns-challenge
# -> [terraform-shared] optionnally install custom webhooks
# -> [terraform-shared] create ClusterIssuer with specifics provider values stored in the cert-manager/default/dns-challenge
# -> [terraform-shared] run cert-manager to get a certificate
data "kubernetes_secret" "dns_challenge_terraform_onprem" {
metadata {
name = "dns-challenge-terraform-onprem"
Expand All @@ -87,6 +126,7 @@ resource "kubernetes_secret" "dns_challenge" {
type = "Opaque"
}

# ------ AZURE DNS ------
data "template_file" "clusterissuer_prod_dns01_azuredns" {
count = (var.cloud_provider == "kob" && var.dns_challenge_provider == "azure") ? 1 : 0

Expand All @@ -102,14 +142,40 @@ data "template_file" "clusterissuer_prod_dns01_azuredns" {
}

resource "kubectl_manifest" "letsencrypt_prod_dns01_azuredns" {
count = var.cloud_provider == "kob" ? 1 : 0
count = (var.cloud_provider == "kob" && var.dns_challenge_provider == "azure") ? 1 : 0

yaml_body = data.template_file.clusterissuer_prod_dns01_azuredns[0].rendered

depends_on = [
helm_release.cert_manager
]
}
# ------ AZURE DNS ------

# ------ WEBHOOK OVH ------
data "template_file" "clusterissuer_prod_dns01_webhook_ovh" {
count = (var.cloud_provider == "kob" && var.dns_challenge_provider == "ovh") ? 1 : 0

template = file("${path.module}/kube_objects/clusterissuer.dns01.webhook.ovh.yaml")
vars = {
certificate_email = var.certificate_email
group_name = kubernetes_secret.dns_challenge[0].data["groupName"]
application_key = kubernetes_secret.dns_challenge[0].data["applicationKey"]
application_secret = kubernetes_secret.dns_challenge[0].data["applicationSecret"]
consumer_key = kubernetes_secret.dns_challenge[0].data["consumerKey"]
}
}

resource "kubectl_manifest" "letsencrypt_prod_dns01_webhook_ovh" {
count = (var.cloud_provider == "kob" && var.dns_challenge_provider == "ovh") ? 1 : 0

yaml_body = data.template_file.clusterissuer_prod_dns01_webhook_ovh[0].rendered

depends_on = [
helm_release.cert_manager
]
}
# ------ WEBHOOK OVH ------


# 3. CERTIFICATE
Expand All @@ -120,22 +186,29 @@ data "template_file" "certificate" {
}
}

# depends on HTTP01
resource "kubectl_manifest" "certificate" {
count = var.cloud_provider == "kob" ? 0 : 1

yaml_body = data.template_file.certificate.rendered

depends_on = [
kubectl_manifest.letsencrypt_prod_http01[0]
]
depends_on = [kubectl_manifest.letsencrypt_prod_http01[0]]
}

# depends on DNS01 AzureDNS
resource "kubectl_manifest" "certificate_dns01_azuredns" {
count = var.cloud_provider == "kob" ? 1 : 0
count = (var.cloud_provider == "kob" && var.dns_challenge_provider == "azure") ? 1 : 0

yaml_body = data.template_file.certificate.rendered

depends_on = [
kubectl_manifest.letsencrypt_prod_dns01_azuredns[0]
]
depends_on = [kubectl_manifest.letsencrypt_prod_dns01_azuredns[0]]
}

# depends on DNS01 Webhook OVH
resource "kubectl_manifest" "certificate_dns01_webhook_ovh" {
count = (var.cloud_provider == "kob" && var.dns_challenge_provider == "ovh") ? 1 : 0

yaml_body = data.template_file.certificate.rendered

depends_on = [kubectl_manifest.letsencrypt_prod_dns01_webhook_ovh[0]]
}
0 modules/chart_cert_manager/values.yaml → ...art_cert_manager/values-cert_manager.yaml
View file
Open in desktop
File renamed without changes.
32 changes: 32 additions & 0 deletions modules/chart_cert_manager/values-cert_manager_webhook_ovh.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# https://github.com/aureq/cert-manager-webhook-ovh/blob/main/charts/cert-manager-webhook-ovh/values.yaml
groupName: ${group_name}
certManager:
namespace: cert-manager
serviceAccountName: cert-manager
issuers:
- name: letsencrypt-prod
create: false
kind: ClusterIssuer
acmeServerUrl: https://acme-v02.api.letsencrypt.org/directory
email: ${certificate_email}
ovhEndpointName: ovh-eu
ovhAuthenticationMethod: application
ovhAuthenticationRef:
applicationKeyRef:
name: dns-challenge
key: applicationKey
applicationSecretRef:
name: dns-challenge
key: applicationSecret

# podLabels:
# networking/traffic-allowed: "yes"
# nodeSelector:
# cosmotech.com/tier: services
# resources:
# requests:
# cpu: 100m
# memory: 128Mi
# limits:
# cpu: 500m
# memory: 512Mi
11 changes: 6 additions & 5 deletions terraform.tfvars
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,13 @@


# ## VARIABLES EXAMPLE FOR KOB (= On-Premise)
# cloud_provider = "kob"
# cluster_region = ""
# cluster_name = "kob-dev-devops"
# domain_zone = "onpremise.platform.cosmotech.com"
# cloud_provider = "kob"
# cluster_region = ""
# cluster_name = "kob-dev-devops"
# domain_zone = "onpremise.platform.cosmotech.com"
# state_host = "https://cosmotechstates.onpremise.platform.cosmotech.com"
# # DNS01 challenge provider can be "azure", "ovh"
# dns_challenge_provider = "azure"
# state_host = "https://cosmotechstates.onpremise.platform.cosmotech.com"


## COMMON VARIABLES EXAMPLE
Expand Down