Let’s Encrypt Certificates in OpenShift via ACME Webhook using Hetzner DNS
Very useful Helm chart for my lab environment(s) on Hetzner: https://github.com/vadimkim/cert-manager-webhook-hetzner
Fairly easy to roll out, just follow the docs in the repo and keep an eye on the open issues and PRs there; they have described, and often contained solutions for, the issues I ran into.
So, assuming the webhook is running, here are just the small snippets for my Hetzner lab. The ClusterIssuer with the DNS-01 webhook solver:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: <mymail>
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          config:
            apiUrl: https://dns.hetzner.com/api/v1
            secretName: hetzner-dns
            zoneName: out-of-my-head.de
          groupName: ocp4.out-of-my-head.de
          solverName: hetzner
```
The secret that the webhook config references (its name must match `secretName` above; `privateKeySecretRef` is the ACME account key, which cert-manager creates itself):
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: hetzner-dns
  namespace: cert-manager
type: Opaque
stringData:  # plain value; under `data:` the value would have to be base64-encoded
  api-key: one-of-my-hetzner-dns-api-keys
```
Certificates: the typical use case in my lab is a cert for the OCP API as well as a wildcard cert for the ingress. The API cert first:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api
  namespace: openshift-config
spec:
  commonName: api.ocp4.out-of-my-head.de
  dnsNames:
  - api.ocp4.out-of-my-head.de
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  secretName: le-api-cert
```
Once the secret exists (cert-manager writes `le-api-cert` into `openshift-config`, the namespace of the Certificate), let's change the config for the API:
```yaml
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  audit:
    profile: Default
  servingCerts:
    namedCertificates:
    - names:
      - api.ocp4.out-of-my-head.de
      servingCertificate:
        name: le-api-cert
```
Same for the ingress now:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingress
  namespace: openshift-ingress
spec:
  commonName: apps.ocp4.out-of-my-head.de
  dnsNames:
  - apps.ocp4.out-of-my-head.de
  - '*.apps.ocp4.out-of-my-head.de'
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  secretName: le-ingress-cert
```
Let's change the IngressController to present the cert:
```yaml
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  # ...
  defaultCertificate:
    name: le-ingress-cert
  # ...
```
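Everything above hangs together by name only (the webhook's `secretName`, each `issuerRef`, and the `secretName` a Certificate writes into its own namespace), and a mismatch shows up only as a Certificate that never becomes Ready. The following added script (mine, not from the post or the webhook project) cross-checks those references offline on dict copies of the manifests above; `check_refs`, `covers` and the `cm_namespace` parameter are my own names.

```python
MANIFESTS = [  # constructed from this post's manifests as dicts, so no YAML library is needed
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"}, "spec": {"acme": {
        "solvers": [{"dns01": {"webhook": {"config": {"secretName": "hetzner-dns"}}}}]}}},
    {"kind": "Secret", "metadata": {"name": "hetzner-dns", "namespace": "cert-manager"},
     "stringData": {"api-key": "<placeholder>"}},
    {"kind": "Certificate", "metadata": {"name": "api", "namespace": "openshift-config"},
     "spec": {"dnsNames": ["api.ocp4.out-of-my-head.de"], "secretName": "le-api-cert",
              "issuerRef": {"name": "letsencrypt-prod"}}},
    {"kind": "Certificate", "metadata": {"name": "ingress", "namespace": "openshift-ingress"},
     "spec": {"dnsNames": ["apps.ocp4.out-of-my-head.de", "*.apps.ocp4.out-of-my-head.de"],
              "secretName": "le-ingress-cert", "issuerRef": {"name": "letsencrypt-prod"}}},
    {"kind": "APIServer", "metadata": {"name": "cluster"}, "spec": {"servingCerts": {
        "namedCertificates": [{"names": ["api.ocp4.out-of-my-head.de"],
                               "servingCertificate": {"name": "le-api-cert"}}]}}},
    {"kind": "IngressController", "metadata": {"name": "default"},
     "spec": {"defaultCertificate": {"name": "le-ingress-cert"}}},
]

def covers(sans, host):
    """Exact SAN match, or single-label wildcard (*.apps.x covers a.apps.x, not a.b.apps.x)."""
    return any(host == n or (n.startswith("*.") and host.split(".", 1)[1:] == [n[2:]])
               for n in sans)

def check_refs(docs, cm_namespace="cert-manager"):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    secrets = {(d["metadata"]["namespace"], d["metadata"]["name"])
               for d in docs if d["kind"] == "Secret"}
    issuers = {d["metadata"]["name"] for d in docs if d["kind"] == "ClusterIssuer"}
    # cert-manager writes each Certificate's secretName into the Certificate's own namespace
    certs = {(d["metadata"]["namespace"], d["spec"]["secretName"]): d["spec"]["dnsNames"]
             for d in docs if d["kind"] == "Certificate"}
    for d in docs:
        kind, name = d["kind"], d["metadata"]["name"]
        if kind == "ClusterIssuer":  # the webhook reads its API key from cert-manager's namespace
            for s in d["spec"]["acme"]["solvers"]:
                sec = s.get("dns01", {}).get("webhook", {}).get("config", {}).get("secretName")
                if sec and (cm_namespace, sec) not in secrets:
                    problems.append(f"ClusterIssuer {name}: Secret {sec} missing in {cm_namespace}")
        elif kind == "Certificate" and d["spec"]["issuerRef"]["name"] not in issuers:
            problems.append(f"Certificate {name}: unknown issuer {d['spec']['issuerRef']['name']}")
        elif kind == "APIServer":  # named cert must exist in openshift-config and cover each name
            for nc in d["spec"]["servingCerts"]["namedCertificates"]:
                sans = certs.get(("openshift-config", nc["servingCertificate"]["name"]), [])
                problems += [f"APIServer: {h} not covered by {nc['servingCertificate']['name']}"
                             for h in nc["names"] if not covers(sans, h)]
        elif kind == "IngressController":  # default cert must exist in openshift-ingress
            sec = d["spec"]["defaultCertificate"]["name"]
            if ("openshift-ingress", sec) not in certs:
                problems.append(f"IngressController {name}: Secret {sec} missing in openshift-ingress")
    return problems
```

On real files, replace `MANIFESTS` with the documents from `yaml.safe_load_all()` over the applied manifests.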
No more certificate expiry I have to monitor \o/