c4bb8d91b5
After testing the suggested policy both with the AWS policy simulator and by using it with cert-manager I have found that the ARN prefix in the resources included in the statement cause the provider to fail with an access denied error. This new policy is equivalent and valid according to the AWS policy simulator.
129 lines
3.3 KiB
ReStructuredText
129 lines
3.3 KiB
ReStructuredText
========================
|
|
DNS01 Challenge Provider
|
|
========================
|
|
|
|
The ACME issuer can also contain DNS provider configuration, which can be used
|
|
by Certificates using this Issuer in order to validate DNS01 challenge
|
|
requests:
|
|
|
|
.. code-block:: yaml
|
|
:linenos:
|
|
:emphasize-lines: 7
|
|
|
|
apiVersion: certmanager.k8s.io
|
|
kind: Issuer
|
|
metadata:
|
|
name: example-issuer
|
|
spec:
|
|
acme:
|
|
email: user@example.com
|
|
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
|
privateKeySecretRef:
|
|
name: example-issuer-account-key
|
|
dns01:
|
|
providers:
|
|
- name: prod-clouddns
|
|
clouddns:
|
|
serviceAccountSecretRef:
|
|
name: prod-clouddns-svc-acct-secret
|
|
key: service-account.json
|
|
|
|
Each issuer can specify multiple different DNS01 challenge providers, and
|
|
it is also possible to have multiple instances of the same DNS provider on a
|
|
single Issuer (e.g. two clouddns accounts could be set, each with their own
|
|
name).
|
|
|
|
.. _supported-dns01-providers:
|
|
|
|
*************************
|
|
Supported DNS01 providers
|
|
*************************
|
|
|
|
A number of different DNS providers are supported for the ACME issuer. Below is
|
|
a listing of them all, with an example block of configuration:
|
|
|
|
Google CloudDNS
|
|
===============
|
|
|
|
.. code-block:: yaml
|
|
|
|
clouddns:
|
|
serviceAccountSecretRef:
|
|
name: prod-clouddns-svc-acct-secret
|
|
key: service-account.json
|
|
|
|
Amazon Route53
|
|
==============
|
|
|
|
.. code-block:: yaml
|
|
|
|
route53:
|
|
region: eu-west-1
|
|
|
|
# optional if ambient credentials are available; see ambient credentials documentation
|
|
accessKeyID: AKIAIOSFODNN7EXAMPLE
|
|
secretAccessKeySecretRef:
|
|
name: prod-route53-credentials-secret
|
|
key: secret-access-key
|
|
|
|
Cert-manager requires the following IAM policy.
|
|
|
|
.. code-block:: json
|
|
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "route53:GetChange",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "route53:ChangeResourceRecordSets",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": "route53:ListHostedZonesByName",
|
|
"Resource": "*"
|
|
}
|
|
]
|
|
}
|
|
|
|
The ``route53:ListHostedZonesByName`` statement can be removed if you specify
|
|
the optional hosted zone ID (``spec.acme.dns01.providers[].hostedZoneID``) on
|
|
the Issuer resource. You can further tighten this policy by limiting the hosted
|
|
zone that cert-manager has access to (replace ``arn:aws:route53:::hostedzone/*``
|
|
with ``arn:aws:route53:::hostedzone/DIKER8JPL21PSA``, for instance).
|
|
|
|
Cloudflare
|
|
==========
|
|
|
|
.. code-block:: yaml
|
|
|
|
cloudflare:
|
|
email: my-cloudflare-acc@example.com
|
|
apiKeySecretRef:
|
|
name: cloudflare-api-key-secret
|
|
key: api-key
|
|
|
|
Akamai FastDNS
|
|
==============
|
|
|
|
.. code-block:: yaml
|
|
|
|
akamai:
|
|
serviceConsumerDomain: akab-tho6xie2aiteip8p-poith5aej0ughaba.luna.akamaiapis.net
|
|
clientTokenSecretRef:
|
|
name: akamai-dns
|
|
key: clientToken
|
|
clientSecretSecretRef:
|
|
name: akamai-dns
|
|
key: clientSecret
|
|
accessTokenSecretRef:
|
|
name: akamai-dns
|
|
key: accessToken
|
|
|
|
.. _`Let's Encrypt`: https://letsencrypt.org
|