Facilitate a webhook integration for leveraging the STACKIT DNS alongside its API to act as a DNS01 ACME Issuer with cert-manager.

helm repo add stackit-cert-manager-webhook https://stackitcloud.github.io/stackit-cert-manager-webhook helm install stackit-cert-manager-webhook --namespace cert-manager stackit-cert-manager-webhook/stackit-cert-manager-webhook

1. Initiation of STACKIT Service Account Secret:

   kubectl create secret generic stackit-sa-authentication \ -n cert-manager \ --from-literal=sa.json='{ "id": "4e1fe486-b463-4bcd-9210-288854268e34", "publicKey": "-----BEGIN PUBLIC KEY-----\nPUBLIC_KEY\n-----END PUBLIC KEY-----", "createdAt": "2024-04-02T13:12:17.678+00:00", "validUntil": "2024-04-15T22:00:00.000+00:00", "keyType": "USER_MANAGED", "keyOrigin": "GENERATED", "keyAlgorithm": "RSA_2048", "active": true, "credentials":{ "kid": "kid", "iss": "iss", "sub": "sub", "aud": "aud", "privateKey": "-----BEGIN PRIVATE KEY-----\nPRIVATE-KEY==\n-----END PRIVATE KEY-----" }}'

   You now need to adjust the deployment via helm to use the secret:

   helm upgrade stackit-cert-manager-webhook \ --namespace cert-manager \ stackit-cert-manager-webhook/stackit-cert-manager-webhook \ --set stackitSaAuthentication.enabled=true

2. Configuration of ClusterIssuer/Issuer:
   For scenarios wherein zones and record sets are encapsulated within a singular project, utilize a ClusterIssuer:

   apiVersion: cert-manager.io/v1kind: ClusterIssuermetadata: name: letsencrypt-prodspec: acme: server: https://acme-v02.api.letsencrypt.org/directoryemail: [email protected]# Replace this with your email addressprivateKeySecretRef: name: letsencrypt-prodsolvers: - dns01: webhook: solverName: stackitgroupName: acme.stackit.deconfig: projectId: <STACKIT PROJECT ID>

   For diverse project architectures where zones are spread across varying projects, use an Issuer (namespaces are separate):

   apiVersion: cert-manager.io/v1kind: Issuermetadata: name: letsencrypt-prodnamespace: defaultspec: acme: server: https://acme-v02.api.letsencrypt.org/directoryemail: [email protected]# Replace this with your email addressprivateKeySecretRef: name: letsencrypt-prodsolvers: - dns01: webhook: solverName: stackitgroupName: acme.stackit.deconfig: projectId: <STACKIT PROJECT ID>

   Note on service accounts and namespaces:

   • Issuer-per-namespace (recommended for isolation): create a STACKIT service-account key (sa.json) for each STACKIT project you need to manage and place that key in a Kubernetes Secret in the same namespace as the Issuer. This means one sa.json (one SA key) per Issuer/namespace when the Issuers target different STACKIT projects. Example (create a secret in the Issuer namespace):

     kubectl create secret generic stackit-sa-authentication \ -n <issuer-namespace> \ --from-literal=sa.json='{"id":"...","credentials":{...}}'

     Ensure the webhook can read the secret in that namespace (create the secret where the Issuer lives).
   • Alternative (single SA key for multiple projects): you can grant the service account broader permissions at folder or organization level so one sa.json can manage zones across multiple projects. This is more convenient but grants wider access — evaluate security and follow least-privilege principles.
   • Tradeoffs:
     • Per-namespace/per-project SA keys: better isolation and least privilege, easier to rotate keys per project.
     • Folder/org-level SA key: lower operational overhead (single key), but larger blast radius if compromised.

3. Demonstration of Ingress Integration with Wildcard SSL/TLS Certificate Generation
   Given the preceding configuration, it is possible to exploit the capabilities of the Issuer or ClusterIssuer to dynamically produce wildcard SSL/TLS certificates in the following manner:

   apiVersion: cert-manager.io/v1kind: Certificatemetadata: name: wildcard-examplenamespace: defaultspec: secretName: wildcard-example-tlsissuerRef: name: letsencrypt-prodkind: IssuercommonName: '*.example.runs.onstackit.cloud'# project must be the owner of this zoneduration: 8760h0m0sdnsNames: - example.runs.onstackit.cloud - '*.example.runs.onstackit.cloud' --- apiVersion: networking.k8s.io/v1kind: Ingressmetadata: name: app-ingressnamespace: defaultannotations: ingress.kubernetes.io/rewrite-target: /kubernetes.io/ingress.class: "nginx"spec: rules: - host: "app.example.runs.onstackit.cloud"http: paths: - path: /pathType: Prefixbackend: service: name: webappport: number: 80tls: - hosts: - "app.example.runs.onstackit.cloud"secretName: wildcard-example-tls

The following table delineates the configuration options available for the STACKIT Cert Manager Webhook:

apiVersion: cert-manager.io/v1kind: Issuermetadata: name: letsencrypt-prodnamespace: defaultspec: acme: server: https://acme-v02.api.letsencrypt.org/directoryemail: [email protected]# Replace this with your email addressprivateKeySecretRef: name: letsencrypt-prodsolvers: - dns01: webhook: solverName: stackitgroupName: acme.stackit.deconfig: projectId: stringapiBasePath: stringserviceAccountKeyPath: stringserviceAccountBaseUrl: stringacmeTxtRecordTTL: int64

• projectId: The unique identifier for the STACKIT project.
• apiBasePath: The base path for the STACKIT DNS API. (Default: https://dns.api.stackit.cloud)
• serviceAccountKeyPath: The path to the service account key file. The file must be mounted into the container.
• serviceAccountBaseUrl: The base URL for the STACKIT service account API. (Default: https://service-account.api.stackit.cloud/token)
• acmeTxtRecordTTL: The TTL for the ACME TXT record. (Default: 600)

• Unit Testing:

  make test

• Unit Testing with Coverage Analysis:

  make coverage

• Linting:

  make lint

• End-to-End Testing Workflow:
  Follow the comprehensive guide available here.

Our release pipeline leverages goreleaser for the generation and publishing of release assets. This sophisticated approach ensures the streamlined delivery of:

• Pre-compiled binaries tailored for various platforms.
• Docker images optimized for production readiness.

However, one should be cognizant of the fact that goreleaser doesn't inherently support Helm chart distributions as part of its conventional workflow. Historically, the incorporation of Helm charts into our releases demanded manual intervention. Post the foundational release generation via goreleaser, the Helm chart was affixed as an asset through manual processes.
For those interested in the Helm chart creation mechanics, the process was facilitated via the command:

helm package deploy/stackit

To release a new version of the Helm chart, one must meticulously update the appVersion and (chart)version delineation in the Chart.yaml. Post this modification, initiate a new release to encompass these changes.