A webhook to use Linode DNS Manager as a DNS01 ACME Issuer for cert-manager.

helm install cert-manager-webhook-linode \
  --namespace cert-manager \
  https://github.com/linode/cert-manager-webhook-linode/releases/download/v0.4.1/cert-manager-webhook-linode-v0.4.1.tgz

kubectl create secret generic linode-credentials \
  --namespace=cert-manager \
  --from-literal=token=<LINODE TOKEN>

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: example@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        webhook:
          solverName: linode
          groupName: acme.slicen.me

By default, the Linode API token used will be obtained from the linode-credentials Secret in the same namespace as the webhook.
If you would prefer to use separate Linode API tokens for each namespace (e.g. in a multi-tenant environment):

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: example@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        webhook:
          solverName: linode
          groupName: acme.slicen.me
          config:
            apiKeySecretRef:
              name: linode-credentials
              key: token

This webhook supports delegated subdomain zones. When you request a certificate for a domain, the webhook will automatically find the longest matching zone in your Linode DNS Manager.
For example, if you have the following zones configured:
- example.com
- team.example.com
- to.example.com
The webhook will correctly handle certificates for:
- www.example.com → uses zone example.com
- www.team.example.com → uses zone team.example.com
- www.to.example.com → uses zone to.example.com
- team.to.example.com → uses zone to.example.com (cross-zone domain)
- to.team.example.com → uses zone team.example.com (cross-zone domain)
This is particularly useful when you have delegated DNS management for specific subdomains to different zones in Linode DNS Manager.
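
The longest-zone selection described above can be sketched as follows. This is an added example, not the webhook's own code: the names normalize and longestMatchingZone are hypothetical, and the zone list is hard-coded rather than fetched from the Linode API. It compares whole DNS labels, so a name that merely ends in the same characters as a zone (photo.example.com vs. to.example.com) is not written into the wrong zone.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize lower-cases a DNS name and drops the trailing root dot.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// longestMatchingZone is a hypothetical helper (not the webhook's code).
// It returns the most specific zone that contains fqdn, comparing whole labels
// so that "photo.example.com" is never attributed to zone "to.example.com".
func longestMatchingZone(fqdn string, zones []string) (string, bool) {
	known := make(map[string]bool, len(zones))
	for _, z := range zones {
		known[normalize(z)] = true
	}
	labels := strings.Split(normalize(fqdn), ".")
	// Drop one leading label per step: the first hit is the longest zone.
	for i := range labels {
		candidate := strings.Join(labels[i:], ".")
		if known[candidate] {
			return candidate, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample: the three zones from the README example.
	zones := []string{"example.com", "team.example.com", "to.example.com"}
	names := []string{
		"_acme-challenge.www.example.com.",
		"_acme-challenge.team.to.example.com.",
		"_acme-challenge.to.team.example.com.",
		"_acme-challenge.photo.example.com.", // ends in "to.example.com" only as a string
		"_acme-challenge.www.example.org.",   // no zone in this account
	}
	for _, n := range names {
		zone, ok := longestMatchingZone(n, zones)
		fmt.Printf("%-40s zone=%q found=%v\n", n, zone, ok)
	}
}
```

A name with no matching zone returns found=false, so a caller can fail the challenge instead of creating a TXT record in an unrelated zone.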
Conformance testing is achieved through Kubernetes emulation via the kubebuilder-tools suite, in conjunction with real calls to the Linode API on a test domain, using a valid API token.
The test configures a cert-manager-dns01-tests TXT entry, attempts to verify its presence, and removes the entry, thereby verifying the Prepare and CleanUp functions.
Run the test suite with:
export LINODE_TOKEN=$(echo -n "<your API token>" | base64 -w 0)
envsubst < testdata/linode/secret.yaml.example > testdata/linode/secret.yaml
TEST_ZONE_NAME=yourdomain.com. make verify