Merge pull request #98 from vadimkim/rel-1.4.0

Rel 1.4.0

Author: vadimkim

.github/workflows/superlinter.yml

@@ -18,7 +18,7 @@ jobs:
     # Grant status permission for MULTI_STATUS #
     ############################################
     permissions:
-      contents: read
+      contents: write
       packages: read
       statuses: write
 
@@ -27,9 +27,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Lint Code Base
-        uses: docker://ghcr.io/super-linter/super-linter:slim-v7.2.1
+        uses: docker://ghcr.io/super-linter/super-linter:slim-v8.1.0
         with:
           args: --timeout=30m
         env:

Dockerfile

@@ -1,7 +1,8 @@
-FROM golang:1.23-alpine3.20 AS build_deps
+# ---- Build dependencies ----
+FROM golang:1.25-alpine3.22 AS build_deps
 ARG TARGETARCH
 
-RUN apk add --no-cache git=2.45.3-r0
+RUN apk add --no-cache git=2.49.1-r0
 
 WORKDIR /workspace
 ENV GO111MODULE=on
@@ -11,18 +12,27 @@ COPY go.sum .
 
 RUN go mod download
 
+# ---- Build stage ----
 FROM build_deps AS build
 
 COPY . .
 
 RUN CGO_ENABLED=0 GOARCH=$TARGETARCH go build -o webhook -ldflags '-w -extldflags "-static"' .
 
-FROM alpine:3.20
+# ---- Final runtime image ----
+FROM alpine:3.22
 LABEL maintainer="vadimkim <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/vadimkim/cert-manager-webhook-hetzner"
 
-RUN apk add --no-cache ca-certificates=20241121-r1
+# Install minimal runtime
+RUN apk add --no-cache ca-certificates=20250619-r0 \
+    && adduser -D -u 1000 appuser
+USER appuser
 
 COPY --from=build /workspace/webhook /usr/local/bin/webhook
 
 ENTRYPOINT ["webhook"]
+
+# Add healthcheck (adjust endpoint/port if needed)
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD wget --no-verbose --tries=1 --spider http://localhost:8080/healthz || exit 1

README.md

@@ -1,44 +1,52 @@
 # ACME webhook for Hetzner DNS API
 
-This solver can be used when you want to use cert-manager with Hetzner DNS API. API documentation is [here](https://dns.hetzner.com/api-docs)
+This solver can be used when you want to use cert-manager with Hetzner DNS API. API documentation
+is [Hetzner DNS API docs](https://dns.hetzner.com/api-docs)
 
 ## Requirements
--   [go](https://golang.org/) >= 1.13.0
--   [helm](https://helm.sh/) >= v3.0.0
--   [kubernetes](https://kubernetes.io/) >= v1.14.0
--   [cert-manager](https://cert-manager.io/) >= 0.12.0
+
+- [go](https://golang.org/) >= 1.25.0
+- [helm](https://helm.sh/) >= v3.0.0
+- [kubernetes](https://kubernetes.io/) >= v1.14.0
+- [cert-manager](https://cert-manager.io/) >= 0.12.0
 
 ## Installation
 
 ### cert-manager
 
-Follow the [instructions](https://cert-manager.io/docs/installation/) using the cert-manager documentation to install it within your cluster.
+Follow the [instructions](https://cert-manager.io/docs/installation/) using the cert-manager documentation to install it
+within your cluster.
 
 ### Webhook
 
 #### Using public helm chart
+
 ```bash
 helm repo add cert-manager-webhook-hetzner https://vadimkim.github.io/cert-manager-webhook-hetzner
-# Replace the groupName value with your desired domain
-helm install --namespace cert-manager cert-manager-webhook-hetzner cert-manager-webhook-hetzner/cert-manager-webhook-hetzner --set groupName=acme.yourdomain.tld
+helm install --namespace cert-manager cert-manager-webhook-hetzner cert-manager-webhook-hetzner/cert-manager-webhook-hetzner
 ```
 
 #### From local checkout
 
 ```bash
 helm install --namespace cert-manager cert-manager-webhook-hetzner deploy/cert-manager-webhook-hetzner
 ```
-**Note**: The kubernetes resources used to install the Webhook should be deployed within the same namespace as the cert-manager.
+
+**Note**: The kubernetes resources used to install the Webhook should be deployed within the same namespace as the
+cert-manager.
 
 To uninstall the webhook run
+
 ```bash
 helm uninstall --namespace cert-manager cert-manager-webhook-hetzner
 ```
 
 ## Issuer
 
 Create a `ClusterIssuer` or `Issuer` resource as following:
-(Keep in Mind that the Example uses the Staging URL from Let's Encrypt. Look at [Getting Start](https://letsencrypt.org/getting-started/) for using the normal Let's Encrypt URL.)
+(Keep in Mind that the Example uses the Staging URL from Let's Encrypt. Look
+at [Getting Start](https://letsencrypt.org/getting-started/) for using the normal Let's Encrypt URL.)
+
 ```yaml
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
@@ -59,8 +67,7 @@ spec:
     solvers:
       - dns01:
           webhook:
-            # This group needs to be configured when installing the helm package, otherwise the webhook won't have permission to create an ACME challenge for this API group.
-            groupName: acme.yourdomain.tld
+            groupName: hetzner.cert-mananger-webhook.noshoes.xyz
             solverName: hetzner
             config:
               secretName: hetzner-secret
@@ -69,11 +76,15 @@ spec:
 ```
 
 ### Credentials
+
 In order to access the Hetzner API, the webhook needs an API token.
 
-If you choose another name for the secret than `hetzner-secret`, you must install the chart with a modified `secretName` value. Policies ensure that no other secrets can be read by the webhook. Also modify the value of `secretName` in the `[Cluster]Issuer`.
+If you choose another name for the secret than `hetzner-secret`, you must install the chart with a modified `secretName`
+value. Policies ensure that no other secrets can be read by the webhook. Also modify the value of `secretName` in the
+`[Cluster]Issuer`.
 
 The secret for the example above will look like this:
+
 ```yaml
 apiVersion: v1
 kind: Secret
@@ -115,9 +126,10 @@ else they will have undetermined behaviour when used with cert-manager.
 **It is essential that you configure and run the test suite when creating a
 DNS01 webhook.**
 
-First, you need to have Hetzner account with access to DNS control panel. You need to create API token and have a registered and verified DNS zone there.
+First, you need to have Hetzner account with access to DNS control panel. You need to create API token and have a
+registered and verified DNS zone there.
 Then you need to replace `zoneName` parameter at `testdata/hetzner/config.json` file with actual one.
-You also must encode your api token into base64 and put the hash into `testdata/hetzner/hetzner-secret.yml` file.
+You also must encode your API token into base64 and put the hash into `testdata/hetzner/hetzner-secret.yml` file.
 
 You can then run the test suite with:
 
@@ -131,11 +143,13 @@ TEST_ZONE_NAME=example.com. make verify
 ## Creating new package
 
 To build new Docker image for multiple architectures and push it to hub:
+
 ```shell
 docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 -t zmejg/cert-manager-webhook-hetzner:1.2.0 . --push
 ```
 
 To compile and publish new Helm chart version:
+
 ```shell
 helm package deploy/cert-manager-webhook-hetzner
 git checkout gh-pages

deploy/cert-manager-webhook-hetzner/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cert-manager-webhook-hetzner
-version: 1.3.3
-appVersion: "1.3.3"
+version: 1.4.0
+appVersion: "1.4.0"
 kubeVersion: ">= 1.22.0-0"
 description: Allow cert-manager to solve DNS challenges using Hetzner DNS API
 home: https://github.com/vadimkim/cert-manager-webhook-hetzner

deploy/cert-manager-webhook-hetzner/values.yaml

@@ -1,12 +1,6 @@
-# The GroupName here is used to identify your company or business unit that
-# created this webhook.
-# For example, this may be "acme.mycompany.com".
-# This name will need to be referenced in each Issuer's `webhook` stanza to
-# inform cert-manager of where to send ChallengePayload resources in order to
-# solve the DNS01 challenge.
-# This group name should be **unique**, hence using your own company's domain
-# here is recommended.FROM golang:1.14.0-alpine AS build_deps
-groupName: acme.yourdomain.tld
+# The kubernetes api group under which the webhook will be exposed. There is no need to
+# modify this value unless you are facing a collision in your api services.
+groupName: hetzner.cert-mananger-webhook.noshoes.xyz
 
 certManager:
   namespace: cert-manager
@@ -39,7 +33,7 @@ resources: {}
   #  memory: 128Mi
   # requests:
   #  cpu: 100m
-  #  memory: 128Mi
+#  memory: 128Mi
 
 nodeSelector: {}