Conversation

@agonzalezrh
Collaborator

SUMMARY

ACME Bifrost is an internal RHDP project acting as a gateway to generate SSL certificates from different providers (zerossl, zerossl rest api, google ssl and letsencrypt).

ISSUE TYPE
  • Feature Pull Request

COMPONENT NAME

ocp4_workload_cert_manager role

Changes:
- Add acme-bifrost as cloud_provider option for DNS-01 challenges
- Create webhook_acme_bifrost.yaml.j2 template for webhook deployment
- Add task to deploy webhook when using acme-bifrost provider
- Update ClusterIssuer templates to support webhook solver
- Add variables for gateway URL and webhook image

The acme-bifrost integration allows cert-manager to issue certificates
via a custom ACME gateway that proxies to Let's Encrypt or ZeroSSL,
using a webhook for DNS-01 challenge coordination with AWS Route53.

Webhook image: quay.io/agonzalezrh/acme-bifrost-webhook:v0.0.1
- Add ClusterRole allowing cert-manager to create webhook solver resources
- Add ClusterRoleBinding granting permission to cert-manager service account
- This fixes the 'forbidden' error when cert-manager tries to create gateway-passthrough resources
… direct zoneID

- Add ClusterRole for cert-manager to create webhook solver resources
- Add ClusterRole for webhook to create subjectaccessreviews (API aggregation)
- Change from zoneIDSecretRef to direct zoneID value in ClusterIssuers
- Update webhook template to match webhook/deploy.yaml structure

All RBAC and configuration issues resolved. Webhook authentication working correctly.
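As an added illustration, not a template from this PR or from the ocp4_workload_cert_manager role: the shape of a cert-manager ClusterIssuer that uses a DNS-01 webhook solver with a direct zoneID value, together with the two ClusterRoles the description lists (one letting cert-manager create the webhook's solver resources, one letting the aggregated webhook create SubjectAccessReviews). The gateway URL, the webhook API group name, the ClusterRole names, the namespaces and service account names are placeholders; the resource name gateway-passthrough is an assumption taken from the 'forbidden' error quoted above, since cert-manager creates its ChallengePayload under the solverName in the webhook's API group.

```yaml
# Added example manifests, not the role's own webhook/ClusterIssuer templates.
# Assumptions/placeholders: gateway URL, webhook groupName, the solverName
# "gateway-passthrough" (inferred from the forbidden error in the PR text),
# ClusterRole names, and the cert-manager / webhook namespaces and SA names.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-acme-bifrost                # assumed issuer name
spec:
  acme:
    server: https://acme-bifrost.example.com/directory   # placeholder gateway URL
    email: certs@example.com                              # placeholder
    privateKeySecretRef:
      name: letsencrypt-acme-bifrost-account-key
    solvers:
      - dns01:
          webhook:
            groupName: acme-bifrost.example.com   # assumed API group served by the webhook
            solverName: gateway-passthrough        # assumed, from the PR's error text
            config:
              # direct value instead of a zoneIDSecretRef, as this PR changes it
              zoneID: Z0000000000EXAMPLE           # placeholder Route53 hosted zone ID
---
# Grants cert-manager only what the webhook flow needs: create on the one
# solver resource in the webhook's group, rather than wildcard verbs/resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-acme-bifrost-solver
rules:
  - apiGroups: ["acme-bifrost.example.com"]     # same as groupName above
    resources: ["gateway-passthrough"]           # same as solverName above
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-acme-bifrost-solver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-acme-bifrost-solver
subjects:
  - kind: ServiceAccount
    name: cert-manager            # assumed controller service account
    namespace: cert-manager       # assumed namespace
---
# The webhook is an aggregated API server and authorizes callers by
# delegating to the kube-apiserver, so it must be able to create
# SubjectAccessReviews.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: acme-bifrost-webhook-auth-delegator
rules:
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: acme-bifrost-webhook-auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: acme-bifrost-webhook-auth-delegator
subjects:
  - kind: ServiceAccount
    name: acme-bifrost-webhook    # assumed webhook service account
    namespace: cert-manager       # assumed namespace
```

Before raising a Certificate, the RBAC half can be checked without a challenge round-trip, e.g. `kubectl auth can-i create gateway-passthrough.acme-bifrost.example.com --as=system:serviceaccount:cert-manager:cert-manager` should answer `yes` once the binding is in place (substituting the real group, namespace and account names). Keeping the rule scoped to a single group, resource and verb means a compromise of the cert-manager account does not turn into broad write access to the webhook's API; the hosted zone ID itself is not secret, so moving it from a Secret reference to a plain value does not change the credential exposure, which still rests on whatever Route53 credentials the webhook holds.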
@agonzalezrh agonzalezrh merged commit b41debe into development Dec 22, 2025
3 checks passed
@agonzalezrh agonzalezrh deleted the cert-manager-acme-bifrost branch December 22, 2025 09:48