Creating an ACME resolver webhook for responses to DNS01 checks
To pass checks for domain rights automatically using the cert-manager utility, add a webhook with a DNS01 resolver to the utility configuration.
Below, we have an example of creating a ClusterIssuer object with a DNS01 resolver webhook for a domain registered in Yandex Cloud DNS.
To run a webhook in a Managed Service for Kubernetes cluster:
- Set up the Managed Service for Kubernetes cluster.
- Install the latest version of the certificate manager.
- Install the Helm package manager.
- Install and run a webhook in a Managed Service for Kubernetes cluster.
- Delete the resources you created.
Note
The certificate manager with the ACME webhook for Yandex Cloud DNS supports Wildcard certificates.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.
Learn more about clouds and folders.
Prepare the environment
-
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
-
Install kubectl, which is the command line interface for Kubernetes.
-
Make sure you have enough resources available in the cloud.
-
If you do not have a network yet, create one.
-
If you do not have any subnets yet, create them in the availability zones where your Managed Service for Kubernetes cluster and node group will be created.
-
-
sa-kuberneteswith the following roles:k8s.clusters.agentandvpc.publicAdminfor the folder where the Managed Service for Kubernetes is created.container-registry.images.pullerfor the folder containing a Docker image registry.
On behalf of this service account, resources your cluster needs will be created and Managed Service for Kubernetes nodes will pull the required Docker images from the registry.
-
sa-dns-editorwith thedns.editorrole for the folder containing the public zone. This service account will be used to create DNS resource records.
-
Prepare your Managed Service for Kubernetes cluster
Create a Managed Service for Kubernetes cluster
To create a Managed Service for Kubernetes cluster:
- In the management console, select the folder where you want to create a Managed Service for Kubernetes cluster.
- Select Managed Service for Kubernetes.
- Click Create cluster.
- Enter the name for the cluster:
kubernetes-cluster-wh. - Service account for resources: Specify the
sa-kubernetesservice account that will be used to create resources. - Service account for nodes: Specify the
sa-kubernetesservice account the Managed Service for Kubernetes nodes will use to access the Docker image registry. - Specify a release channel. You will not be able to edit this setting once you create a Managed Service for Kubernetes cluster.
- Under Master configuration:
- Kubernetes version: Select a Kubernetes version to install on the Managed Service for Kubernetes master. It must match the Kubernetes command line version.
- Public address: Select the IP address assignment method:
Auto: Assign a random IP address from the Yandex Cloud IP pool.
- Type of master: Select the master type:
Zonal: To create a single master host in the selected availability zone. Specify a cloud network and select a subnet for the master host.Regional: To create a single master host in each availability zone. Specify a cloud network and subnet for each availability zone.
- Select security groups for the Managed Service for Kubernetes cluster's network traffic.
- Under Cluster network settings:
- Click Create.
- Wait for the cluster status to change to
Runningand its state toHealthy.
Add credentials to the kubectl configuration file
To add Managed Service for Kubernetes cluster credentials to the kubectl configuration file:
-
Run this command:
yc managed-kubernetes cluster get-credentials kubernetes-cluster-wh --externalBy default, credentials are added to the
$HOME/.kube/configdirectory. If you need to change the configuration location, use--kubeconfig <file_path>. -
Check the
kubectlconfiguration after adding the credentials:kubectl config viewResult:
apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED ...
Create a node group
To create a Managed Service for Kubernetes node group:
-
In the management console, select the folder where the required Managed Service for Kubernetes cluster was created.
-
In the list of services, select Managed Service for Kubernetes.
-
Select the
kubernetes-cluster-whcluster. -
On the cluster page, go to Nodes manager.
-
Click Create a node group.
-
Enter a name and description for the Managed Service for Kubernetes node group.
-
In the Kubernetes version field, select a Kubernetes version for Managed Service for Kubernetes nodes.
-
Under Scaling, select its type:
Fixed, to keep the number of nodes in the Managed Service for Kubernetes group constant. Specify the number of nodes in the Managed Service for Kubernetes group.Automatic, to control the number of nodes in the Managed Service for Kubernetes group via Managed Service for Kubernetes cluster autoscaling.
-
Under Allow when creating and updating, specify the maximum number of instances by which you can exceed or reduce the size of the Managed Service for Kubernetes group.
-
Under Computing resources:
- Choose a platform.
- Specify the required number of vCPUs, guaranteed vCPU performance, and the amount of RAM.
-
Under Storage:
-
Specify the Disk type for the Managed Service for Kubernetes group nodes:
HDD: Standard network drive; network block storage on an HDD.SSD: Fast network drive; network block storage on an SSD.Non-replicated SSD: Network drive with enhanced performance achieved by removing redundancy. You can only change the size of this type of disk in 93 GB increments.SSD IO: Network drive with the same performance characteristics asNon-replicated SSD, plus redundancy. You can only change the size of this type of disk in 93 GB increments.
For more information about disk types, see the Yandex Compute Cloud documentation.
-
Specify the disk size for the Managed Service for Kubernetes group nodes.
-
-
Under Network settings:
- In the Public address field, choose a method for IP address assignment:
Auto: Assign a random IP address from the Yandex Cloud IP pool.
- Select security groups.
- Select an availability zone and subnet to deploy the Managed Service for Kubernetes group nodes in.
- In the Public address field, choose a method for IP address assignment:
-
Under Access, specify the information required to access the Managed Service for Kubernetes group nodes over SSH:
- Login: Enter the username.
- SSH key: Insert the contents of the public key file.
-
Click Create.
-
Wait for the node group status to change to
Running.
Install the latest version of the certificate manager
-
Install the latest version of the certificate manager configured to issue Let's Encrypt certificates. For example, run the following command for version 1.21.1:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.1/cert-manager.yaml -
Make sure that the
cert-managernamespace has three pods, all of them being1/1ready and with theRunningstatus:kubectl get pods -n cert-manager --watchResult:
NAME READY STATUS RESTARTS AGE cert-manager-69********-ghw6s 1/1 Running 0 54s cert-manager-cainjector-76********-gnrzz 1/1 Running 0 55s cert-manager-webhook-77********-wz9bh 1/1 Running 0 54s
Install the Helm package manager
Install Helm to manage packages on your Kubernetes cluster.
Install and run a webhook in a Managed Service for Kubernetes cluster
Install a webhook
-
Clone the webhook's repository:
git clone https://github.com/yandex-cloud/cert-manager-webhook-yandex.git -
Install the webhook using Helm:
helm install -n cert-manager yandex-webhook ./deploy/cert-manager-webhook-yandex
Prepare configuration files
-
Create an authorized key for the
sa-dns-editorservice account and save it to theiamkey.jsonfile:yc iam key create iamkey \ --service-account-id=<service_account_ID> \ --format=json \ --output=iamkey.json -
Create a secret with the key of the service account:
kubectl create secret generic cert-manager-secret --from-file=iamkey.json -n cert-manager -
Create the
cluster-issuer.ymlfile with theClusterIssuerobject manifest:apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: clusterissuer namespace: default spec: acme: # You must replace this email address with your own. # Let's Encrypt will use this to contact you about expiring # certificates, and issues related to your account. email: your@email.com server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: # Secret resource that will be used to store the account's private key. name: secret-ref solvers: - dns01: webhook: config: # ID of the folder the dns-zone is located in folder: <folder_ID> # This is the secret used to access the service account serviceAccountSecretRef: name: cert-manager-secret key: iamkey.json groupName: acme.cloud.yandex.com solverName: yandex-cloud-dns -
Create the
cluster-certificate.ymlfile with theCertificateobject manifest:apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: your-site-com namespace: default spec: secretName: example-com-secret issuerRef: # The issuer created previously name: clusterissuer kind: ClusterIssuer dnsNames: - your-site.com
Run the certificate manager with the webhook
-
Create objects in a Kubernetes cluster:
kubectl apply -f cluster-issuer.yml && \ kubectl apply -f cluster-certificate.yml -
Check that the webhook is running:
kubectl get pods -n cert-manager --watchMake sure the records contain the ACME webhook for Yandex Cloud DNS:
NAME READY STATUS RESTARTS AGE ... yandex-webhook-cert-manager-webhook-yandex-5578cfb98-tw4mq 1/1 Running 1 43h
Delete the resources you created
If you no longer need the resources you created, delete the Managed Service for Kubernetes cluster.