DNS Challenge for Let's Encrypt® certificates in Yandex Managed Service for Kubernetes
To add a DNS Challenge when issuing Let's Encrypt® certificates:
If you no longer need the resources you created, delete them.
Required paid resources
The support cost includes:
- Fee for the Managed Service for Kubernetes cluster: using the master and outgoing traffic (see Managed Service for Kubernetes pricing).
- Cluster nodes (VM) fee: using computing resources, operating system, and storage (see Compute Cloud pricing).
- Fee for a public IP address assigned to cluster nodes (see Virtual Private Cloud pricing).
- Fee for a DNS zone and DNS requests (see Cloud DNS pricing).
Getting started
-
Create a service account with the
dns.editorrole for the folder the domain zone will be in. -
Create an authorized key for the service account and save it to JSON file:
yc iam key create \ --service-account-name <service_account_name> \ --format json \ --output key.json -
Register a public domain zone and delegate your domain. A Let's Encrypt® certificate will be issued for the domain in this zone after you pass the DNS-01 challenge.
-
Create security groups for the Managed Service for Kubernetes cluster and its node groups.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
-
Create a Managed Service for Kubernetes cluster and a node group in any suitable configuration. When creating them, specify the security groups prepared earlier.
-
Install kubect and configure it to work with the new cluster.
Create a certificate
-
Install the cert-manager app with the Yandex Cloud DNS ACME webhook plugin by following this guide.
During the installation, specify the service account and the authorized key created at the Getting started step.
-
Create a file named
certificate.yaml:apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: example-com namespace: default spec: secretName: example-com-secret issuerRef: # The issuer created previously name: yc-clusterissuer kind: ClusterIssuer dnsNames: - <domain_name> -
Provide the certificate to the Managed Service for Kubernetes cluster:
kubectl apply -f certificate.yaml
Check the result
-
Check if the certificate is available:
kubectl get certificate example-comResult:
NAME READY SECRET AGE example-com True example-com-secret 24hThe
Truestatus in theREADYcolumn means that the certificate was issued successfully. -
(Optional) Get detailed information about the certificate:
kubectl -n default describe certificate example-comThe command output will contain similar events:
Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Issuing ... cert-manager-certificates-trigger Issuing certificate as Secret does not exist Normal Generated ... cert-manager-certificates-key-manager Stored new private key in temporary Secret resource...Certificates are used bundled with related Kubernetes secrets, which store key pairs and service information. If there is no secret, the certificate is reissued automatically and a new secret is created – with a notification in the events. For more information on what can cause the reissue of a certificate, see the cert-manager documentation.
As the certificate is being issued for the first time, it has no such related secret so far. The presence of notification events about the fact should not be considered an error.
Delete the resources you created
Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need: