Installing an NGINX Ingress controller with a Let's Encrypt® certificate manager in Yandex Managed Service for Kubernetes
To create an NGINX ingress controller with a Let's Encrypt® certificate:
- Install the NGINX ingress controller.
- Set up a DNS record for the ingress controller.
- Install the certificate manager.
- Create a ClusterIssuer.
- Create objects to test cert-manager.
- Test TLS.
If you no longer need the resources you created, delete them.
Required paid resources
The support cost for this solution includes:
- Fee for a DNS zone and DNS requests (see Cloud DNS pricing).
- Fee for using the master and outgoing traffic in a Managed Service for Kubernetes cluster (see Managed Service for Kubernetes pricing).
- Fee for using computing resources, OS, and storage in cluster nodes (VMs) (see Compute Cloud pricing).
- Fee for an NLB (see Network Load Balancer pricing).
- Fee for public IP addresses, if assigned to cluster nodes, and a public IP address for an NLB (see Virtual Private Cloud pricing).
Getting started
- Create a service account with the k8s.clusters.agent, vpc.publicAdmin, container-registry.images.puller, and load-balancer.admin roles for the folder. It needs the load-balancer.admin role to create a network load balancer.
- Create security groups for the Managed Service for Kubernetes cluster and its node groups.

  Warning

  The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
- Add the following rules to the security group applied to the node group:
  - Rule for inbound traffic to allow certificate checking via a cert-manager webhook:
    - Port range: 10250
    - Protocol: TCP
    - Destination name: CIDR
    - CIDR blocks: 0.0.0.0/0
  - Rule for outbound traffic to allow connection to Let's Encrypt® servers for issuing certificates:
    - Port range: 443
    - Protocol: TCP
    - Destination name: CIDR
    - CIDR blocks: 0.0.0.0/0
- Create a Managed Service for Kubernetes cluster and node group with any suitable configuration. In the cluster settings, specify the service account and the security groups created earlier.
- Install kubectl and configure it to work with the new cluster.
- Optionally, install ExternalDNS with a plugin for Yandex Cloud DNS to automatically create a DNS record in Yandex Cloud DNS when creating an Ingress controller.
Install the NGINX ingress controller
Install Ingress NGINX from Cloud Marketplace by following this guide.
- To install a Helm chart with the NGINX ingress controller, run this command:

  ```bash
  helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx && \
  helm repo update && \
  helm install ingress-nginx ingress-nginx/ingress-nginx
  ```

  The created controller will be installed behind the Yandex Network Load Balancer.

  To set up the controller configuration yourself, follow the steps provided in this Helm guide.

  To forward specific ports when installing the NGINX ingress controller, follow this guide.
Set up a DNS record for the ingress controller
If you are using ExternalDNS with the Cloud DNS plugin, you do not need to set up a DNS record since it is created automatically. Otherwise:
- Get the IP address of the ingress controller (the value in the EXTERNAL-IP column):

  ```bash
  kubectl get svc
  ```

  Result:

  ```text
  NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
  ...
  ingress-nginx-controller   LoadBalancer   10.96.164.252   84.201.153.122   80:31248/TCP,443:31151/TCP   2m19s
  ...
  ```
- Add an A record pointing to the ingress controller public IP address to your DNS provider or to your own DNS server:

  ```text
  <your_domain> IN A <ingress_controller_IP_address>
  ```
Install the certificate manager
You can install the certificate manager in one of the following ways:
- Using Yandex Cloud Marketplace: to install cert-manager integrated with Cloud DNS. This will create a ClusterIssuer object in the cluster, configured to pass the DNS-01 challenge using Cloud DNS. You can manually create and configure other objects, such as Issuer or ClusterIssuer, if required. For more information about these objects, see this cert-manager article.
- Manually: to install cert-manager with no additional integrations. You will need to create and configure any Issuer and ClusterIssuer objects manually.
Install cert-manager with the Cloud DNS ACME webhook plugin by following this guide.

- Install the latest version of cert-manager. For example, run the following command for version 1.12.1:

  ```bash
  kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.1/cert-manager.yaml
  ```
- Make sure the cert-manager namespace has three pods, all of them 1/1 ready and Running:

  ```bash
  kubectl get pods -n cert-manager --watch
  ```

  Result:

  ```text
  NAME                                       READY   STATUS    RESTARTS   AGE
  cert-manager-69********-ghw6s              1/1     Running   0          54s
  cert-manager-cainjector-76********-gnrzz   1/1     Running   0          55s
  cert-manager-webhook-77********-wz9bh      1/1     Running   0          54s
  ```
Create a ClusterIssuer
Certificates will be issued after you pass the HTTP-01 challenge.
Create an object with the required settings:
- Create the http01-clusterissuer.yaml file with the object manifest:

  ```yaml
  apiVersion: cert-manager.io/v1
  kind: ClusterIssuer
  metadata:
    name: http01-clusterissuer
  spec:
    acme:
      server: https://acme-v02.api.letsencrypt.org/directory
      email: <your_email>
      privateKeySecretRef:
        name: http01-clusterissuer-secret
      solvers:
        - http01:
            ingress:
              class: nginx
  ```
- Create the object in the Managed Service for Kubernetes cluster:

  ```bash
  kubectl apply -f http01-clusterissuer.yaml
  ```
Create objects to test cert-manager
To test the certificate manager, create the Ingress, Service, and Deployment objects:
- Create the app.yaml file with manifests for the Ingress, Service, and Deployment objects:

  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: minimal-ingress
    annotations:
      cert-manager.io/cluster-issuer: "http01-clusterissuer"
  spec:
    ingressClassName: nginx
    tls:
      - hosts:
          - <your_domain_URL>
        secretName: domain-name-secret
    rules:
      - host: <your_domain_URL>
        http:
          paths:
            - path: /
              pathType: Prefix
              backend:
                service:
                  name: app
                  port:
                    number: 80
  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: app
  spec:
    selector:
      app: app
    ports:
      - protocol: TCP
        port: 80
        targetPort: 80
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: app-deployment
    labels:
      app: app
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: app
    template:
      metadata:
        labels:
          app: app
      spec:
        containers:
          - name: app
            image: nginx:latest
            ports:
              - containerPort: 80
  ```
- Create the objects in the Managed Service for Kubernetes cluster:

  ```bash
  kubectl apply -f app.yaml
  ```
Test TLS
- Make sure the domain ownership verification was successful and the certificate has changed its status to Issued:

  ```bash
  kubectl describe certificate domain-name-secret
  ```

  The command output will contain similar events:

  ```text
  Events:
    Type    Reason     Age   From                                    Message
    ----    ------     ---   ----                                    -------
    Normal  Issuing    ...   cert-manager-certificates-trigger       Issuing certificate as Secret does not exist
    Normal  Generated  ...   cert-manager-certificates-key-manager   Stored new private key in temporary Secret resource...
  ```

  Certificates are used bundled with related Kubernetes secrets, which store key pairs and service information. If there is no secret, the certificate is reissued automatically and a new secret is created, with a notification in the events. For more information on what can cause the reissue of a certificate, see the cert-manager documentation. As the certificate is being issued for the first time, it has no such related secret so far. Notification events about this should not be considered an error.

  Note

  Domain ownership verification for a Let's Encrypt® certificate may take several hours.
- Run this command:

  ```bash
  curl https://<your_domain>
  ```

  Result:

  ```html
  <!DOCTYPE html>
  <html>
  <head>
  <title>Welcome to nginx!</title>
  <style>
  html { color-scheme: light dark; }
  body { width: 35em; margin: 0 auto;
  font-family: Tahoma, Verdana, Arial, sans-serif; }
  </style>
  </head>
  <body>
  <h1>Welcome to nginx!</h1>
  <p>If you see this page, the nginx web server is successfully installed and
  working. Further configuration is required.</p>

  <p>For online documentation and support please refer to
  <a href="http://nginx.org/">nginx.org</a>.<br/>
  Commercial support is available at
  <a href="http://nginx.com/">nginx.com</a>.</p>

  <p><em>Thank you for using nginx.</em></p>
  </body>
  </html>
  ```
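The checks above (EXTERNAL-IP from kubectl get svc, the A record, three ready cert-manager pods, and a certificate actually issued by Let's Encrypt) can be scripted so they are repeatable after every deployment. The script below is an added example and is not part of the Yandex Cloud documentation, ingress-nginx, or cert-manager. The helper names, the `--live` mode, and the use of `getent hosts` and `openssl s_client` to resolve the domain and fetch the served certificate are assumptions; the sample outputs embedded in the script are constructed to match the shape of the results shown on this page. The `issuer_is_letsencrypt` check also catches the common failure mode in which the challenge has not completed yet and the ingress controller still serves its own self-signed default certificate.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud docs, ingress-nginx, or cert-manager):
# scripted versions of the checks performed by hand in the steps above.
# Usage:   sh verify_ingress_tls.sh --live <your_domain>
# Without arguments it only defines the helpers and constructed sample data.

# Print the EXTERNAL-IP of the ingress-nginx-controller Service.
# Input on stdin: output of `kubectl get svc`.
external_ip_from_svc() {
  awk '$1 == "ingress-nginx-controller" && $2 == "LoadBalancer" { print $4 }'
}

# Count cert-manager pods that are Running with all containers ready (e.g. 1/1).
# Input on stdin: output of `kubectl get pods -n cert-manager`.
ready_cert_manager_pods() {
  awk 'NR > 1 && $3 == "Running" {
         split($2, r, "/"); if (r[1] == r[2] && r[1] != "0") n++
       }
       END { print n + 0 }'
}

# Succeed if the issuer line from `openssl x509 -noout -issuer` names
# Let's Encrypt. Matches both "O = Let's Encrypt" (OpenSSL 1.1+) and the
# older "/O=Let's Encrypt" spelling.
issuer_is_letsencrypt() {
  grep -q "O *= *Let's Encrypt"
}

# Constructed sample outputs, shaped like the results shown on this page.
SAMPLE_SVC='NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   10.96.164.252   84.201.153.122   80:31248/TCP,443:31151/TCP   2m19s'

SAMPLE_PODS_OK='NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-69xxxxxxxx-ghw6s              1/1     Running   0          54s
cert-manager-cainjector-76xxxxxxxx-gnrzz   1/1     Running   0          55s
cert-manager-webhook-77xxxxxxxx-wz9bh      1/1     Running   0          54s'

# Same namespace while the webhook pod is still starting: only two pods count.
SAMPLE_PODS_STARTING='NAME                                       READY   STATUS              RESTARTS   AGE
cert-manager-69xxxxxxxx-ghw6s              1/1     Running             0          54s
cert-manager-cainjector-76xxxxxxxx-gnrzz   1/1     Running             0          55s
cert-manager-webhook-77xxxxxxxx-wz9bh      0/1     ContainerCreating   0          54s'

# Constructed issuer lines: one from Let's Encrypt, one from the self-signed
# default certificate ingress-nginx serves before cert-manager has issued anything.
SAMPLE_ISSUER="issuer=C = US, O = Let's Encrypt, CN = R3"
SAMPLE_ISSUER_FAKE="issuer=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate"

# Live checks against the cluster and the public endpoint (assumed tooling:
# kubectl, getent, openssl). Returns non-zero on the first failed check.
check_live() {
  domain=$1
  lb_ip=$(kubectl get svc | external_ip_from_svc)
  dns_ip=$(getent hosts "$domain" | awk 'NR == 1 { print $1 }')
  if [ -z "$lb_ip" ] || [ "$lb_ip" != "$dns_ip" ]; then
    echo "FAIL: A record for $domain ($dns_ip) does not match ingress EXTERNAL-IP ($lb_ip)"
    return 1
  fi
  ready=$(kubectl get pods -n cert-manager | ready_cert_manager_pods)
  if [ "$ready" -ne 3 ]; then
    echo "FAIL: expected 3 ready cert-manager pods, found $ready"
    return 1
  fi
  # Fetch the leaf certificate actually served for the domain (SNI set).
  leaf=$(openssl s_client -servername "$domain" -connect "$domain:443" </dev/null 2>/dev/null | openssl x509)
  if ! printf '%s\n' "$leaf" | openssl x509 -noout -issuer | issuer_is_letsencrypt; then
    echo "FAIL: served certificate is not from Let's Encrypt (HTTP-01 challenge not passed yet?)"
    printf '%s\n' "$leaf" | openssl x509 -noout -subject -issuer
    return 1
  fi
  # -checkend 2592000: non-zero if the certificate expires within 30 days,
  # which would mean cert-manager's automatic renewal is not working.
  if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkend 2592000 >/dev/null; then
    echo "WARN: certificate expires within 30 days; check that cert-manager can renew it"
  fi
  echo "OK: $domain resolves to the ingress load balancer and serves a Let's Encrypt certificate"
}

case "${1:-}" in
  --live) check_live "${2:?usage: $0 --live <your_domain>}" ;;
esac
```

Run it as `sh verify_ingress_tls.sh --live <your_domain>` after the `kubectl apply -f app.yaml` step; a "FAIL" on the issuer check while the Certificate events still show "Issuing" simply means the HTTP-01 challenge has not completed yet, which, as the note above says, can take a while.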
Delete the resources you created
Some resources are not free of charge. Delete the resources you no longer need to avoid paying for them: