
cert-manager with Yandex Cloud DNS ACME webhook

Updated October 24, 2024

Cert-manager adds certificates and certificate issuers (ClusterIssuer) as resource types in Kubernetes clusters and makes it easier to obtain, renew, and use those certificates.

The Yandex CloudDNS ACME webhooks plugin for Cert-manager enables solving DNS-01 challenges using Yandex Cloud DNS.

Deployment instructions
  1. Install kubectl and configure it to work with your cluster.

  2. Create a service account that the webhook will use to work with Yandex Cloud DNS and assign it the dns.editor role for the folder where the public DNS zone is located.

  3. Create an authorized key and save it to a file named key.json:

    yc iam key create \
       --service-account-name <service account name> \
       --format json \
       --output key.json
    
  4. Configure the application:

    • Namespace: Select a namespace or create a new one.
    • Application name: Enter a name for the application.
    • Service account key: Paste the contents of the key.json file or create a new key.
    • Folder ID: Specify the ID of the folder containing the Cloud DNS zone. The zone is used to confirm that you own the domain when running a DNS-01 challenge.
    • Email address to get notifications from Let’s Encrypt: Specify the email address for receiving Let’s Encrypt notifications.
    • Let’s Encrypt server address: Select a Let’s Encrypt server address from the list:
      • https://acme-v02.api.letsencrypt.org/directory: Primary URL.
      • https://acme-staging-v02.api.letsencrypt.org/directory: Test URL.
  5. Click Install.

  6. Wait for the application to change its status to Deployed.

  7. Create a file named certificate.yaml with a request for a test certificate:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: domain-name
      namespace: <namespace>
    spec:
      secretName: domain-name-secret
      issuerRef:
        # ClusterIssuer created along with the Yandex CloudDNS ACME webhook
        name: yc-clusterissuer
        kind: ClusterIssuer
      dnsNames:
        # The domain must belong to your public Cloud DNS zone
        - <domain name>
    
  8. Install the certificate in the cluster:

    kubectl apply -f certificate.yaml
    
  9. Check if the certificate is available:

    kubectl get certificate
    
    NAME          READY   SECRET               AGE
    domain-name   True    domain-name-secret   45m
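
The READY column alone does not say why issuance is stuck or whether the issuer points at the test URL from step 4. The following added example (not part of the original page or the product) checks both; it assumes the cert-manager v1 fields status.conditions, status.notAfter and spec.acme.server, and the names audit, _obj and min_days as well as the sample objects are constructed for illustration.

```python
from datetime import datetime, timezone

# Test URL listed in step 4; certificates it issues are not publicly trusted.
STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

def audit(cert, issuer, now, min_days=14):
    """Return findings for a Certificate and the ClusterIssuer it references."""
    findings = []
    status = cert.get("status", {})
    ready = next((c for c in status.get("conditions", [])
                  if c.get("type") == "Ready"), None)
    if ready is None:
        findings.append("no Ready condition: issuance has not been attempted yet")
    elif ready.get("status") != "True":
        findings.append(f"not ready: {ready.get('reason')}: {ready.get('message')}")
    if status.get("notAfter"):
        expires = datetime.strptime(status["notAfter"], "%Y-%m-%dT%H:%M:%SZ")
        days = (expires.replace(tzinfo=timezone.utc) - now).days
        if days < min_days:
            findings.append(f"expires in {days} days: check that renewal works")
    ref = cert["spec"]["issuerRef"]
    if (ref.get("kind"), ref.get("name")) != ("ClusterIssuer", issuer["metadata"]["name"]):
        findings.append("issuerRef does not match the supplied ClusterIssuer")
    if issuer["spec"]["acme"]["server"] == STAGING:
        findings.append("issuer uses the Let's Encrypt test URL")
    return findings

def _obj(ready, reason, server, not_after=None):
    """Build a constructed Certificate/ClusterIssuer pair (sample data, not real output)."""
    cert = {"spec": {"issuerRef": {"name": "yc-clusterissuer", "kind": "ClusterIssuer"}},
            "status": {"conditions": [{"type": "Ready", "status": ready,
                                       "reason": reason, "message": "constructed sample"}]}}
    if not_after:
        cert["status"]["notAfter"] = not_after
    issuer = {"metadata": {"name": "yc-clusterissuer"}, "spec": {"acme": {"server": server}}}
    return cert, issuer

NOW = datetime(2024, 10, 24, tzinfo=timezone.utc)  # fixed so the sample is reproducible
PROD = "https://acme-v02.api.letsencrypt.org/directory"
GOOD = _obj("True", "Ready", PROD, "2025-01-20T12:00:00Z")
PENDING = _obj("False", "Issuing", STAGING)

if __name__ == "__main__":
    for name, (cert, issuer) in (("good", GOOD), ("pending", PENDING)):
        print(name, audit(cert, issuer, NOW) or "ok")
```

Against a live cluster, load the two objects with json.load from the output of `kubectl get certificate domain-name -n <namespace> -o json` and `kubectl get clusterissuer yc-clusterissuer -o json`.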
    
Billing type
Free
Type
Kubernetes® Application
Category
Developer tools
Publisher
Yandex Cloud
Vendor
Yandex.Cloud
Use cases
  • Getting valid X.509 certificates for Ingress resources in a cluster.
Technical support

Yandex Cloud technical support is available 24/7 to respond to requests. The types of requests available to you and their response time depend on your pricing plan. You can activate paid support in the management console. Learn more about requesting technical support.

Product composition
Helm chart: yandex-cloud/cert-manager-webhook-yandex/cert-manager-webhook-yandex
Version: 1.0.8-1
Docker image: yandex-cloud/cert-manager-webhook-yandex/cert-manager-webhook-yandex1711961635594770953820309645949480358266192316354
Version: 1.0.2
Terms
By using this product you agree to the Yandex Cloud Marketplace Terms of Service