Cert-manager adds certificates and certificate issuers (ClusterIssuer) as resource types in Kubernetes clusters and makes it easier to obtain, renew, and use those certificates.
The Yandex CloudDNS ACME webhooks plugin for Cert-manager enables solving DNS-01 challenges using Yandex Cloud DNS.
1. Create a service account for Yandex Cloud DNS to run and assign it the `dns.editor` role for the folder where a public DNS zone is located.
2. Create an authorized key and save it to a file named `key.json`:

   ```bash
   yc iam key create \
     --service-account-name <service account name> \
     --format json \
     --output key.json
   ```

3. Configure the application:
   - Namespace: Select a namespace or create a new one.
   - Application name: Enter a name for the application.
   - Service account key: Paste the contents of the `key.json` file or create a new key.
   - Folder ID: Specify the ID of the folder that stores the Cloud DNS zone to confirm that you own the domain when running a DNS-01 challenge.
   - Email address to get notifications from Let’s Encrypt: Specify the email address for receiving Let’s Encrypt notifications.
   - Let’s Encrypt server address: Select a Let’s Encrypt server address from the list:
     - `https://acme-v02.api.letsencrypt.org/directory`: Primary URL.
     - `https://acme-staging-v02.api.letsencrypt.org/directory`: Test URL.
4. Click Install.
5. Wait for the application to change its status to `Deployed`.
6. Create a file named `certificate.yaml` with a request for a test certificate:

   ```yaml
   apiVersion: cert-manager.io/v1
   kind: Certificate
   metadata:
     name: domain-name
     namespace: <namespace>
   spec:
     secretName: domain-name-secret
     issuerRef:
       # ClusterIssuer created along with the Yandex CloudDNS ACME webhook
       name: yc-clusterissuer
       kind: ClusterIssuer
     dnsNames:
       # The domain must belong to your public Cloud DNS zone
       - <domain name>
   ```

7. Install the certificate in the cluster:

   ```bash
   kubectl apply -f certificate.yaml
   ```

8. Check if the certificate is available:

   ```bash
   kubectl get certificate
   ```

   Expected output:

   ```text
   NAME          READY   SECRET               AGE
   domain-name   True    domain-name-secret   45m
   ```
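A pre-flight check for the `certificate.yaml` request above, added here as an example (not code from the page or from the webhook project): it verifies that the manifest points at the `yc-clusterissuer` ClusterIssuer and that every name in `dnsNames` lies inside the public Cloud DNS zone, since the DNS-01 solver can only publish the `_acme-challenge` TXT record in a zone the service account controls. The manifest is assumed to be already parsed (for instance with `yaml.safe_load`); `ZONE` and `SAMPLE` are constructed values.

```python
ZONE = "example.com."  # constructed: the public Cloud DNS zone in the configured folder
EXPECTED_ISSUER = {"kind": "ClusterIssuer", "name": "yc-clusterissuer"}


def normalize(name: str) -> str:
    """Lower-case and append the trailing dot so names compare like DNS zone data."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def in_zone(dns_name: str, zone: str) -> bool:
    """True if dns_name is the zone apex or a name below it (a leading '*.' is ignored)."""
    name = normalize(dns_name.removeprefix("*."))
    z = normalize(zone)
    return name == z or name.endswith("." + z)


def challenge_record(dns_name: str) -> str:
    """TXT record the DNS-01 solver must create; '*.example.com' is validated at
    the same record as 'example.com'."""
    return "_acme-challenge." + normalize(dns_name.removeprefix("*."))


def check_manifest(manifest: dict, zone: str) -> list[str]:
    """Return the problems found; an empty list means the request looks sound."""
    problems = []
    if manifest.get("apiVersion") != "cert-manager.io/v1" or manifest.get("kind") != "Certificate":
        problems.append("not a cert-manager.io/v1 Certificate")
    spec = manifest.get("spec", {})
    if not spec.get("secretName"):
        problems.append("spec.secretName is missing")
    ref = spec.get("issuerRef", {})
    if ref.get("kind") != EXPECTED_ISSUER["kind"] or ref.get("name") != EXPECTED_ISSUER["name"]:
        problems.append(f"issuerRef should be {EXPECTED_ISSUER}")
    names = spec.get("dnsNames") or []
    if not names:
        problems.append("spec.dnsNames is empty")
    for n in names:
        if not in_zone(n, zone):
            problems.append(f"{n} is outside zone {zone}; the webhook cannot publish {challenge_record(n)}")
    return problems


# Constructed sample: the page's certificate.yaml with placeholders filled in, plus one
# name (example.org) that is deliberately outside the zone to show the failing case.
SAMPLE = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "Certificate",
    "metadata": {"name": "domain-name", "namespace": "default"},
    "spec": {
        "secretName": "domain-name-secret",
        "issuerRef": {"name": "yc-clusterissuer", "kind": "ClusterIssuer"},
        "dnsNames": ["www.example.com", "*.example.com", "example.org"],
    },
}

if __name__ == "__main__":
    for problem in check_manifest(SAMPLE, ZONE):
        print("problem:", problem)
```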
| Helm chart | Version | Pull-command | Documentation |
|---|---|---|---|
| yandex-cloud/cert-manager-webhook-yandex/cert-manager-webhook-yandex | 1.0.8-1 | | Open |

| Docker image | Version | Pull-command |
|---|---|---|
| yandex-cloud/cert-manager-webhook-yandex/cert-manager-webhook-yandex | 1.0.2 | |