Creating an ACME resolver webhook for responses to DNS01 checks
To pass domain ownership checks automatically with cert-manager, the DNS01 challenge can be answered by a resolver webhook that creates the required records in your DNS zone. Below is an example of creating a ClusterIssuer object with a DNS01 resolver webhook for a domain registered in Yandex Cloud DNS.
To run the webhook in a Managed Service for Kubernetes cluster:
Getting started
- Set up the Managed Service for Kubernetes cluster.
- Install the latest version of the certificate manager (cert-manager).
- Install the Helm package manager.
- Configure the CLI to work on behalf of a service account.
Install the webhook
- Clone the webhook's repository:

```bash
git clone https://github.com/yandex-cloud/cert-manager-webhook-yandex.git
```

- Install the webhook using Helm:

```bash
helm install -n cert-manager yandex-webhook ./deploy/cert-manager-webhook-yandex
```
Prepare configuration files
- Create an authorized key and save it to a file named `iamkey.json`:

```bash
yc iam key create iamkey \
  --service-account-id=<service_account_ID> \
  --format=json \
  --output=iamkey.json
```

Warning
The service account must have the `dns.editor` role in the folder with the public zone.

- Create a secret with the key of the service account:

```bash
kubectl create secret generic cert-manager-secret --from-file=iamkey.json -n cert-manager
```

- Create a file named `cluster-issuer.yml` with the ClusterIssuer object manifest:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: clusterissuer
  namespace: default
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: your@email.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: secret-ref
    solvers:
      - dns01:
          webhook:
            config:
              # ID of the folder where dns-zone is located
              folder: <folder_ID>
              # This is the secret used to access the service account
              serviceAccountSecretRef:
                name: cert-manager-secret
                key: iamkey.json
            groupName: acme.cloud.yandex.com
            solverName: yandex-cloud-dns
```
- Create a file named `cluster-certificate.yml` with the Certificate object manifest:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: your-site-com
  namespace: default
spec:
  secretName: example-com-secret
  issuerRef:
    # The issuer created previously
    name: clusterissuer
    kind: ClusterIssuer
  dnsNames:
    - your-site.com
```
Run the certificate manager with the webhook
- Create the objects in the Kubernetes cluster:

```bash
kubectl apply -f cluster-issuer.yml && \
kubectl apply -f cluster-certificate.yml
```

- Check that the webhook is running:

```bash
kubectl get pods -n cert-manager --watch
```

Make sure the output contains the ACME webhook pod for Yandex Cloud DNS:

```
NAME                                                         READY   STATUS    RESTARTS   AGE
...
yandex-webhook-cert-manager-webhook-yandex-5578cfb98-tw4mq   1/1     Running   1          43h
```
Delete the resources you created
If you no longer need the resources you created, delete the Managed Service for Kubernetes cluster.