cert-manager with Yandex Cloud DNS ACME webhook

Updated April 1, 2024

cert-manager adds certificates and certificate issuers (ClusterIssuer) as resource types in Kubernetes clusters and makes it easier to obtain, renew, and use those certificates.

The Yandex Cloud DNS ACME webhook plugin for cert-manager lets you complete a DNS-01 challenge using Yandex Cloud DNS.

Deployment instructions
  1. Create a service account that the webhook will use to work with Yandex Cloud DNS, and assign it the dns.editor role for the folder where the public DNS zone is located.

  2. Create an authorized key and save it to a file named key.json:

    yc iam key create \
       --service-account-name <service account name> \
       --format json \
       --output key.json
    
  3. Configure the application:

    • Namespace: Select a namespace or create a new one.
    • Application name: Enter an application name.
    • Service account key: Paste the contents of the key.json file or create a new key.
    • Folder ID: Specify the ID of the folder containing the Cloud DNS zone that is used to confirm domain ownership during the DNS-01 challenge.
    • Email address to get notifications from Let’s Encrypt: Specify the email address for receiving Let’s Encrypt notifications.
    • Let’s Encrypt server address: Select a Let’s Encrypt server address from the list:
      • https://acme-v02.api.letsencrypt.org/directory: Primary URL.
      • https://acme-staging-v02.api.letsencrypt.org/directory: Test URL.
  4. Click Install.

  5. Create a file named certificate.yaml with a request for a test certificate:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: domain-name
      namespace: <namespace>
    spec:
      secretName: domain-name-secret
      issuerRef:
        # ClusterIssuer created along with the Yandex Cloud DNS ACME webhook
        name: yc-clusterissuer
        kind: ClusterIssuer
      dnsNames:
        # The domain must belong to your public Cloud DNS zone
        - <domain name>
    
  6. Install the certificate in the cluster:

    kubectl apply -f certificate.yaml
    
  7. Check if the certificate is available:

    kubectl get certificate
    
    NAME          READY   SECRET               AGE
    domain-name   True    domain-name-secret   45m
    
Billing type
Free
Type
Kubernetes® Application
Category
Developer tools
Publisher
Yandex Cloud
Vendor
Yandex.Cloud
Use cases
  • Getting valid X.509 certificates for Ingress resources in a cluster.
Technical support

Yandex Cloud technical support is available 24/7 to respond to requests. The types of requests available and their response time depend on your pricing plan. You can activate paid support in the management console. Learn more about requesting technical support.

Product composition
Helm chart
yandex-cloud/cert-manager-webhook-yandex/cert-manager-webhook-yandex
Version
1.0.8-1
Docker image, version
yandex-cloud/cert-manager-webhook-yandex/cert-manager-webhook-yandex17119616355947709538203096459494803582661923163541.0.2
Terms
By using this product you agree to the Yandex Cloud Marketplace Terms of Service