User GuidesDeveloper ReferenceSupportFAQsLog in

Manage TLS Certificates using IONOS Cloud DNS Webhook for cert-manager

This tutorial will guide you through managing TLS certificates using the IONOS Cloud DNS Webhook for cert-manager. Following these steps, you can secure your Kubernetes cluster workloads with valid TLS certificates that are automatically renewed before they expire.

Prerequisites

  • You must have an IONOS account.

  • You must have a domain name registered and managed by IONOS Cloud DNS.

  • You must have a Kubernetes cluster set up. If you have not yet set up a Kubernetes cluster, follow the instructions in Set Up a Kubernetes Cluster to create one.

  • You have kubectl installed and configured to interact with your Kubernetes cluster. If you have not downloaded the kubeconfig file yet, follow the instructions in Download Kubeconfig File to download it.

  • You have cert-manager installed in your Kubernetes cluster. If not, you can install it by following the instructions on the cert-manager Installation guide.

Steps

1. Install cert-manager

Ensure that cert-manager is installed in your Kubernetes cluster. For more information about the instructions, refer to the cert-manager Installation guide.

Execute the following command, if it is not already installed:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml

Note: This tutorial uses cert-manager version v1.17.0; please always use the latest version of cert-manager.

2. Create a secret for the IONOS Cloud API Token

Create a Kubernetes secret to store your IONOS Cloud API token. Run the following command to create the secret:

kubectl create secret generic cert-manager-webhook-ionos-cloud  \
  -n cert-manager \
  --from-literal=auth-token=<IONOS Cloud Token>

Note: Replace IONOS Cloud Token with your actual IONOS Cloud token. For more information on managing authentication tokens, see Manage Authentication Tokens. Ensure that the token is refreshed so that certificates can be renewed automatically.

3. Create a DNS Zone in IONOS Cloud DNS

If you have not yet created a DNS zone in IONOS Cloud DNS, you need to create one. For more information, see Create a DNS Zone tutorial.

4. Add the Helm repository

1. Add the Helm repository for the IONOS Cloud Cert Manager webhook:

helm repo add cert-manager-webhook-ionos-cloud https://ionos-cloud.github.io/cert-manager-webhook-ionos-cloud

  1. Next, update the Helm repositories using the following command:

helm repo update

5. Install the IONOS Cloud Cert Manager webhook

To use the IONOS Cloud Cert Manager webhook, you need to install it in your Kubernetes cluster using Helm. Run the following command to install the webhook:

helm upgrade cert-manager-webhook-ionos-cloud \
--namespace cert-manager \
--install cert-manager-webhook-ionos-cloud/cert-manager-webhook-ionos-cloud

For more information, refer to the IONOS Cloud DNS Webhook for cert-manager documentation.

6. Create a ClusterIssuer resource

Create a ClusterIssuer resource in your Kubernetes cluster to configure the IONOS Cloud Cert Manager webhook. Save the following YAML content to a file named clusterissuer.yaml:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ionos-cloud-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your_email@example.com
    privateKeySecretRef:
      name: ionos-cloud-issuer-account-key
    solvers:
    - dns01:
        webhook:
          groupName: acme.ionos-cloud.com
          solverName: ionos-cloud
          config:
            apiTokenSecretRef:
              name: ionos-cloud-api-token
              key: token

Note: Replace your_email@example.com with your actual email address.

7. Apply the ClusterIssuer resource

Apply the ClusterIssuer resource to your Kubernetes cluster by running the following command:

kubectl apply -f clusterissuer.yaml

8. Create a Certificate resource

Create a Certificate resource to request a TLS certificate for your domain. Save the following YAML content to a file named certificate.yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: yourdomain-com
  namespace: default
spec:
  secretName: yourdomain-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: '*.yourdomain.com' # project must be the owner of this zone
  duration: 8760h0m0s
  dnsNames:
    - yourdomain.com
    - '*.yourdomain.com'

Note: Replace yourdomain.com with your actual domain name.

9. Apply the Certificate resource

Apply the Certificate resource to your Kubernetes cluster by running the following command:

kubectl apply -f certificate.yaml

10. Create an Ingress resource

Create an Ingress resource to expose your application using the TLS certificate. Save the following YAML content to a file named ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: default
  annotations:
    ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: "nginx"
  rules:
    - host: "app.yourdomain.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webapp
                port:
                  number: 80
  tls:
    - hosts:
        - "app.yourdomain.com"
      secretName: yourdomain-com-tls

Note: Replace yourdomain.com with your actual domain name.

11. Apply the Ingress resource

Apply the Ingress resource to your Kubernetes cluster using the following command:

kubectl apply -f ingress.yaml

12. Verify the Certificate

Verify if the certificate has been issued and stored in the specified secret. Run the following command to check the status of the certificate:

kubectl describe certificate yourdomain-com-tls

You should see the certificate details and the status indicating that the certificate has been successfully issued. The output should look similar to the following:

Name:         yourdomain-com
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2025-03-24T16:01:05Z
  Generation:          1
  Resource Version:    37314086452
  UID:                 00354607-ab4c-4654-b7ad-941e1c945abe
Spec:
  Common Name:  *.yourdomain.com
  Dns Names:
    yourdomain.com
    *.yourdomain.com
  Duration:  8760h0m0s
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  yourdomain-com-tls
Status:
  Conditions:
    Last Transition Time:  2025-03-24T16:03:32Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2025-06-22T15:05:00Z
  Not Before:              2025-03-24T15:05:01Z
  Renewal Time:            2025-05-23T15:05:00Z
  Revision:                1
Events:
  Type    Reason     Age   From                                       Message
  ----    ------     ----  ----                                       -------
  Normal  Issuing    29m   cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  29m   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "yourdomain-com-wjmmm"
  Normal  Requested  29m   cert-manager-certificates-request-manager  Created new CertificateRequest resource "yourdomain-com-1"
  Normal  Issuing    26m   cert-manager-certificates-issuing          The certificate has been successfully issued

Conclusion

You have successfully set up and managed TLS certificates using the IONOS Cloud cert-manager widget and IONOS Cloud DNS service. This ensures that your web server is secure and your data is protected. For more information, refer to the cert-manager official documentation and the IONOS Cloud DNS documentation.

PreviousSet Up a TLS Certificate using acme.sh and IONOS Cloud DNSNextFAQs

Last updated

Was this helpful?