Manage TLS Certificates using IONOS Cloud DNS Webhook for cert-manager
This tutorial will guide you through managing TLS certificates using the IONOS Cloud DNS Webhook for cert-manager. Following these steps, you can secure your Kubernetes cluster workloads with valid TLS certificates that are automatically renewed before they expire.
Prerequisites
You must have an IONOS account.
You must have a domain name registered and managed by IONOS Cloud DNS.
You must have a Kubernetes cluster set up. If you have not yet set up a Kubernetes cluster, follow the instructions in Set Up a Kubernetes Cluster to create one.
You have kubectl installed and configured to interact with your Kubernetes cluster. If you have not downloaded the kubeconfig file yet, follow the instructions in Download Kubeconfig File to download it.
You have cert-manager installed in your Kubernetes cluster. If not, you can install it by following the instructions on the cert-manager Installation guide.
Steps
1. Install cert-manager
Ensure that cert-manager is installed in your Kubernetes cluster. For instructions, refer to the cert-manager Installation guide.
If it is not already installed, run the following command:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml
2. Create a secret for the IONOS Cloud API Token
Create a Kubernetes secret to store your IONOS Cloud API token. Run the following command to create the secret:
kubectl create secret generic cert-manager-webhook-ionos-cloud \
  -n cert-manager \
  --from-literal=auth-token=<IONOS Cloud Token>
3. Create a DNS Zone in IONOS Cloud DNS
If you have not yet created a primary zone in IONOS Cloud DNS, you need to create one. For more information, see the Create a Primary Zone tutorial.
4. Add the Helm repository
1. Add the Helm repository for the IONOS Cloud Cert Manager webhook:
helm repo add cert-manager-webhook-ionos-cloud https://ionos-cloud.github.io/cert-manager-webhook-ionos-cloud
2. Next, update the Helm repositories using the following command:
helm repo update
5. Install the IONOS Cloud Cert Manager webhook
To use the IONOS Cloud Cert Manager webhook, you need to install it in your Kubernetes cluster using Helm. Run the following command to install the webhook:
helm upgrade cert-manager-webhook-ionos-cloud \
  --namespace cert-manager \
  --install cert-manager-webhook-ionos-cloud/cert-manager-webhook-ionos-cloud
For more information, refer to the IONOS Cloud DNS Webhook for cert-manager documentation.
6. Create a ClusterIssuer resource
Create a ClusterIssuer resource in your Kubernetes cluster to configure the IONOS Cloud Cert Manager webhook. Save the following YAML content to a file named clusterissuer.yaml:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ionos-cloud-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: you@example.com  # placeholder: replace with your contact email address
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - dns01:
          webhook:
            groupName: acme.ionos.com
            solverName: ionos-cloud
7. Apply the ClusterIssuer resource
Apply the ClusterIssuer resource to your Kubernetes cluster by running the following command:
kubectl apply -f clusterissuer.yaml
8. Create a Certificate resource
Create a Certificate resource to request a TLS certificate for your domain. Save the following YAML content to a file named certificate.yaml:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: yourdomain-com
  namespace: default
spec:
  secretName: yourdomain-com-tls
  issuerRef:
    name: ionos-cloud-issuer
    kind: ClusterIssuer
  commonName: '*.yourdomain.com' # project must be the owner of this primary zone
  # Requested validity; the ACME CA sets the actual lifetime
  # (the sample output in step 12 shows a 90-day certificate).
  duration: 8760h0m0s
  dnsNames:
    - yourdomain.com
    - '*.yourdomain.com'
9. Apply the Certificate resource
Apply the Certificate resource to your Kubernetes cluster by running the following command:
kubectl apply -f certificate.yaml
10. Create an Ingress resource
Create an Ingress resource to expose your application using the TLS certificate. Save the following YAML content to a file named ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: default
  annotations:
    ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: "nginx"
  rules:
    - host: "app.yourdomain.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webapp
                port:
                  number: 80
  tls:
    - hosts:
        - "app.yourdomain.com"
      secretName: yourdomain-com-tls
11. Apply the Ingress resource
Apply the Ingress resource to your Kubernetes cluster using the following command:
kubectl apply -f ingress.yaml
12. Verify the Certificate
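Verify that the certificate has been issued and stored in the specified secret. Run the following command to check the status of the certificate (the Certificate resource is named yourdomain-com; yourdomain-com-tls is the name of the secret it writes to):
kubectl describe certificate yourdomain-com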
You should see the certificate details and the status indicating that the certificate has been successfully issued. The output should look similar to the following:
Name:         yourdomain-com
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2025-03-24T16:01:05Z
  Generation:          1
  Resource Version:    37314086452
  UID:                 00354607-ab4c-4654-b7ad-941e1c945abe
Spec:
  Common Name:  *.yourdomain.com
  Dns Names:
    yourdomain.com
    *.yourdomain.com
  Duration:  8760h0m0s
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod
  Secret Name:  yourdomain-com-tls
Status:
  Conditions:
    Last Transition Time:  2025-03-24T16:03:32Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2025-06-22T15:05:00Z
  Not Before:              2025-03-24T15:05:01Z
  Renewal Time:            2025-05-23T15:05:00Z
  Revision:                1
Events:
  Type    Reason     Age  From                                       Message
  ----    ------     ---- ----                                       -------
  Normal  Issuing    29m  cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  29m  cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "yourdomain-com-wjmmm"
  Normal  Requested  29m  cert-manager-certificates-request-manager  Created new CertificateRequest resource "yourdomain-com-1"
  Normal  Issuing    26m  cert-manager-certificates-issuing          The certificate has been successfully issued
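A Ready certificate does not by itself mean the Ingress will serve it: the Ingress must reference the same secret, live in the same namespace, and every TLS host must be covered by one of the certificate's dnsNames (a wildcard covers exactly one label). The following check is an added example, not part of the IONOS or cert-manager tooling; the function names covers and check_ingress_tls are hypothetical, and the input is assumed to have the shape of kubectl get certificate/ingress <name> -o json.

```python
def covers(pattern: str, host: str) -> bool:
    """True if a certificate dnsName covers host (wildcard = one left-most label)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # "*.yourdomain.com" matches app.yourdomain.com, but not the apex
        # yourdomain.com and not a.b.yourdomain.com.
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host


def check_ingress_tls(cert: dict, ingress: dict) -> list:
    """Return a list of problems; empty means the Ingress can serve this certificate."""
    problems = []
    spec, meta = cert["spec"], cert["metadata"]
    conditions = cert.get("status", {}).get("conditions", [])
    if not any(c.get("type") == "Ready" and c.get("status") == "True" for c in conditions):
        problems.append(f"Certificate {meta['name']} is not Ready")
    # An Ingress can only reference a TLS Secret in its own namespace.
    if ingress["metadata"].get("namespace") != meta.get("namespace"):
        problems.append("Ingress and Certificate are in different namespaces")
    names = spec.get("dnsNames", [])
    for tls in ingress["spec"].get("tls", []):
        if tls.get("secretName") != spec["secretName"]:
            problems.append(f"Ingress uses Secret {tls.get('secretName')}, not {spec['secretName']}")
        for host in tls.get("hosts", []):
            if not any(covers(name, host) for name in names):
                problems.append(f"{host} is not covered by {names}")
    return problems


# Constructed sample objects mirroring this tutorial's manifests (the shape of
# `kubectl get certificate|ingress <name> -o json`), not real cluster output.
CERT = {
    "metadata": {"name": "yourdomain-com", "namespace": "default"},
    "spec": {"secretName": "yourdomain-com-tls",
             "dnsNames": ["yourdomain.com", "*.yourdomain.com"]},
    "status": {"conditions": [{"type": "Ready", "status": "True"}]},
}
INGRESS = {
    "metadata": {"name": "app-ingress", "namespace": "default"},
    "spec": {"tls": [{"hosts": ["app.yourdomain.com"],
                      "secretName": "yourdomain-com-tls"}]},
}

if __name__ == "__main__":
    print(check_ingress_tls(CERT, INGRESS) or "OK")
```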
Conclusion
You have successfully set up and managed TLS certificates using the IONOS Cloud cert-manager webhook and IONOS Cloud DNS service. This ensures that your web server is secure and your data is protected. For more information, refer to the cert-manager official documentation and the IONOS Cloud DNS documentation.