You can use Yandex Cloud Managed Service for Kubernetes or any other Kubernetes service.

Install cert-manager and Helm, then install the webhook chart:

    git clone https://github.com/yandex-cloud/cert-manager-webhook-yandex.git
    helm install -n cert-manager yandex-webhook ./deploy/cert-manager-webhook-yandex

Obtain an IAM key JSON file for the service account the webhook will use:

    yc iam key create iamkey \
      --service-account-id=<your service account ID> \
      --format=json \
      --output=iamkey.json

Note that the service account needs permissions to create and delete records in your DNS zone.

Create the secret that holds the key:

    kubectl create secret generic cert-manager-secret --from-file=iamkey.json -n cert-manager

Create an Issuer or ClusterIssuer that uses the webhook solver with the following parameters:

    solverName: yandex-cloud-dns
    groupName: acme.cloud.yandex.com
Issuer example:

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: issuer
      namespace: default
    spec:
      acme:
        # You must replace this email address with your own.
        # Let's Encrypt will use this to contact you about expiring
        # certificates, and issues related to your account.
        email: your@email.com
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          # Secret resource that will be used to store the account's private key.
          name: secret-ref
        solvers:
          - dns01:
              webhook:
                config:
                  # The ID of the folder the DNS zone is located in
                  folder: <your folder ID>
                  # This is the secret used to access the service account
                  serviceAccountSecretRef:
                    name: cert-manager-secret
                    key: iamkey.json
                groupName: acme.cloud.yandex.com
                solverName: yandex-cloud-dns
ClusterIssuer example (a ClusterIssuer is cluster-scoped, so it has no namespace):

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: clusterissuer
    spec:
      acme:
        # You must replace this email address with your own.
        # Let's Encrypt will use this to contact you about expiring
        # certificates, and issues related to your account.
        email: your@email.com
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          # Secret resource that will be used to store the account's private key.
          name: secret-ref
        solvers:
          - dns01:
              webhook:
                config:
                  # The ID of the folder the DNS zone is located in
                  folder: <your folder ID>
                  # This is the secret used to access the service account
                  serviceAccountSecretRef:
                    name: cert-manager-secret
                    key: iamkey.json
                groupName: acme.cloud.yandex.com
                solverName: yandex-cloud-dns
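The manifests above are easy to apply with a placeholder still in them, which fails only later when the ACME challenge runs. The following pre-apply check is an added example, not part of this repository: it walks the dns01 webhook solver of an Issuer or ClusterIssuer manifest (loaded as a dict) and reports the values that must be set for this webhook. The sample manifest it builds is a constructed copy of the ClusterIssuer shown above; the solver and endpoint constants come from this page.

```python
# Solver identity the README fixes for this webhook, and the staging ACME endpoint it uses.
GROUP_NAME = "acme.cloud.yandex.com"
SOLVER_NAME = "yandex-cloud-dns"
STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

def is_placeholder(value) -> bool:
    """True for unreplaced README placeholders such as '<your folder ID>' or 'your@email.com'."""
    text = str(value or "")
    return not text or text.startswith("<") or text == "your@email.com"

def check_issuer(manifest: dict, secret_key: str = "iamkey.json") -> list:
    """Return findings for an Issuer/ClusterIssuer dict; an empty list means it is ready to apply."""
    findings, kind = [], manifest.get("kind")
    if kind not in ("Issuer", "ClusterIssuer"):
        return [f"unexpected kind {kind!r}"]
    if kind == "ClusterIssuer" and "namespace" in manifest.get("metadata", {}):
        findings.append("ClusterIssuer is cluster-scoped; drop metadata.namespace")
    acme = manifest.get("spec", {}).get("acme", {})
    if is_placeholder(acme.get("email")):
        findings.append("acme.email is still the placeholder")
    if acme.get("server") == STAGING:
        findings.append("acme.server is the staging endpoint; clients will not trust these certs")
    webhooks = [s["dns01"]["webhook"] for s in acme.get("solvers", []) if "webhook" in s.get("dns01", {})]
    if not webhooks:
        findings.append("no dns01 webhook solver configured")
    for wh in webhooks:
        if wh.get("groupName") != GROUP_NAME or wh.get("solverName") != SOLVER_NAME:
            findings.append(f"solver must be groupName={GROUP_NAME}, solverName={SOLVER_NAME}")
        cfg = wh.get("config", {})
        if is_placeholder(cfg.get("folder")):
            findings.append("config.folder is not a real folder ID")
        ref = cfg.get("serviceAccountSecretRef", {})
        if not ref.get("name") or ref.get("key") != secret_key:
            findings.append(f"serviceAccountSecretRef must name the secret and use key {secret_key}")
    return findings

def readme_clusterissuer(email="your@email.com", folder="<your folder ID>",
                         server=STAGING, namespace="default") -> dict:
    """Constructed sample: the README's ClusterIssuer, with its placeholders as the defaults."""
    metadata = {"name": "clusterissuer"}
    if namespace:
        metadata["namespace"] = namespace
    return {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer", "metadata": metadata,
            "spec": {"acme": {"email": email, "server": server,
                "privateKeySecretRef": {"name": "secret-ref"},
                "solvers": [{"dns01": {"webhook": {"groupName": GROUP_NAME, "solverName": SOLVER_NAME,
                    "config": {"folder": folder,
                        "serviceAccountSecretRef": {"name": "cert-manager-secret", "key": "iamkey.json"}}}}}]}}}
```

Run `check_issuer(readme_clusterissuer())` to see the four findings the unedited example produces; a filled-in manifest with the production ACME server and no namespace returns an empty list.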
Create a Certificate

Certificate with Issuer example:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: example-com
      namespace: default
    spec:
      secretName: example-com-secret
      issuerRef:
        # The issuer created previously
        name: issuer
        kind: Issuer
      dnsNames:
        - example.com

Certificate with ClusterIssuer example:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: example-com
      namespace: default
    spec:
      secretName: example-com-secret
      issuerRef:
        # The issuer created previously
        name: clusterissuer
        kind: ClusterIssuer
      dnsNames:
        - example.com