Manage TLS Certificates using IONOS Cloud DNS Webhook for cert-manager
This tutorial will guide you through managing TLS certificates using the DNS webhook for [cert-manager](https://cert-manager.io/). Following these steps, you can secure your Kubernetes cluster workloads with valid TLS certificates that are automatically renewed before they expire.

## Target audience

This tutorial is intended to help both developers and technical decision makers.

## What you will learn

You will learn how to automate the issuance and renewal of TLS certificates for your Kubernetes workloads using cert-manager and the DNS webhook. This tutorial covers the complete setup process, including configuring DNS zones, secrets, and Certificate resources for secure application deployment.

## Before you begin

You must have the following:

- An IONOS Cloud account.
- A domain name registered and managed by Cloud DNS.
- A Kubernetes cluster set up. If you have not yet set up a Kubernetes cluster, follow the instructions in [Set up a Kubernetes cluster](https://docs.ionos.com/cloud/containers/managed-kubernetes/how-tos/cluster-management) to create one.
- `kubectl` installed and configured to interact with your Kubernetes cluster. If you have not downloaded the kubeconfig file yet, follow the instructions in [Download kubeconfig file](https://docs.ionos.com/cloud/containers/managed-kubernetes/download-kubeconfig-file) to download it.
- cert-manager installed in your Kubernetes cluster. If not, you can install it by following the instructions in the [cert-manager installation guide](https://cert-manager.io/docs/installation/).

## Procedure

### Install cert-manager

Ensure that cert-manager is installed in your Kubernetes cluster. For more information, refer to the [cert-manager installation guide](https://cert-manager.io/docs/installation/).

**Note:** This tutorial uses cert-manager version v1.17.0; please always use the latest version of cert-manager.

Execute the following command if cert-manager is not already installed:

```shell
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml
```

### Create a Secret for the API token

Create a Kubernetes Secret to store your API token. Run the following command to create the Secret.

**Note:** Replace `<IONOS_CLOUD_TOKEN>` with your actual token. For more information on managing authentication tokens, see [Manage authentication tokens](https://docs.ionos.com/cloud/management/identity-access-management/token-manager). Ensure that the token is refreshed before it expires so that certificates can continue to be renewed automatically.

```shell
kubectl create secret generic cert-manager-webhook-ionos-cloud \
  -n cert-manager \
  --from-literal=auth-token=<IONOS_CLOUD_TOKEN>
```

### Create a DNS zone in Cloud DNS

If you have not yet created a primary zone in Cloud DNS, you need to create one. For more information, see [Create a primary zone](https://docs.ionos.com/cloud/network-services/cloud-dns/dcd-how-tos/public-zone/primary-zone/create-primary-zone).

### Add the Helm repository

1. Add the Helm repository for the cert-manager webhook:

   ```shell
   helm repo add cert-manager-webhook-ionos-cloud https://ionos-cloud.github.io/cert-manager-webhook-ionos-cloud
   ```

2. Next, update the Helm repositories using the following command:

   ```shell
   helm repo update
   ```

### Install the IONOS Cloud cert-manager webhook

To use the cert-manager webhook, you need to install it in your Kubernetes cluster using Helm. Run the following command to install the webhook.

**Note:** As a standard practice, cert-manager is deployed within the `cert-manager` namespace. This chart operates under the assumption of this default namespace and uses this setting to grant the cert-manager service account the privileges it needs to create the `ionos-cloud` solver resources. If you are deploying the cert-manager chart in a different namespace, use the `certmanager.namespace` chart value to specify the namespace where cert-manager is deployed, for example `--set certmanager.namespace=custom-namespace`.

```shell
helm upgrade cert-manager-webhook-ionos-cloud \
  --namespace cert-manager \
  --install cert-manager-webhook-ionos-cloud/cert-manager-webhook-ionos-cloud
```
For more information, refer to the DNS webhook for cert-manager documentation.

### Create a ClusterIssuer resource

Create a ClusterIssuer resource in your Kubernetes cluster to configure the cert-manager webhook. Save the following YAML content to a file named `clusterissuer.yaml`.

**Note:** Replace `your-email@example.com` with your actual email address.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ionos-cloud-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - dns01:
          webhook:
            groupName: acme.ionos.com
            solverName: ionos-cloud
```

### Apply the ClusterIssuer resource

Apply the ClusterIssuer resource to your Kubernetes cluster by running the following command:

```shell
kubectl apply -f clusterissuer.yaml
```

### Create a Certificate resource

Create a Certificate resource to request a TLS certificate for your domain. Save the following YAML content to a file named `certificate.yaml`.

**Note:** Replace `yourdomain.com` with your actual domain name.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: yourdomain.com
  namespace: default
spec:
  secretName: yourdomain.com-tls
  issuerRef:
    name: ionos-cloud-issuer
    kind: ClusterIssuer
  commonName: '*.yourdomain.com' # project must be the owner of this primary zone
  duration: 8760h0m0s
  dnsNames:
    - yourdomain.com
    - '*.yourdomain.com'
```

### Apply the Certificate resource

Apply the Certificate resource to your Kubernetes cluster by running the following command.

**Note:** The Certificate resource will create a CertificateRequest and order a certificate from the ACME server. To answer the DNS-01 challenge, the webhook will create a TXT record in the primary zone. Depending on the issuer, approval of the certificate request might take several minutes.

```shell
kubectl apply -f certificate.yaml
```

### Create an Ingress resource

Create an Ingress resource to expose your application using the TLS certificate. Save the following YAML content to a file named `ingress.yaml`.

**Note:** Replace `yourdomain.com` with your actual domain name.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: default
  annotations:
    ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: "nginx"
  rules:
    - host: "app.yourdomain.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webapp
                port:
                  number: 80
  tls:
    - hosts:
        - "app.yourdomain.com"
      secretName: yourdomain.com-tls
```

### Apply the Ingress resource

Apply the Ingress resource to your Kubernetes cluster using the following command:

```shell
kubectl apply -f ingress.yaml
```

### Verify the certificate

Verify that the certificate has been issued and stored in the specified Secret. Run the following command to check the status of the Certificate resource (the resource is named `yourdomain.com`; the Secret it writes is `yourdomain.com-tls`):

```shell
kubectl describe certificate yourdomain.com
```

## Final result

You should see the certificate details and a status indicating that the certificate has been successfully issued. The output should look similar to the following:

```
Name:         yourdomain.com
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2025-03-24T16:01:05Z
  Generation:          1
  Resource Version:    37314086452
  UID:                 00354607-ab4c-4654-b7ad-941e1c945abe
Spec:
  Common Name:  *.yourdomain.com
  Dns Names:
    yourdomain.com
    *.yourdomain.com
  Duration:  8760h0m0s
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  letsencrypt-prod
  Secret Name:  yourdomain.com-tls
Status:
  Conditions:
    Last Transition Time:  2025-03-24T16:03:32Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2025-06-22T15:05:00Z
  Not Before:              2025-03-24T15:05:01Z
  Renewal Time:            2025-05-23T15:05:00Z
  Revision:                1
Events:
  Type    Reason     Age  From                                       Message
  ----    ------     ---  ----                                       -------
  Normal  Issuing    29m  cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  29m  cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "yourdomain.com-wjmmm"
  Normal  Requested  29m  cert-manager-certificates-request-manager  Created new CertificateRequest resource "yourdomain.com-1"
  Normal  Issuing    26m  cert-manager-certificates-issuing          The certificate has been successfully issued
```

## Conclusion

You have successfully set up and managed TLS certificates using the cert-manager webhook and the Cloud DNS service. This ensures that traffic to your web server is encrypted with a valid certificate and that your data is protected. For more information, refer to the cert-manager official documentation and the [IONOS Cloud DNS](https://docs.ionos.com/cloud/network-services/cloud-dns) documentation.
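A common failure after completing the Certificate and Ingress steps above is that the Ingress points at a Secret the Certificate never writes, or names a host that the certificate's `dnsNames` do not cover (a wildcard such as `*.yourdomain.com` covers `app.yourdomain.com` but neither the apex `yourdomain.com` nor a deeper name such as `a.b.yourdomain.com`, which is why the tutorial lists both names). The following Python check is an added example, not part of the IONOS tutorial or the webhook project: it cross-checks a Certificate against the Ingress that consumes it, using JSON in the shape that `kubectl get certificate -o json` and `kubectl get ingress -o json` return. The two JSON documents are constructed inline to mirror the tutorial's manifests and describe output; `yourdomain.com`, the Secret and issuer names, and the "today" date used for the renewal-window check are placeholders.

```python
"""Added example (not from the IONOS tutorial): cross-check a cert-manager
Certificate against the Ingress that consumes its Secret. Input is the JSON
shape of `kubectl get certificate -o json` / `kubectl get ingress -o json`."""
import json
from datetime import datetime, timezone

# Constructed sample mirroring the tutorial's Certificate once it is Ready
# (placeholder names: yourdomain.com, yourdomain.com-tls, ionos-cloud-issuer).
CERTIFICATE_JSON = """
{
  "apiVersion": "cert-manager.io/v1",
  "kind": "Certificate",
  "metadata": {"name": "yourdomain.com", "namespace": "default"},
  "spec": {
    "commonName": "*.yourdomain.com",
    "dnsNames": ["yourdomain.com", "*.yourdomain.com"],
    "duration": "8760h0m0s",
    "issuerRef": {"kind": "ClusterIssuer", "name": "ionos-cloud-issuer"},
    "secretName": "yourdomain.com-tls"
  },
  "status": {
    "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                    "message": "Certificate is up to date and has not expired"}],
    "notBefore": "2025-03-24T15:05:01Z",
    "notAfter": "2025-06-22T15:05:00Z",
    "renewalTime": "2025-05-23T15:05:00Z"
  }
}
"""

# Constructed sample mirroring the tutorial's Ingress.
INGRESS_JSON = """
{
  "apiVersion": "networking.k8s.io/v1",
  "kind": "Ingress",
  "metadata": {"name": "app-ingress", "namespace": "default"},
  "spec": {
    "ingressClassName": "nginx",
    "rules": [{"host": "app.yourdomain.com"}],
    "tls": [{"hosts": ["app.yourdomain.com"], "secretName": "yourdomain.com-tls"}]
  }
}
"""


def name_covered(host, dns_names):
    """True if host is covered by one of the certificate's dnsNames.
    A wildcard (*.example.com) covers exactly one additional label:
    app.example.com yes, example.com and a.b.example.com no."""
    host = host.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
    return False


def check_certificate(cert, ingress, now):
    """Return a list of findings; an empty list means everything checks out."""
    findings = []
    status = cert.get("status", {})
    ready = any(c["type"] == "Ready" and c["status"] == "True"
                for c in status.get("conditions", []))
    if not ready:
        findings.append("certificate is not Ready")
    not_after = datetime.fromisoformat(status["notAfter"].replace("Z", "+00:00"))
    renewal = datetime.fromisoformat(status["renewalTime"].replace("Z", "+00:00"))
    # cert-manager schedules renewal before expiry; it must still be in the future.
    if not (now < renewal < not_after):
        findings.append("renewalTime is not between now and notAfter")
    cert_secret = cert["spec"]["secretName"]
    dns_names = cert["spec"]["dnsNames"]
    for entry in ingress["spec"].get("tls", []):
        if entry["secretName"] != cert_secret:
            findings.append(f"ingress references secret {entry['secretName']}, "
                            f"certificate writes {cert_secret}")
        for host in entry["hosts"]:
            if not name_covered(host, dns_names):
                findings.append(f"host {host} is not covered by dnsNames {dns_names}")
    return findings


def run_check(cert_json=CERTIFICATE_JSON, ingress_json=INGRESS_JSON, now=None):
    """Parse both documents and run the checks; `now` defaults to a constructed date."""
    now = now or datetime(2025, 4, 1, tzinfo=timezone.utc)  # placeholder "today"
    return check_certificate(json.loads(cert_json), json.loads(ingress_json), now)


if __name__ == "__main__":
    for line in run_check() or ["OK: Ready, renewal scheduled, Ingress hosts and Secret match"]:
        print(line)
```

To run it against a live cluster, replace the two constructed strings with the output of `kubectl get certificate yourdomain.com -n default -o json` and `kubectl get ingress app-ingress -n default -o json` and pass `datetime.now(timezone.utc)` as `now`; any non-empty finding list means the Ingress will serve a mismatched or missing certificate even though `kubectl describe certificate` reports `Ready`.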
