If you use DNSPod to manage your domain names and want to automatically issue free certificates for domain names in Kubernetes, you can use cert-manager to this end:
cert-manager supports many DNS providers but not DNSPod. However, it offers a webhook to support more providers, and support for DNSPod is also implemented in the community. This document describes how to use cert-manager and cert-manager-webhook-dnspod to automatically issue free certificates for domain names in DNSPod.
We recommend you read Using cert-manager to Issue Free Certificates first.
Log in to the DNSPod console. In Key Management, create a key and copy the automatically generated ID
and Token
Install cert-manager. For more information, please see Using cert-manager to Issue Free Certificates.
Use HELM to install cert-manager-webhook-dnspod. You need to prepare the HELM configuration file.
Below is a sample dnspod-webhook-values.yaml
:
groupName: example.your.domain # Enter a custom group name
secrets: # Paste the generated ID and token below
apiID: "<id>"
apiToken: "<token>"
clusterIssuer:
enabled: true # Automatically create a ClusterIssuer
email: your@email.com # Enter your email address
For the complete configuration, please see values.yaml.
Use HELM for installation:
git clone --depth 1 https://github.com/qqshfox/cert-manager-webhook-dnspod.git
helm upgrade --install -n cert-manager -f dnspod-webhook-values.yaml cert-manager-webhook-dnspod ./cert-manager-webhook-dnspod/deploy/cert-manager-webhook-dnspod
Use the following YAML file to create a Certificate
object to issue a free certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-com-crt
namespace: istio-system
spec:
secretName: example-com-crt-secret # The certificate is stored in this secret
issuerRef:
name: cert-manager-webhook-dnspod-cluster-issuer # The automatically generated ClusterIssuer is used here
kind: ClusterIssuer
group: cert-manager.io
dnsNames: # Enter the list of domain names for which to issue certificates. Ensure that all the domain names are managed by DNSPod
- example.com
- test.example.com
If the status becomes READY
, the certificate is successfully issued:
$ kubectl -n istio-system get certificates.cert-manager.io
NAME READY SECRET AGE
example-com-crt True example-com-crt-secret 25d
If the issuance fails, you can run describe
to view the cause:
kubectl -n istio-system describe certificates.cert-manager.io example-com-crt
After the certificate is successfully issued, it will be stored in the specified Secret
as follows:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: test.example.com
http:
paths:
- path: /
backend:
serviceName: web
servicePort: 80
tls:
hosts:
- test.example.com
secretName: example-com-crt-secret # Reference the certificate secret
Was this page helpful?