Available in Classic and VPC
This guide explains how to use cert-manager to obtain certificates from the Ncloud ACME server in a Kubernetes cluster.
This guide is based on cert-manager v1.x. Other ACME clients that comply with RFC 8555 are also available, but official technical support is provided only for cert-manager.
Before you start
After completing all the steps in ACME prerequisites, the following items must be ready.
- Issued EAB Key ID and EAB HMAC Key
kubectlusage permissions and cluster-admin permissions- DNS provider accounts and API permissions supported by cert-manager (see the list of supported items)
- When using an OV certificate, complete organization validation under Certificate Manager > Organization
Ncloud ACME server supports only DNS-01 validation. You need a DNS provider natively supported by cert-manager (such as AWS Route53, Cloudflare, Google Cloud DNS, Azure DNS, etc.) or a webhook-based solver.
Workflow
The certificate automation workflow using cert-manager is as follows:
User's browser
│ HTTPS
▼
Ingress
│ See tls.secretName
▼
K8s Secret (to store certificate)
▲ Automatic issuance/renewal
│
cert-manager
│ ACME DNS-01 challenge
▼
Ncloud ACME server ←→ DNS provider (automatic TXT record processing)
cert-manager attempts automatic renewal at two-thirds of the certificate's lifetime. To explicitly specify the renewal time, use Certificate.spec.renewBefore field.
Step 1: Install cert-manager
Run the following command to install cert-manager on the cluster.
kubectl apply -f \
https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml
After installation, wait until all Pods reach Running state.
kubectl get pods -n cert-manager
Sample output:
NAME READY STATUS RESTARTS
cert-manager-xxxx 1/1 Running 0
cert-manager-cainjector-xxxx 1/1 Running 0
cert-manager-webhook-xxxx 1/1 Running 0
Step 2: Create EAB Secret
Store the EAB HMAC key to be used for ACME account registration as a Kubernetes Secret. Replace [EAB_HMAC_KEY] with the actual value you received and run.
kubectl create secret generic ncp-acme-eab \
--from-literal secret="[EAB_HMAC_KEY]" \
-n cert-manager
The EAB key is single-use. Once used to register an account, it will be depleted and cannot be reused.
The ncp-acme-account-key secret created in Step 3 is your ACME account identification key. Be sure to back it up. If you lose your EAB key, you will need to request a new one and re-register your account.
Step 3: Create ClusterIssuer
cert-manager provides two issuer resources.
| Resources | Scope of application | Quickstart |
|---|---|---|
ClusterIssuer |
Entire cluster | When issuing certificates that are common to multiple namespaces (Recommended) |
Issuer |
Specific namespace | When issuers need to be separated by namespace |
This guide uses the generally recommended ClusterIssuer. Create clusterissuer.yaml file with the following content. Replace [EAB_KEY_ID], admin@example.com, solvers sections to suit your environment.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: ncp-acme
spec:
acme:
server: https://acme.navercloudtrust.com/acme/directory
email: admin@example.com
privateKeySecretRef:
name: ncp-acme-account-key
externalAccountBinding:
keyID: "[EAB_KEY_ID]"
keySecretRef:
name: ncp-acme-eab
key: secret
solvers:
- dns01:
# Configure based on the DNS provider in use
# For detailed configuration, see the official cert-manager documentation.
# https://cert-manager.io/docs/configuration/acme/dns01/
After creating the file, run the following command to create the ClusterIssuer.
kubectl apply -f clusterissuer.yaml
After creation, verify the registration status. If the status of Ready is True, it is normal.
kubectl get clusterissuer ncp-acme
kubectl describe clusterissuer ncp-acme
Step 4: Request certificate
Create a certificate resource to request a certificate. Create certificate.yaml file with the following content.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: company-tls
namespace: default
spec:
secretName: company-tls-secret
issuerRef:
name: ncp-acme
kind: ClusterIssuer
dnsNames:
- www.example.com
- api.example.com
kubectl apply -f certificate.yaml
To view the issuance status, run the following command. Wait until the Ready status changes to True. It may take a few minutes to complete the DNS-01 challenge.
# View certificate issuance status
kubectl get certificate company-tls -n default
# View event details (identify the cause of error)
kubectl describe certificate company-tls -n default
kubectl describe certificaterequest -n default
# View the secret after issuance is complete
kubectl get secret company-tls-secret -n default
To reissue a certificate, delete the certificate resource and then recreate it.
kubectl delete -f certificate.yaml
kubectl apply -f certificate.yaml
Step 5: Apply Ingress
Apply the issued certificate to Ingress. Create ingress.yaml file with the following content.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: company-ingress
annotations:
cert-manager.io/cluster-issuer: "ncp-acme"
spec:
tls:
- hosts:
- www.example.com
secretName: company-tls-secret
rules:
- host: www.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: company-service
port:
number: 80
kubectl apply -f ingress.yaml
If you add cert-manager.io/cluster-issuer annotation to Ingress, cert-manager automatically requests and manages the certificate without requiring you to create a separate certificate resource. In this case, you may skip certificate.yaml creation in step 4.
Troubleshooting
| Items to check | Commands |
|---|---|
| View ClusterIssuer status | kubectl describe clusterissuer ncp-acme |
| View certificate status | kubectl describe certificate <name> -n <namespace> |
| CertificateRequest details | kubectl describe certificaterequest -n <namespace> |
| Challenge details (DNS-01 validation phase) | kubectl describe challenge -A |
| View the cert-manager logs | kubectl logs -n cert-manager -l app.kubernetes.io/name=cert-manager --tail=200 |
Security advisory
- Configure RBAC so that
ncp-acme-eabsecrets that store the EAB HMAC key and the ACME account keyncp-acme-account-keysecrets are accessible only within thecert-managernamespace. - Minimize access permissions to the secret that stores the DNS provider API key.
- We recommend granting only the minimum permissions required for the DNS service to the DNS provider API key.
- Do not commit secret resources directly to the Git repository. We recommend using sealed secrets or an external secret management tool.