This guide will show you how to install cert-manager and set up your cluster to issue Let’s Encrypt certificates for you.
Step 1: Add cert-manager to your Kubernetes cluster
1. Create a namespace with the name cert-manager:
```shell
kubectl create namespace cert-manager
```
2. Install cert-manager:
```shell
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml -n cert-manager
```
3. Check that cert-manager installed correctly by listing its CustomResourceDefinitions:
```shell
kubectl get CustomResourceDefinition | grep cert-manager
```
4. Next, check that the cert-manager services are running in the cert-manager namespace:
```shell
kubectl get all -n cert-manager
```
Step 2: Delegate your domain names and set up DNS01 challenges
If your domain name is already managed by Route 53, the hosted zone already exists, so skip to Step 3.
1. Log in to AWS Route 53. On the Dashboard, click Hosted Zone.
2. Click Create Hosted Zone. In the configuration screen, provide the domain name that you’ll use for Coder (e.g., hello.example.com) and make sure that you’ve selected Public hosted zone. Click Create hosted zone to proceed.
3. When your list of hosted zones refreshes, you’ll see that the new NS record includes multiple values under Value/Route traffic to.
4. Log in to your DNS provider so that you can edit your NS records.
5. Edit your NS record to delegate the zone to AWS by adding each of the values listed under Value/Route traffic to as a name server for your domain (i.e., add ns-X.awsdns-32.net and the other listed servers as the NS records for hello.example.com).
Step 3: Create an IAM User for the ClusterIssuer
To make sure that your ClusterIssuer can change your DNS settings, create the required IAM user.
Below is the policy that needs to be created and attached to the IAM user. It grants only the three Route 53 actions the DNS01 solver needs, and record changes are limited to your hosted zone:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/<your hosted zone id>"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
```
Create an access key for the IAM user.
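Before attaching the policy, it is worth confirming that it stays as narrow as the one above. The following Python script is an added example, not part of the original guide: it audits a policy document for exactly the three Route 53 actions cert-manager needs and flags a ChangeResourceRecordSets grant that is not pinned to a single hosted zone (the zone id Z0EXAMPLE123456 is a constructed placeholder).

```python
# Added example (not from the guide): lint the Route 53 policy above so that
# cert-manager gets only the three actions the dns01 solver needs, with record
# changes scoped to a single hosted zone instead of every zone in the account.
import json
import re

# Each required action and the resource pattern it must be limited to.
ALLOWED = {
    "route53:GetChange": re.compile(r"^arn:aws:route53:::change/\*$"),
    "route53:ChangeResourceRecordSets": re.compile(r"^arn:aws:route53:::hostedzone/[A-Z0-9]+$"),
    "route53:ListHostedZonesByName": re.compile(r"^\*$"),
}


def _as_list(value):
    # IAM accepts a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return a list of findings; an empty list means the policy is acceptably scoped."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            findings.append("unexpected Effect %r" % stmt.get("Effect"))
            continue
        for action in _as_list(stmt.get("Action", [])):
            pattern = ALLOWED.get(action)
            if pattern is None:  # also catches wildcards such as route53:*
                findings.append("action not needed by cert-manager: " + action)
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if not pattern.match(resource):
                    findings.append(action + " is over-broad for resource " + resource)
    return findings


# Constructed sample: the guide's policy with a made-up hosted zone id.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53:GetChange",
     "Resource": "arn:aws:route53:::change/*"},
    {"Effect": "Allow", "Action": "route53:ChangeResourceRecordSets",
     "Resource": "arn:aws:route53:::hostedzone/Z0EXAMPLE123456"},
    {"Effect": "Allow", "Action": "route53:ListHostedZonesByName",
     "Resource": "*"},
]})
```

Run `audit_policy()` on the JSON you are about to attach; any finding means the user could touch more than the one zone cert-manager needs.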
When you create the secret for cert-manager, referenced below as route53-credentials, be sure it is in the cert-manager namespace, since it is used by the cert-manager pod to perform DNS configuration changes:
```shell
kubectl --namespace cert-manager \
  create secret generic route53-credentials \
  --from-literal="secret-access-key=<YOUR-AWS-SECRET-ACCESS-KEY>"
```
Step 4: Create the ACME Issuer
1. Using the text editor of your choice, create a new configuration file called letsencrypt.yaml (you can name it whatever you’d like) that references the IAM user you just created:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: <preferred_name>
spec:
  acme:
    email: <your@mailid>
    preferredChain: ""
    privateKeySecretRef:
      name: <secret's_name>
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        route53:
          accessKeyID: <Your_access_key_ID>
          region: <Region_ID>
          secretAccessKeySecretRef:
            key: secret-access-key
            name: route53-credentials   # the secret created in Step 3
      selector:
        dnsZones:
        - <Your_zone_name>
```
More information on the values in the YAML file above can be found in the dns01 solver configuration documentation.
2. Apply your configuration changes:
```shell
kubectl apply -f letsencrypt.yaml
```
If successful, you’ll see a response similar to
```
clusterissuer.cert-manager.io/letsencrypt created
```
Step 5: Create a certificate
Note: If you are providing an ingress, certificates can be automatically created with an ingress annotation. See the cert-manager docs for details. If you are unsure whether you are using an ingress or not, continue with this step.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <preferred_name>
  namespace: <namespace>
spec:
  commonName: "*.hello.example.com"
  dnsNames:
  - "hello.example.com"
  - "*.hello.example.com"
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-dev-in   # the ClusterIssuer name you chose in Step 4
  secretName: example-com-certs
```
Run the command below:
```shell
kubectl apply -f certificate.yaml
```
To follow progress, tail the logs of your cert-manager pod:
```shell
kubectl logs cert-manager-pod-name -n cert-manager -f
```
Now check the hosted zone in Route 53; you will see that a new challenge record has been created. Once it has been validated, open your domain and confirm that it loads over SSL.
Learn the art of cert-manager installation for smooth Let’s Encrypt certificate issuance. Tackle DNS challenges with AWS Route 53 simplicity. Empower your DevOps workflow by crafting a savvy IAM User for clusterIssuer with spot-on permissions. Level up security and efficiency in just a few steps. AWS and DevOps enthusiasts, it’s time to conquer your cluster’s SSL setup with confidence!