Cert Manager in Kubernetes with external DNS provider
Kubernetes is an open source platform for managing containerised applications. It helps us deploy, scale and manage multiple containerised applications easily.
In this post we are going to learn how to add SSL certificates to an ingress provisioned in our Kubernetes cluster, using an external DNS provider, with the cluster running in AWS.
Pre-Requisites
To follow along you will need:
- A Kubernetes cluster
- Permissions to create, modify and delete namespaces and resources
- If you are using a cloud provider, IAM role permissions to create load balancers
- The AWS CLI configured
I am using a Kubernetes cluster created by kops in AWS; currently I have the following rules:
- Full VPC access
- Full S3 access
- Full EC2 access
We need to add ALB load balancer permissions to the kops user role (the IAM user you have configured kops with).
First create an IAM policy that grants permissions to create and destroy load balancers; the official AWS documentation provides a JSON file for exactly that.
- Download the json in your preferred directory
curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.2.0/docs/install/iam_policy.json
- Next create the policy using the AWS CLI (the flags need the double-dash prefix):
aws iam create-policy --policy-name ALBIngressControllerIAMPolicy --policy-document file://iam_policy.json
- The output contains an ARN, which we need to attach to the role kops assigned to our worker nodes.
- If the name of your cluster is dev.example.k8s.local, the IAM role kops assigned to its nodes will be named nodes.dev.example.k8s.local.
- Attach the ARN of the custom policy to that role:
aws iam attach-role-policy --policy-arn arn:aws:iam::700236730376:policy/ALBIngressControllerIAMPolicy --role-name nodes.dev.example.k8s.local
This gives the worker nodes the permissions they need to create load balancers for ingress in our cluster.
Add Ingress Controller for AWS
In your cluster run the following command to install the ingress controller:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.35.0/deploy/static/provider/aws/deploy.yaml
This will create a new namespace, ingress-nginx, in your cluster.
To view the pods in the ingress-nginx namespace run the following command:
kubectl get pods -n ingress-nginx
The ingress controller also creates a load balancer, which it uses to route traffic; you can see it by listing the services in the ingress-nginx namespace.
The load balancer can also be viewed in the AWS console.
Now that our ingress controller is ready, we have to add cert-manager and create certificates.
Add Cert Manager
To add cert-manager we use its Helm chart, which takes care of setting up everything cert-manager needs in the cluster.
First create a namespace:
kubectl create namespace cert-manager
Add the Helm repo and update it:
helm repo add jetstack https://charts.jetstack.io
helm repo update
Next install the chart:
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.3.0 \
--set installCRDs=true
Now we have to create an Issuer, which will handle creating the required certificates and secrets for our ingress.
To issue certificates we are using Let's Encrypt, which performs an ACME challenge to verify that we control the domain we request a certificate for.
The Issuer uses the Let's Encrypt staging server, whose certificates are not trusted by browsers; to issue real certificates, switch to the production server line (commented out in the manifest).
To get SSL on our ingress we have to reference this Issuer in our ingress resources.
Creating Ingress for our Services
Once we have created our Deployment and Service we can set up our Ingress.
The Issuer is referenced using the annotation cert-manager.io/issuer.
We add a tls block with the name of our desired host and the name of a certificate secret, which cert-manager creates on its own.
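As an added example (not the original post's manifests, which were only shown as images), here is an Issuer for the Let's Encrypt staging server together with an Ingress that references it, covering both the Issuer step above and the Ingress step. It assumes the application Service is called app on port 80 in the default namespace, that the host is app.example.com, that the cluster serves the networking.k8s.io/v1 Ingress API (Kubernetes 1.19 or later), and that the ingress-nginx controller installed earlier uses the ingress class nginx; the e-mail address is a placeholder.

```yaml
# Added example, not from the original post. Assumptions: Service "app" on port 80
# in namespace "default", host app.example.com, ingress class "nginx".
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default          # an Issuer is namespaced; use ClusterIssuer for all namespaces
spec:
  acme:
    # Staging server: high rate limits, but certificates are NOT browser-trusted.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Production server (uncomment once the staging flow works end to end):
    # server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com  # placeholder; Let's Encrypt sends expiry notices here
    privateKeySecretRef:
      # cert-manager stores the ACME account private key in this Secret;
      # restrict RBAC access to it like any other credential.
      name: letsencrypt-staging-account-key
    solvers:
      - http01:
          ingress:
            class: nginx      # the challenge is served through the ingress-nginx controller
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: default          # must match the Issuer's namespace
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/issuer: letsencrypt-staging   # tells cert-manager which Issuer to use
spec:
  tls:
    - hosts:
        - app.example.com
      # cert-manager creates this Secret (type kubernetes.io/tls) once the
      # ACME challenge succeeds; the controller then terminates TLS with it.
      secretName: app-example-com-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 80
```

Apply it with kubectl apply -f and then watch the Certificate and its challenge with kubectl describe certificate app-example-com-tls and kubectl get challenges; the HTTP-01 challenge only succeeds after the CNAME described below points the host at the load balancer, so an order that stays Pending is usually a DNS problem rather than a cert-manager one.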
As the last step, to get it up and running, add your ingress load balancer's DNS name as a CNAME record at your domain provider (GoDaddy, IONOS, etc.).
Make sure to add the CNAME under the subdomain you want; in this case the app subdomain of example.com points to the load balancer host name we obtained after setting up the ingress controller.
This will add SSL to your site, which you can later change by updating both the CNAME at your domain provider and the Ingress resource.
To view the YAML files, further instructions and some useful tricks, check the resources in the linked repository.