Cert Manager in Kubernetes with external DNS provider

Dipto Chakrabarty
4 min read · Sep 2, 2021

Kubernetes is an open source platform for managing containerised applications. It helps us deploy, scale and manage multiple containerised applications easily.

In this post we are going to see how to add SSL certificates to an ingress provisioned in Kubernetes, using cert-manager together with an external DNS provider and a cluster running in AWS.

Pre-Requisites

To follow along you will need

  • A Kubernetes cluster
  • Permissions to create namespaces and resources, and to delete and modify them
  • If you are using a cloud provider you will need IAM role permissions to create load balancers
  • The AWS CLI has to be configured

I am using a Kubernetes cluster created by kops in AWS; currently the IAM user I configured kops with has the following permissions:

  • Full VPC access
  • Full S3 access
  • Full EC2 access

We need to add load balancer permissions for the kops node role (the IAM role kops assigns to the worker nodes), using the IAM user you have configured kops with.

First create an IAM policy which grants permissions to create load balancers, destroy them, etc. The official AWS Load Balancer Controller documentation provides a ready-made JSON policy document for that.

  • Download the JSON into your preferred directory

curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.2.0/docs/install/iam_policy.json

  • Next create the policy using the AWS CLI (the flags are --policy-name and --policy-document; Medium tends to strip the leading dashes)

aws iam create-policy --policy-name ALBIngressControllerIAMPolicy --policy-document file://iam_policy.json

  • The output contains the policy ARN, which we need to attach to the role that kops gave our worker nodes.
  • If the name of your cluster is dev.example.k8s.local, the IAM role assigned by kops to its nodes will be named nodes.dev.example.k8s.local.
  • Attach the ARN of the custom policy to that role (the flags are --policy-arn and --role-name)

aws iam attach-role-policy --policy-arn arn:aws:iam::700236730376:policy/ALBIngressControllerIAMPolicy --role-name nodes.dev.example.k8s.local

This gives the nodes the permissions they need so that an ingress controller can provision a load balancer for our cluster.

Add Ingress Controller for AWS

In your cluster run the following command to install the ingress controller

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.35.0/deploy/static/provider/aws/deploy.yaml

This will create a new namespace called ingress-nginx in your cluster.

To view the pods in your ingress-nginx namespace run the following command

kubectl get pods -n ingress-nginx

The ingress controller also creates a LoadBalancer service, which it uses to route traffic into the cluster; you can see its hostname by listing the services in the ingress-nginx namespace (kubectl get svc -n ingress-nginx).

LoadBalancer CNAME provided

The load balancer can also be viewed in the AWS console.

Now our ingress controller is ready. Next we have to add cert-manager and create certificates.

Add Cert Manager

To add cert-manager we use its Helm chart, which installs everything cert-manager needs (controller, webhook, CA injector and, optionally, the CRDs) in the cluster.

First create a namespace

kubectl create namespace cert-manager

Add the Helm repo to your local Helm configuration and update it

helm repo add jetstack https://charts.jetstack.io
helm repo update

The jetstack repo is the one that hosts the cert-manager chart

Next install the chart

helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.3.0 \
--set installCRDs=true

Pods created in the namespace

Now we have to create an Issuer, which will handle obtaining the required certificates and creating the secrets for our ingress.

This creates certificates using the Let's Encrypt staging server

To issue certificates we are using Let's Encrypt, which performs an ACME challenge to verify that we actually control the domain names in the certificate request before issuing anything.

In the image above we are using the Let's Encrypt staging server to issue certificates; staging certificates are not trusted by browsers, so once the flow works, switch to the production server by using the commented server line below it. Keep staging for testing, because the production server has strict rate limits.

Issuer created

To get SSL on our ingress we have to reference this Issuer in our Ingress resources.

Creating Ingress for our Services

Once we have created our Deployment and Service we can set up our Ingress.

The Issuer is referenced using the annotation cert-manager.io/issuer.

We add a tls block with our desired host name and the name of a certificate secret; cert-manager creates that secret on its own, so it must not be created by hand.
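As an added example (not code from the original post or its linked repository), here are the two manifests the post describes written out: the Issuer pointed at the Let's Encrypt staging server with the production server commented out, and an Ingress that references it through the cert-manager.io/issuer annotation and a tls block. The names letsencrypt-staging, app.example.com, the Service name app and the contact email are assumptions, and the Ingress apiVersion assumes Kubernetes 1.19 or newer.

```yaml
# Issuer: ACME account with Let's Encrypt. Staging is used first, as in the post;
# switch to the commented production server only after the staging flow works,
# because staging certificates are not browser-trusted and production is rate-limited.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging          # assumed name; the Ingress annotation must match it
  namespace: default                 # an Issuer is namespaced; keep it with the Ingress
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # server: https://acme-v02.api.letsencrypt.org/directory   # production server
    email: admin@example.com         # placeholder; expiry notices are sent here
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx             # solver ingresses go through the ingress-nginx controller
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/issuer: letsencrypt-staging   # same name and namespace as the Issuer above
spec:
  tls:
    - hosts:
        - app.example.com            # the subdomain whose CNAME points at the load balancer
      secretName: app-example-com-tls   # created and renewed by cert-manager; do not pre-create
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app            # assumed Service name from your Deployment
                port:
                  number: 80
```

After applying both, watch issuance with kubectl get certificate,certificaterequest,order -n default; the Certificate only reports Ready once the HTTP-01 challenge has succeeded, which requires the CNAME from the next step to resolve to the ingress load balancer.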

As the last step, to get it up and running add your ingress load balancer hostname as a CNAME record at your domain provider (GoDaddy, IONOS, etc.).

Make sure to add the CNAME under the subdomain you want. In this case, the app subdomain of example.com has a CNAME pointing to the load balancer hostname we obtained after setting up the ingress controller.

This will add SSL to your site; you can change the site later by modifying both the CNAME at the domain provider and the Ingress.

To view the YAML files, some more instructions and cool hacks, check the resources in the repository: CLICK HERE FOR RESOURCES


Dipto Chakrabarty

Site Reliability Engineer. I talk about DevOps, Backend and AI. Tech Doctor making sure to diagnose and make your apps run smoothly in production.