How to launch nginx-ingress and cert-manager 0.6.2 in Kubernetes using AWS DNS Route53 Validation

Pablo Loschi
May 31, 2018 · 5 min read

At my job (in Fravega) we have been struggling for some days dealing with certificates. It turns out that we didn’t find an updated guide for this, so we decided to write our own.

This post follows this guide, with the changes required for DNS validation (needed for private ingress!) and for cert-manager v0.6.2.

This guide assumes that you have a working K8s cluster with external-dns and nginx-ingress-controller installed. The steps are:

  1. Install helm
  2. Install cert manager
  3. Create a user in AWS with route53 permissions
  4. Create Staging ClusterIssuer with DNS validation
  5. Create Certificate
  6. Create a test Ingress

Install helm

Helm is a package manager for Kubernetes. It allows you to install packages of pre-configured Kubernetes resources and publish them as charts.

If you have already installed and set up kubectl to access your cluster, you can easily install helm by following these instructions.

Install Cert Manager

The component which is responsible for obtaining and renewing certificates is cert-manager.

Its helm chart is not yet in a stable repo, so I recommend launching it from GitHub:

Using cert-manager we set up a ClusterIssuer so that we can obtain TLS certificates.

The Certificate entity keeps information used to verify certificates for the current ClusterIssuer (Certificate Authority).
cert-manager communicates via the ClusterIssuer (i.e. with Let’s Encrypt) to obtain a certificate and then creates a Secret in K8s containing the generated certificate. These certificates will be used by the Ingress.

Create a user in AWS with route53 permissions

Cert-manager requires the following IAM policy.

Create Staging ClusterIssuer with DNS validation

Let’s Encrypt has two environments: staging and production. The staging environment issues certificates signed by ‘fake’ CAs and has extended rate limits, so to ensure that everything works fine (and allow for some failures), I recommend using the Let’s Encrypt staging API at first.

The difference between plain Issuers and ClusterIssuers is that the latter are created at the cluster level, not the namespace level.

Create a file letsencrypt-staging-dns.yaml with the following data:

Create a text file with the secret-access-key and generate the secret:

kubectl create secret generic acme-route53 -n=kube-system --from-file=secret-access-key

Now run kubectl create -f letsencrypt-staging-dns.yaml, to create the ClusterIssuer.

You can verify that it’s created using kubectl get clusterissuers

You can also use describe instead of get to display more info and actual status.
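
The manifest embedded in the original post is not reproduced on this page, so the following is an added example and not the author's file: a staging ClusterIssuer in the cert-manager v0.6.x schema, wired to the acme-route53 Secret created above. The email, region, access key ID, account-key Secret name and provider name are placeholders or assumptions.

```yaml
# Added example (not from the original post): staging ClusterIssuer using
# Route53 DNS-01 validation, cert-manager v0.6.x API group.
# Quoted values in <angle brackets> are placeholders to replace.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-dns          # name used throughout this guide
spec:
  acme:
    # Let's Encrypt staging ACME v2 directory
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: "<you@example.com>"
    # Secret where cert-manager stores the ACME account private key
    # (the Secret name here is an assumption)
    privateKeySecretRef:
      name: letsencrypt-staging-dns-account-key
    dns01:
      providers:
        # Provider name is an assumption; Certificates reference it
        # in their acme.config dns01 section.
        - name: route53
          route53:
            region: "<aws-region>"
            # Access key ID of the IAM user with Route53 permissions.
            # Only the secret access key is kept in a Kubernetes Secret.
            accessKeyID: "<AWS_ACCESS_KEY_ID>"
            secretAccessKeySecretRef:
              # Secret created with:
              #   kubectl create secret generic acme-route53 -n=kube-system \
              #     --from-file=secret-access-key
              # For a ClusterIssuer, cert-manager reads this Secret from its
              # cluster resource namespace (kube-system in this guide).
              name: acme-route53
              # --from-file uses the file name as the key inside the Secret
              key: secret-access-key
```

If the text file holding the secret access key ends with a newline, that newline becomes part of the Secret value, so write the file without one.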

Create Certificate

Create a file with the following data:

Create a test Ingress

Launch nginx in the default namespace and create a service for it.

Run kubectl run nginx --image nginx
and kubectl expose deploy nginx --port 80

You’ve just launched a pod with nginx in the default namespace with a service called nginx.

Create ingress.yaml

Run kubectl create -f ingress.yaml - we’ve just created the Ingress.
The certificate should be ready in about 30 seconds.

Now all traffic goes through HTTPS, and we’ve got certificates from Let’s Encrypt.

Move to Production

You will only need to change Letsencrypt endpoint from : to

Then change the name of the ClusterIssuer from:

letsencrypt-staging-dns to letsencrypt-production-dns

You can verify the cert using curl -v

That’s all :)

[OPTIONAL] Looking at the logs

You can use some tool like kubetail to get the logs and see what’s happening!

kubetail cert-manager -n cert-manager

So, that’s it. I hope you find it useful and the steps are easy to follow. Please comment and/or ask questions if I missed something — I’d love to get your feedback.
