How Do I configure Okteto with cert-manager and AWS Route53?

How Do I?
2

The recommended solution is to use IAM Roles for service accounts.

In order to do that, configure a role with the following policy permissions:

  {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:GetChange",
            "Resource": "arn:aws:route53:::change/*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/*"
        }
    ]
}

Create an AWS IAM Role for the cert-manager service account. Replace the variables below with your own information.

eksctl create iamserviceaccount \
  --cluster $CLUSTER_NAME \
  --region $REGION \
  --name cert-manager \
  --namespace $RELEASE_NAMESPACE \
  --attach-policy-arn $POLICY_ARN \
  --role-name ${YOUR_ROLE_NAME} \
  --role-only \
  --approve

and add these options to your cert-manager Helm configuration file:

  extraArgs: [--issuer-ambient-credentials=true]
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: 'arn:aws:iam::<<aws-account-id>>:role/<<your-role-name>>'

Once your cert-manager is configured this way, create the following Issuer in the okteto namespace:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: okteto-letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email:  "<<your-email>>"
    privateKeySecretRef:
      name: okteto-letsencrypt-acme
    solvers:
    - http01:
        ingress:
          serviceType: ClusterIP
          class: nginx
    - dns01:
        route53:            
          region: "<<your-cluster-region>>"

and the following Certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
 name: okteto-letsencrypt
spec:
 secretName: okteto-letsencrypt
 duration: 8760h0m0s
 renewBefore: 600h0m0s # 25d
 issuerRef:
   name: okteto-letsencrypt
   kind: Issuer
 dnsNames:
   - "*.<<your-okteto-subdomain>>"

Now, add the following to your Okteto Helm configuration file to tell Okteto and NGINX to use your certificate:

wildcardCertificate:
  create: false
  name: okteto-letsencrypt

ingress-nginx:
  controller:
    extraArgs:
      default-ssl-certificate: $(POD_NAMESPACE)/okteto-letsencrypt

Finally, upgrade your Okteto installation for the new configuration to be applied.

For troubleshooting, you can check the cert manager logs, and the events associated to the resources Challenge, Order and CertificateRequest.

1 Like