Ingredients
For this recipe we will need:
- A VPS instance or other server, preferably with at least 1 GB of RAM
- An AWS Route 53 DNS zone
- A Kubernetes cluster, in our case k3s
- cert-manager
Steps
First get a server :smile: Scaleway, Amazon Lightsail, DigitalOcean and Vultr are among the popular and affordable choices. You can get a decent VPS for as little as about $6/mo (at the time of writing) that will easily get the job done.
Choose your favorite distro. This exercise was done on Ubuntu 18.04, but other distros will work fine too. Pick your favorite one and install the k3s server.
Head over to k3s.io and follow the recommended method to install a single-node k3s directly on your host. The installer is a script piped straight into `sh`, so if you would rather see what is about to run as root, download it first and read it; you can also pin a release with the installer's `INSTALL_K3S_VERSION` variable instead of taking whatever is current.

```bash
curl -sfL https://get.k3s.io | sh -

# Check for a Ready node; this takes maybe 30 seconds
k3s kubectl get node
```
Since k3s comes with the Traefik ingress controller baked in, you can go ahead and create an Ingress for your domain right away. This example from the documentation will get you started. Two things to keep in mind: the `extensions/v1beta1` Ingress API used in the original example was removed in Kubernetes 1.22, so the manifest below uses `networking.k8s.io/v1` (the `selector` must match the labels of your Traefik pods); and it publishes the Traefik dashboard on a public host with no authentication, so treat it as a smoke test and replace it with your own service afterwards.

traefik UI service & ingress

```yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: traefik-ui.minikube
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: traefik-web-ui
            port:
              name: web
```
Create your DNS record sets on AWS Route 53 to match your domain and the static IP of your server. While you are there, note your `AWS_HOSTED_ZONE_ID`.

In the AWS IAM console create a dedicated user for cert-manager. Do not give it administrator access: the only permissions the DNS01 solver needs are `route53:GetChange`, `route53:ChangeResourceRecordSets` (scoped to your hosted zone) and `route53:ListHostedZonesByName`, which is also what the cert-manager documentation recommends. The access key ends up stored in your cluster, so anything more than that becomes a full account compromise the moment the cluster is. Note the `AWS_ACCESS_KEY_ID` and the `AWS_SECRET_ACCESS_KEY` of the user you created.

Deploy cert-manager on your cluster and configure the DNS01 challenge (recommended) with the Route 53 solver.
You should end up with an `Issuer` YAML file like this. Note that `dns01` belongs to the same solver entry as its `selector`, not to a second list item. Apply and enjoy :tada:
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  ...
spec:
  acme:
    ...
    solvers:
    - selector:
        dnsZones:
        - 'example.com'
      dns01:
        # Valid values are None and Follow
        cnameStrategy: Follow
        route53:
          region: eu-central-1
          accessKeyID: <Access ID for less-privileged.example.org here>
          hostedZoneID: <Zone ID for less-privileged.example.org here>
          secretAccessKeySecretRef:
            ...
```