Using Cert-manager + rout53 With Kiam

10 Sep, 2020 #Kiam #Cert-Manager #K8s

As described here: https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role, First you need to create a role, for example `dns-manager`.

 1{
 2  "Version": "2012-10-17",
 3  "Statement": [
 4    {
 5      "Effect": "Allow",
 6      "Action": "route53:GetChange",
 7      "Resource": "arn:aws:route53:::change/*"
 8    },
 9    {
10      "Effect": "Allow",
11      "Action": [
12        "route53:ChangeResourceRecordSets",
13        "route53:ListResourceRecordSets"
14      ],
15      "Resource": "arn:aws:route53:::hostedzone/*"
16    },
17    {
18      "Effect": "Allow",
19      "Action": "route53:ListHostedZonesByName",
20      "Resource": "*"
21    }
22  ]
23}

You can replace the * in arn:aws:route53:::hostedzone/* with a specific zone id.

Use cert-manager with out kiam

If you didn't use kiam, you just need to allow the instance(role) to assume this role. Attach this policy to the instance role

 1{
 2  "Version": "2012-10-17",
 3  "Statement": [
 4    {
 5      "Action": "sts:AssumeRole",
 6      "Principal": {
 7        "AWS": <role-arn>
 8      },
 9      "Effect": "Allow"
10    }
11  ]
12}

Replace the <role-arn> to the instance role.

And then define a ClusterIssuer , and tell the issuer to assume this role to manage the zone.

 1apiVersion: cert-manager.io/v1
 2kind: ClusterIssuer
 3metadata:
 4  name: letsencrypt-prod
 5spec:
 6  acme:
 7    .... other options
 8    - selector:
 9        dnsZones:
10          - "example.com"
11      dns01:
12        route53:
13          region: us-east-1
14          hostedZoneID: DIKER8JEXAMPLE # optional, see policy above
15          role: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager

Use cert-manager with kiam

You need to get kiam work first. And then We need to allow kiam server to assume the dns-manager role. Attach this policy to kiam server role.

 1{
 2  "Version": "2012-10-17",
 3  "Statement": [
 4    {
 5      "Action": "sts:AssumeRole",
 6      "Principal": {
 7        "AWS": <role-arn>
 8      },
 9      "Effect": "Allow"
10    }
11  ]
12}

Replace the <role-arn> to kiam server role arn.

Define a ClusterIssuer , this time we didn't need to assume the role to get it work.

 1apiVersion: cert-manager.io/v1
 2kind: ClusterIssuer
 3metadata:
 4  name: letsencrypt-prod
 5spec:
 6  acme:
 7    .... other options
 8    - selector:
 9        dnsZones:
10          - "example.com"
11      dns01:
12        route53:
13          region: us-east-1
14          hostedZoneID: DIKER8JEXAMPLE # optional, see policy above

But we need to add an annotation to cert-manager pod.

1iam.amazonaws.com/role: <role-arn>

Replace the <role-arn> to the role arn of dns-manager .