By default, Kublr configures Certmanager to use the Let's Encrypt HTTP01 challenge solver (https://cert-manager.io/docs/configuration/acme/http01/). A default ClusterIssuer named letsencrypt is created automatically when Certmanager is installed.

In some cases the HTTP solver cannot be used (firewall rules on ingress, an HTTPS-only policy, an air-gapped environment, etc.). For those cases Certmanager and Let's Encrypt support the DNS01 challenge solver (https://cert-manager.io/docs/configuration/acme/dns01/).

Prerequisites

Let's Encrypt DNS validation with AWS Route53

  1. Go to AWS Route53 and look up the Hosted Zone ID for your domain
  2. Create a Secret holding the AWS secret access key in the target Kubernetes cluster, in the CertManager namespace (usually kube-system), so that CertManager can update Route53 records:

    $ kubectl create secret -n kube-system generic aws-route-53-access-key --from-literal=secret-access-key='SuperSecretKeyForAWS'

    Alternatively, you can carry this Secret in the Kublr cluster spec (see the specification below) or put the secret in plaintext in the ClusterIssuer


Kublr Cluster Specification Adjustments to Use Let's Encrypt DNS solver

Note that the following spec is not a full cluster specification, it only includes excerpts that have to be added to a full cluster specification in order to set up Let's Encrypt DNS validation.

spec:
...
  packages:
    route-53-issuer:
      releaseName: route-53-issuer
      namespace: kube-system
      helmVersion: 3.2.1
      chart:
        name: raw
        repoUrl: 'https://charts.helm.sh/incubator/packages'
        version: 0.2.5
      values:
        resources:
          - apiVersion: cert-manager.io/v1alpha2
            kind: ClusterIssuer
            metadata:
              name: letsencrypt-route53
            spec:
              acme:
                email: {{ ACME_ACCOUNT_EMAIL }}
                privateKeySecretRef:
                  name: letsencrypt-route53
                server: 'https://acme-v02.api.letsencrypt.org/directory'
                solvers:
                  - dns01:
                      route53:
                        accessKeyID: {{ AWS_ACCESS_KEY_ID }}
                        hostedZoneID: {{ ROUTE_53_HOSTED_ZONE_ID }}
                        region: global
                        secretAccessKeySecretRef:
                          name: aws-route-53-access-key
                          key: secret-access-key
          # Optional: carry the Secret in the cluster spec instead of creating it manually in step 2
          - apiVersion: v1
            kind: Secret
            type: Opaque
            metadata:
              name: aws-route-53-access-key
            data:
              secret-access-key: {{ BASE64_ENCODED_ACCESS_KEY }}

Change default issuer for certmanager:

spec:
...
  features:
    ingress:
      values:
        certmanager:
          ingressShim:
            defaultIssuerName: letsencrypt-route53
...

How to use different cert solvers in the same cluster

You can choose which cert issuer is used for a specific Ingress by adding annotations to it:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-route53
    kubernetes.io/tls-acme: "true"
...


cert-manager.io/cluster-issuer: letsencrypt-route53 # use DNS solver.
cert-manager.io/cluster-issuer: letsencrypt # use HTTP solver.
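To catch the usual mistakes before applying the package spec and the Ingress annotations above (a {{ }} placeholder left unfilled, a Secret value base64-encoded with a trailing newline from `echo`, an issuer that references a Secret which was never created, an Ingress annotation naming a ClusterIssuer that does not exist), here is an added pre-flight checker. It is example code written for this page, not part of Kublr or cert-manager. The resources are given as Python dicts with made-up values (the zone ID, access key ID, e-mail and secret are constructed, not real); yaml.safe_load on the rendered package values would produce the same shapes. The hosted zone ID pattern is an assumed sanity check based on common Route53 IDs, not an authoritative format rule.

```python
import base64
import re

# Constructed sample: the ClusterIssuer and Secret from the package values above,
# with the {{ }} placeholders filled with made-up values (not real credentials).
SAMPLE_RESOURCES = [
    {"apiVersion": "cert-manager.io/v1alpha2", "kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt-route53"},
     "spec": {"acme": {
         "email": "ops@example.com",
         "privateKeySecretRef": {"name": "letsencrypt-route53"},
         "server": "https://acme-v02.api.letsencrypt.org/directory",
         "solvers": [{"dns01": {"route53": {
             "accessKeyID": "AKIAEXAMPLEKEY000001",      # constructed
             "hostedZoneID": "Z3M3LMPEXAMPLE",          # constructed
             "region": "global",
             "secretAccessKeySecretRef": {"name": "aws-route-53-access-key",
                                          "key": "secret-access-key"}}}}]}}},
    {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
     "metadata": {"name": "aws-route-53-access-key"},
     "data": {"secret-access-key": base64.b64encode(b"SuperSecretKeyForAWS").decode()}},
]
SAMPLE_INGRESS = {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
                  "metadata": {"name": "web", "annotations": {
                      "cert-manager.io/cluster-issuer": "letsencrypt-route53",
                      "kubernetes.io/tls-acme": "true"}}}

DEFAULT_ISSUERS = {"letsencrypt"}  # created by Kublr when Certmanager is installed
PLACEHOLDER = re.compile(r"\{\{.*?\}\}")
# Assumed sanity check: Route53 zone IDs are upper-case alphanumerics starting with Z.
HOSTED_ZONE_ID = re.compile(r"^Z[A-Z0-9]{8,31}$")


def _unfilled(value):
    """True when a value is missing, empty, or still a {{ }} template placeholder."""
    return not isinstance(value, str) or not value or bool(PLACEHOLDER.search(value))


def check_secret(secret):
    """Problems in a Secret manifest: non-base64 data, or values that kept a
    leading/trailing newline (the classic `echo value | base64` mistake)."""
    problems = []
    name = secret.get("metadata", {}).get("name", "<unnamed>")
    for key, encoded in secret.get("data", {}).items():
        try:
            decoded = base64.b64decode(encoded, validate=True)
        except (ValueError, TypeError):
            problems.append(f"secret {name}: key {key} is not valid base64")
            continue
        if decoded != decoded.strip():
            problems.append(f"secret {name}: key {key} has leading/trailing whitespace or newline")
    return problems


def check_issuer(issuer, secrets, precreated=()):
    """Problems in one ClusterIssuer's ACME/Route53 config. `secrets` maps name ->
    manifest for Secrets carried in the package; `precreated` names Secrets made by hand."""
    problems = []
    name = issuer.get("metadata", {}).get("name", "<unnamed>")
    acme = issuer.get("spec", {}).get("acme", {})
    if _unfilled(acme.get("email")):
        problems.append(f"issuer {name}: acme.email is missing or still a placeholder")
    r53s = [s["dns01"]["route53"] for s in acme.get("solvers", []) if "route53" in s.get("dns01", {})]
    if not r53s:
        problems.append(f"issuer {name}: no dns01.route53 solver configured")
    for r53 in r53s:
        if _unfilled(r53.get("accessKeyID")):
            problems.append(f"issuer {name}: accessKeyID is missing or still a placeholder")
        zone = r53.get("hostedZoneID")
        if _unfilled(zone) or not HOSTED_ZONE_ID.match(zone):
            problems.append(f"issuer {name}: hostedZoneID {zone!r} is unfilled or malformed")
        ref = r53.get("secretAccessKeySecretRef", {})
        ref_name, ref_key = ref.get("name"), ref.get("key")
        if not ref_name or not ref_key:
            problems.append(f"issuer {name}: secretAccessKeySecretRef needs both name and key")
        elif ref_name in secrets:
            if ref_key not in secrets[ref_name].get("data", {}):
                problems.append(f"issuer {name}: Secret {ref_name} has no key {ref_key}")
        elif ref_name not in precreated:
            problems.append(f"issuer {name}: Secret {ref_name} is neither in the package nor pre-created")
    return problems


def check_ingress(ingress, known_issuers):
    """The cert-manager.io/cluster-issuer annotation must name an existing ClusterIssuer."""
    meta = ingress.get("metadata", {})
    wanted = meta.get("annotations", {}).get("cert-manager.io/cluster-issuer")
    if wanted is None:
        return []  # no annotation: ingress-shim falls back to the default issuer
    if wanted not in known_issuers:
        return [f"ingress {meta.get('name', '<unnamed>')}: cluster-issuer {wanted!r} is not a known ClusterIssuer"]
    return []


def validate(resources, ingresses=(), precreated_secrets=()):
    """Run every check over the package resources and Ingresses; returns problems found."""
    secrets = {r["metadata"]["name"]: r for r in resources if r.get("kind") == "Secret"}
    issuers = [r for r in resources if r.get("kind") == "ClusterIssuer"]
    problems = []
    for s in secrets.values():
        problems += check_secret(s)
    for i in issuers:
        problems += check_issuer(i, secrets, precreated_secrets)
    known = DEFAULT_ISSUERS | {i["metadata"]["name"] for i in issuers}
    for ing in ingresses:
        problems += check_ingress(ing, known)
    return problems


if __name__ == "__main__":
    for line in validate(SAMPLE_RESOURCES, [SAMPLE_INGRESS]) or ["OK: no problems found"]:
        print(line)
```

If you create the Secret by hand in step 2 and leave it out of the package values, pass its name in `precreated_secrets` so the issuer check does not report it as missing; an issuer that references a Secret present in neither place is exactly the case where cert-manager's Route53 solver will fail at challenge time.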