This guide will show you how to install cert-manager v1.4.0 and set up your cluster to issue Let's Encrypt certificates for your Coder installation so that you can enable HTTPS on your Coder deployment. It will also show you how to configure your Coder hostname and dev URLs.
We recommend reviewing the official cert-manager documentation if you encounter any issues or if you want info on using a different certificate issuer.
You must have:
You should also:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.yaml
Check that cert-manager installs correctly by running
kubectl get CustomResourceDefinition | grep cert-manager
You should see the cert-manager CRDs: certificates, certificaterequests, challenges, clusterissuers, issuers, and orders (challenges and orders live in the acme.cert-manager.io API group, the rest in cert-manager.io).
Next, check that your services are running in the cert-manager namespace:
kubectl get all -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-7cd5cdf774-vb2pr              1/1     Running   0          84s
cert-manager-cainjector-6546bf7765-ssxhf   1/1     Running   0          84s
cert-manager-webhook-7f68b65458-zvzn9      1/1     Running   0          84s
Because Coder generates dev URL hostnames dynamically under a wildcard domain, you need a wildcard certificate, and Let's Encrypt issues wildcard certificates only through the DNS01 challenge, in which cert-manager proves control of the zone by creating TXT records in it. The following steps show how to use Route 53 for DNS01 challenges.
If your domain name is managed by Route 53, the hosted zone will already exist so skip to step 3.
Log in to AWS Route 53. On the Dashboard, click Hosted Zone.
Click Create Hosted Zone. In the configuration screen, provide the Domain name that you'll use for Coder (e.g., ) and make sure that you've selected Public hosted zone. Click Create hosted zone to proceed.
When your list of hosted zones refreshes, you'll see that the NS record of your new zone lists multiple name servers under Value/Route traffic to.
Log in to the DNS provider that currently serves the parent domain so that you can edit your NS records.
Edit your NS record to delegate the zone to AWS by adding each of the values under Value/Route traffic to to your domain name (i.e., delegate
To make sure that your ClusterIssuer can change your DNS settings, create the required IAM role with only the Route 53 permissions cert-manager's DNS01 solver needs, scoped to the hosted zone you just created rather than to all of Route 53: these credentials can rewrite any record in the zones they are allowed to touch, so keep them to the one zone.
When you create the secret for cert-manager, referenced below as route53-credentials, be sure it is in the cert-manager namespace: a ClusterIssuer only reads secrets from cert-manager's own namespace, and the cert-manager pod uses this one to perform DNS configuration changes.
Using the text editor of your choice, create a new file letsencrypt.yaml (you can name it whatever you'd like) that references the access key of your newly created IAM identity and the secret holding its secret key:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: [email protected]
    preferredChain: ""
    privateKeySecretRef:
      name: example-issuer-account-key
    # while testing, point this at https://acme-staging-v02.api.letsencrypt.org/directory
    # to avoid hitting production rate limits with failed issuances
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          route53:
            accessKeyID: your-access-key-ID # access key ID of the IAM identity created above (not secret)
            region: your-region
            secretAccessKeySecretRef: # Secret in the cert-manager namespace holding the secret access key
              key: secret-access-key
              name: route53-credentials
        selector:
          dnsZones:
            - yourDomain.com
More information on the values in the YAML file above can be found in the dns01 solver configuration documentation.
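The IAM policy and the Secret are the two pieces the page leaves to you, and they are the ones most often done too broadly. The following shell script is an added example of my own, not code from the Coder or cert-manager docs: it emits an IAM policy restricted to a single hosted zone (the permission set cert-manager's Route 53 solver needs, with the two calls that cannot be zone-scoped left broad), and the Secret manifest whose name, key and namespace match the secretAccessKeySecretRef in the ClusterIssuer above. The hosted zone ID, the policy name and the APPLY guard are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Coder or cert-manager docs): least-privilege IAM
# policy for cert-manager's Route 53 DNS01 solver, plus the Secret the
# ClusterIssuer on this page references. HOSTED_ZONE_ID, the policy name and
# the APPLY guard are assumptions for illustration.

# Print an IAM policy that can only create/delete records in one hosted zone.
# GetChange is needed to poll propagation and ListHostedZonesByName to find the
# zone; neither can be scoped to a zone ARN, so they stay broad.
route53_dns01_policy() {
  zone_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/${zone_id}"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
EOF
}

# Print the Secret in the cert-manager namespace. The name and key match the
# secretAccessKeySecretRef in the ClusterIssuer; stringData lets kubectl do the
# base64 encoding so the key never has to be pasted pre-encoded.
route53_secret_manifest() {
  secret_access_key="$1"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: route53-credentials
  namespace: cert-manager
type: Opaque
stringData:
  secret-access-key: ${secret_access_key}
EOF
}

# Wiring, run only when APPLY=1 so the functions can be inspected offline:
#   APPLY=1 HOSTED_ZONE_ID=Z0123456789ABCDEFGHIJ AWS_SECRET_ACCESS_KEY=... sh route53-setup.sh
if [ "${APPLY:-0}" = "1" ]; then
  aws iam create-policy --policy-name cert-manager-route53-dns01 \
    --policy-document "$(route53_dns01_policy "$HOSTED_ZONE_ID")"
  # Attach the returned policy ARN to the IAM user whose access key ID goes in
  # the ClusterIssuer (aws iam attach-user-policy), then store that user's
  # secret key in the cluster:
  route53_secret_manifest "$AWS_SECRET_ACCESS_KEY" | kubectl apply -f -
fi
```

Even with this scoping, whoever can read secrets in the cert-manager namespace can rewrite every record in the zone, including the A records you create for coder.exampleCo.com later in this guide, so restrict RBAC on that namespace as you would for any credential that can redirect your production hostname.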
Apply your configuration changes
kubectl apply -f letsencrypt.yaml
If successful, you'll see a response similar to
At this point, you're ready to install Coder.
However, to use all of the functionality you set up in this tutorial, use the following helm install command instead of the one in the installation guide:
helm install coder coder/coder --namespace coder \
  --version=<CODER_VERSION> \
  --set devurls.host="*.coder.exampleCo.com" \
  --set ingress.host="coder.exampleCo.com" \
  --set ingress.tls.enable=true \
  --set ingress.tls.devurlsHostSecretName=coder-devurls-cert \
  --set ingress.tls.hostSecretName=coder-root-cert \
  --set ingress.annotations."cert-manager\.io/cluster-issuer"="letsencrypt" \
  --wait
devurlsHostSecretName are arbitrary strings that you should set to some value that does not conflict with any other secrets in the
There are also a few additional steps to make sure that your hostname and dev URLs work.
Check the contents of your namespace:
kubectl get all -n <your_namespace> -o wide
Find the service/ingress-nginx line and copy its external IP value.
Return to Route53 and go to Hosted Zone.
Create a new record for your hostname; provide coder as the record name and paste the external IP as the
Create another record for your dev URLs: set it to
similar and use the same external IP as the previous step for
At this point, you can return to step 6 of the installation guide to obtain the admin credentials you need to log in. If you are not getting a valid certificate after redeploying, see cert-manager's troubleshooting guide for additional assistance.
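A wildcard name covers exactly one label (RFC 6125), so *.coder.exampleCo.com covers abc.coder.exampleCo.com but neither coder.exampleCo.com itself nor a.b.coder.exampleCo.com; that is why ingress.tls.hostSecretName and ingress.tls.devurlsHostSecretName hold two different certificates, and why a certificate that "looks right" can still fail for one of the two hostnames. The following shell script is an added example of my own, not code from the Coder docs: it implements that matching rule and, when given a live host, pulls the DNS SANs the ingress actually serves to confirm that both the root hostname and a dev URL are covered after the records above are in place. The CHECK_HOST/DEVURL_HOST variables and the use of openssl s_client are assumptions about how you run it.

```shell
#!/bin/sh
# Added example (not from the Coder docs): check that the certificates served
# for the Coder hostname and a dev URL actually cover those names.

# san_matches SAN HOST -> 0 if SAN covers HOST. Both are lower-cased (DNS is
# case-insensitive); a SAN is either an exact match, or "*.<suffix>" where the
# wildcard stands for exactly one non-empty leftmost label.
san_matches() {
  _san=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  _host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$_san" in
    \*.*)
      _suffix="${_san#\*.}"
      _label="${_host%%.*}"
      # host must be <label>.<suffix> with a non-empty label that is not the whole host
      [ "${_host#*.}" = "$_suffix" ] && [ -n "$_label" ] && [ "$_label" != "$_host" ]
      ;;
    *)
      [ "$_san" = "$_host" ]
      ;;
  esac
}

# cert_covers HOST SAN... -> 0 if any of the SANs covers HOST.
cert_covers() {
  _target="$1"; shift
  for _s in "$@"; do
    san_matches "$_s" "$_target" && return 0
  done
  return 1
}

# served_sans HOST -> the DNS SANs presented on HOST:443 with SNI=HOST, one per
# line. Needs network access and OpenSSL 1.1.1 or newer (for x509 -ext).
served_sans() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Live check, only when CHECK_HOST is set, e.g.:
#   CHECK_HOST=coder.exampleCo.com DEVURL_HOST=test.coder.exampleCo.com sh check-tls.sh
if [ -n "${CHECK_HOST:-}" ]; then
  for host in "$CHECK_HOST" "${DEVURL_HOST:-}"; do
    [ -n "$host" ] || continue
    # word-splitting of $(served_sans ...) is intended: one SAN per argument
    if cert_covers "$host" $(served_sans "$host"); then
      echo "ok: $host is covered by the certificate the ingress serves"
    else
      echo "FAIL: $host is not covered; check the Certificate and Secret for that host"
    fi
  done
fi
```

If the root hostname fails but the dev URL passes (or vice versa), the ingress is serving the other secret's certificate for that name; compare the SAN list with kubectl describe certificate in the Coder namespace before revisiting the issuer.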