Route53 Certificates

If your cluster is not publicly accessible, you can use DNS validation (the ACME DNS-01 challenge) to prove ownership of the domain and obtain your Let's Encrypt certificate.

Prerequisites

  • A Hydrolix cluster deployed on AWS.
  • Route53-managed DNS zone for Hydrolix cluster hostname.
  • AWS CLI installed on your local machine.

Create the Policy

Create a new policy, named ${HDX_KUBERNETES_NAMESPACE}-route53, that allows the Route53 record changes cert-manager needs to answer the DNS-01 challenge:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}

Save the policy document above to a file, for example ${HDX_KUBERNETES_NAMESPACE}-route53.json, then run the following command to create the policy with the AWS CLI (the --policy-document option takes JSON text or a file:// path, not a policy name):

aws iam create-policy --policy-name "${HDX_KUBERNETES_NAMESPACE}-route53" \
    --policy-document "file://${HDX_KUBERNETES_NAMESPACE}-route53.json"

Attach the policy to the IAM role that backs the service account used by the Hydrolix cluster (the ${HDX_KUBERNETES_NAMESPACE}-bucket role):

aws iam attach-role-policy --role-name "${HDX_KUBERNETES_NAMESPACE}-bucket" \
    --policy-arn "arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${HDX_KUBERNETES_NAMESPACE}-route53"
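The policy above grants route53:ChangeResourceRecordSets on every hosted zone in the account. The following script, added here as an example and not part of Hydrolix or cert-manager, checks a policy document for that unscoped write grant and produces a copy limited to one hosted zone and to TXT records, which is all the DNS-01 challenge needs. It uses the AWS condition keys route53:ChangeResourceRecordSetsRecordTypes, and the zone ID passed in is the one from your Issuer; the sample policy embedded below is a copy of the page's document.

```python
import copy
import json

# Constructed copy of the policy document shown above.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "route53:GetChange",
         "Resource": "arn:aws:route53:::change/*"},
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets",
                    "route53:ListResourceRecordSets"],
         "Resource": "arn:aws:route53:::hostedzone/*"},
        {"Effect": "Allow", "Action": "route53:ListHostedZonesByName",
         "Resource": "*"},
    ],
}

WRITE_ACTION = "route53:ChangeResourceRecordSets"


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise."""
    return value if isinstance(value, list) else [value]


def find_unscoped_writes(policy):
    """Indexes of Allow statements granting record writes on all hosted zones."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if WRITE_ACTION not in _as_list(st.get("Action", [])):
            continue
        if any(r == "*" or r.endswith("hostedzone/*")
               for r in _as_list(st.get("Resource", []))):
            hits.append(i)
    return hits


def scope_to_zone(policy, hosted_zone_id):
    """Copy of policy with record writes limited to one zone and TXT records.

    ForAllValues is used because the key is only present on
    ChangeResourceRecordSets requests; the condition then passes for the
    ListResourceRecordSets action sharing the statement."""
    scoped = copy.deepcopy(policy)
    for i in find_unscoped_writes(policy):
        st = scoped["Statement"][i]
        st["Resource"] = f"arn:aws:route53:::hostedzone/{hosted_zone_id}"
        st["Condition"] = {"ForAllValues:StringEquals": {
            "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]}}
    return scoped


if __name__ == "__main__":
    print(json.dumps(scope_to_zone(PAGE_POLICY, "DIKER8JEXAMPLE"), indent=2))
```

Write the printed document to the file you pass to aws iam create-policy; GetChange and ListHostedZonesByName are left untouched because cert-manager still needs them.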

Create a Certificate Issuer

Create an Issuer that uses the Let's Encrypt production certificate authority. The Issuer contains the following information:

  • name - name of the issuer referenced by certificate requests
  • ACME server - directory URL of the ACME server that issues the challenge
  • email - email address registered with the ACME account (Let's Encrypt sends expiry notices there)
  • solvers - how ownership of the domain is proven; here a DNS-01 solver backed by Route53

The following configuration example obtains a certificate from Let's Encrypt using DNS validation: cert-manager creates the challenge TXT record in your Route53 hosted zone, and Let's Encrypt checks it to confirm domain ownership:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-production-route53
  namespace: $YOURNAMESPACE # TO BE REPLACED
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $YOUREMAILMANAGINGCERTIFICATE # TO BE REPLACED
    privateKeySecretRef:
      name: letsencrypt-production-route53
    solvers:
    - selector:
        dnsZones:
          - "example.com" # TODO REPLACE WITH YOUR ZONE
      dns01:
        route53:
          region: us-east-1 # TODO REPLACE WITH YOUR REGION
          hostedZoneID: DIKER8JEXAMPLE # TODO REPLACE WITH YOUR ZONE ID

Store the configuration in the file issuer-prod-lets-enc-route53.yaml. Use the following command to deploy it to your cluster:

kubectl apply -f issuer-prod-lets-enc-route53.yaml

Create a Certificate Request Configuration

After deploying the certificate issuer you can create a certificate request for your domain. Hydrolix requires the issued certificate to be stored in the Secret named traefik-tls (secretName: traefik-tls), because that is the default location from which Hydrolix loads the certificate. Here is a configuration example:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $YOURNAMESPACE # TO BE REPLACED
  namespace: $YOURNAMESPACE # TO BE REPLACED
spec:
  secretName: traefik-tls
  issuerRef:
    name: letsencrypt-production-route53
  commonName: $YOURDOMAIN # TO BE REPLACED
  dnsNames:
  - $YOURDOMAIN # TO BE REPLACED

Store this certificate request in the file cert-req.yaml and deploy it to your cluster:

kubectl apply -f cert-req.yaml

Return to the Add a Custom Certificate guide to validate your results.