Route53 Certificates
If your cluster is not publicly accessible, you can leverage DNS validation to verify your Let's Encrypt certificate.
Prerequisites
- A Hydrolix cluster deployed on AWS.
- A Route53-managed DNS zone for the Hydrolix cluster hostname.
- AWS CLI installed on your local machine.
Create the Policy
Create a new policy named ${HDX_KUBERNETES_NAMESPACE}-route53, which allows Route53 record changes:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}
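Save the policy document above to a local file, then run the following command to create the policy with the AWS CLI. The --policy-document argument reads a local file only when it is given as a file:// URL; this command assumes the file is named ${HDX_KUBERNETES_NAMESPACE}-route53 and sits in the current directory:
aws iam create-policy --policy-name "${HDX_KUBERNETES_NAMESPACE}-route53" \
  --policy-document "file://${HDX_KUBERNETES_NAMESPACE}-route53"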
Attach that policy to the service account used by the Hydrolix cluster:
aws iam attach-role-policy --role-name "${HDX_KUBERNETES_NAMESPACE}-bucket" \
--policy-arn="arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${HDX_KUBERNETES_NAMESPACE}-route53"
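The policy above allows record changes in every hosted zone in the account. The following added example (not part of the Hydrolix documentation) flags that statement and derives a copy restricted to one hosted zone and to the _acme-challenge TXT records that DNS-01 validation writes. The function names are hypothetical, the zone ID and domain are the placeholders from the Issuer example on this page, and it assumes cert-manager writes the challenge record directly under each certificate name.

```python
import copy
import json
# Policy document from this page, embedded so the example runs offline.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "route53:GetChange",
   "Resource": "arn:aws:route53:::change/*"},
  {"Effect": "Allow",
   "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
   "Resource": "arn:aws:route53:::hostedzone/*"},
  {"Effect": "Allow", "Action": "route53:ListHostedZonesByName", "Resource": "*"}]}
""")
WRITE = "route53:ChangeResourceRecordSets"
ANY_ZONE = "arn:aws:route53:::hostedzone/*"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unscoped_writes(policy):
    """Allow statements that permit record changes in every zone, unconditionally."""
    return [s for s in policy["Statement"]
            if s["Effect"] == "Allow" and WRITE in _as_list(s["Action"])
            and ANY_ZONE in _as_list(s["Resource"]) and "Condition" not in s]

def challenge_name(dns_name):
    """Normalized DNS-01 record name: lower case, no trailing dot, no wildcard label."""
    name = dns_name.lower().rstrip(".")
    return "_acme-challenge." + (name[2:] if name.startswith("*.") else name)

def scope_to_acme(policy, zone_id, dns_names):
    """Copy of policy limited to one zone and to the DNS-01 TXT challenge records."""
    zone_arn = f"arn:aws:route53:::hostedzone/{zone_id}"
    condition = {"ForAllValues:StringEquals": {
        "route53:ChangeResourceRecordSetsNormalizedRecordNames":
            sorted({challenge_name(n) for n in dns_names}),
        "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]}}
    statements = []
    for stmt in copy.deepcopy(policy["Statement"]):
        actions = _as_list(stmt["Action"])
        if stmt["Effect"] != "Allow" or WRITE not in actions:
            statements.append(stmt)  # unrelated statement, kept as is
            continue
        reads = [a for a in actions if a != WRITE]
        if reads:  # other actions lose the wildcard zone but need no condition
            statements.append({"Effect": "Allow", "Action": reads, "Resource": zone_arn})
        statements.append({"Effect": "Allow", "Action": WRITE,
                           "Resource": zone_arn, "Condition": condition})
    return {**policy, "Statement": statements}
```

Printing json.dumps(scope_to_acme(PAGE_POLICY, "DIKER8JEXAMPLE", ["example.com"]), indent=2) gives a document that can be saved and passed to aws iam create-policy in place of the broader one.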
Create a Certificate Issuer
Create an Issuer that uses the Let's Encrypt production certificate authority. The Issuer contains the following information:
- name - name of the issuer used to generate new certificate requests
- ACME server - server used to generate the ACME challenge
- email - email used for the certificate information
- solvers - used to validate ownership of the domain
The following configuration example generates a certificate using Let's Encrypt, validates domain ownership using DNS, and manages the creation of the proof via Route53:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-production-route53
  namespace: $YOURNAMESPACE # TODO REPLACE WITH YOUR NAMESPACE
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $YOUREMAILMANAGINGCERTIFICATE # TODO REPLACE WITH YOUR EMAIL
    privateKeySecretRef:
      name: letsencrypt-production-route53
    solvers:
    - selector:
        dnsZones:
        - "example.com" # TODO REPLACE WITH YOUR ZONE
      dns01:
        route53:
          region: us-east-1 # TODO REPLACE WITH YOUR REGION
          hostedZoneID: DIKER8JEXAMPLE # TODO REPLACE WITH YOUR ZONE ID
Store the configuration in the file issuer-prod-lets-enc-route53.yaml. Use the following command to deploy it to your cluster:
kubectl apply -f issuer-prod-lets-enc-route53.yaml
Create a Certificate Request Configuration
After deploying your certificate issuer, you can create a new certificate request that includes your domain.
Hydrolix requires the certificate to be stored under secretName: traefik-tls.
That's the default location used by Hydrolix to load the certificate.
Here's a configuration example:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $YOURNAMESPACE # TODO REPLACE WITH YOUR NAMESPACE
  namespace: $YOURNAMESPACE # TODO REPLACE WITH YOUR NAMESPACE
spec:
  secretName: traefik-tls
  issuerRef:
    name: letsencrypt-production-route53
  commonName: $YOURDOMAIN # TODO REPLACE WITH YOUR DOMAIN
  dnsNames:
  - $YOURDOMAIN # TODO REPLACE WITH YOUR DOMAIN
After generating this certificate request, you can store it in the YAML file cert-req.yaml and deploy it in your cluster:
kubectl apply -f cert-req.yaml
Return to the Add a Custom Certificate guide to validate your results.