
Create AWS Private CA Certificate for Deepfactor Portal on your K8s cluster

Deepfactor Portal requires a TLS certificate to encrypt traffic between the portal and your applications running with Deepfactor enabled. This article describes the steps needed to issue that certificate from an AWS Private CA using cert-manager and the aws-privateca-issuer.

1. Install Cert Manager

helm repo add jetstack https://charts.jetstack.io
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.6.1 \
--set prometheus.enabled=false

2. Create an IAM OIDC provider for your cluster

Follow the AWS guide below to create an IAM OIDC provider for your cluster. This is what allows the issuer's Kubernetes service account to assume an IAM role (IAM roles for service accounts) in the next step:

https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html

3. Create a service account for the AWS PCA issuer

In the following example, replace the AWS region, cluster name and account ID as applicable. The IAM policy referenced by --attach-policy-arn must already exist in your account and grant the issuer access to your private CA.

eksctl create iamserviceaccount \
--region=us-east-2 \
--cluster=qa-test-awspca \
--namespace=aws-pca-issuer \
--name=aws-pca-issuer \
--attach-policy-arn=arn:aws:iam::<Your Account ID>:policy/certificate-manager-policy \
--override-existing-serviceaccounts --approve
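The eksctl command above attaches an IAM policy named certificate-manager-policy, but the article does not show how that policy is created. The shell script below is an added example, not part of the original article or of Deepfactor's tooling: it renders a least-privilege policy document scoped to a single private CA (the Resource is the CA ARN rather than "*"), refuses ARNs that are not a private CA, and creates the policy with the AWS CLI. The three acm-pca actions are the ones the aws-privateca-issuer project documents as required; the CA ARN and policy name in the usage line are placeholders you must replace.

```shell
#!/bin/sh
# Added example: build a least-privilege IAM policy for the AWS PCA issuer.
# Assumptions: the three acm-pca actions below are the ones documented by the
# aws-privateca-issuer project; the CA ARN passed in is a placeholder to replace;
# only the standard "aws" partition is accepted by validate_ca_arn.

# Print a policy document that allows certificate issuance against exactly
# one private CA (the Resource element is the CA ARN, not "*").
render_pca_policy() {
  ca_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AwsPcaIssuer",
      "Effect": "Allow",
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificate",
        "acm-pca:IssueCertificate"
      ],
      "Resource": "${ca_arn}"
    }
  ]
}
EOF
}

# Refuse anything that is not a single private-CA ARN, so a typo such as "*"
# or an IAM ARN cannot silently widen the grant.
validate_ca_arn() {
  case "$1" in
    arn:aws:acm-pca:*:*:certificate-authority/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the policy in IAM and print its ARN, which is what eksctl's
# --attach-policy-arn expects. Requires the AWS CLI and credentials.
create_pca_policy() {
  policy_name="$1"
  ca_arn="$2"
  validate_ca_arn "$ca_arn" || { echo "refusing non-CA ARN: $ca_arn" >&2; return 1; }
  tmp="$(mktemp)"
  render_pca_policy "$ca_arn" > "$tmp"
  aws iam create-policy \
    --policy-name "$policy_name" \
    --policy-document "file://$tmp" \
    --query 'Policy.Arn' --output text
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage (placeholders, replace before running):
# create_pca_policy certificate-manager-policy \
#   arn:aws:acm-pca:us-east-2:<Your Account ID>:certificate-authority/<CA ID>
```

Scoping the Resource to one CA means a compromised issuer pod can only obtain certificates from that CA; the policy grants no ability to create, import or delete CAs.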

4. Install the Helm chart for the AWS PCA issuer

helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer
helm repo update
helm install aws-pca-issuer awspca/aws-privateca-issuer \
-n aws-pca-issuer \
--set serviceAccount.create=false \
--set serviceAccount.name=aws-pca-issuer

5. Create deepfactor namespace

kubectl create ns deepfactor

6. Create issuer for AWS PCA

cat <<EOF | kubectl -n deepfactor apply -f -
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAIssuer
metadata:
  name: df-awspcs-issuer
spec:
  arn: arn:aws:acm-pca:us-east-2:<Your Account ID>:certificate-authority/b7a66d42-65da-4970-9ebe-429988b68430
  region: us-east-2
EOF

7. Create certificate for the portal

Create a file named cert.yaml containing the following Certificate resource.

kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: app.deepfactor.io
spec:
  commonName: app.deepfactor.io
  dnsNames:
    - app.deepfactor.io
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAIssuer
    name: df-awspcs-issuer
  renewBefore: 360h0m0s
  secretName: app.deepfactor.io
  usages:
    - server auth
    - client auth
  privateKey:
    algorithm: "RSA"
    size: 2048

Use the following command to create the certificate from the cert.yaml file created above:

kubectl -n deepfactor apply -f cert.yaml

8. Check certificate status

alice@localhost:~$ kubectl -n deepfactor get certificate
NAME                READY   SECRET              AGE
app.deepfactor.io   True    app.deepfactor.io   13s
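READY True tells you that cert-manager obtained a certificate, not that its contents are what the portal needs. The shell script below is an added example and not part of the original article: it pulls the issued leaf certificate out of the secret and uses openssl to check that the expected DNS name is present as a subject alternative name, print the issuer (which should be your private CA), and confirm the certificate is not about to expire. The namespace, secret name and DNS name in the usage line come from the article; the 15-day threshold is an assumption matching the renewBefore window.

```shell
#!/bin/sh
# Added example (not from the original article): inspect the certificate that
# cert-manager stored in the portal secret and confirm it is the one expected.
# Assumes kubectl has access to the cluster and openssl is installed locally.

# Fetch the PEM leaf certificate from a Kubernetes TLS secret and print it.
fetch_cert_pem() {
  ns="$1"; secret="$2"
  kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# Read a PEM certificate on stdin. Return 0 only if it carries the expected
# DNS name as a SAN and stays valid for at least min_days (default 15) days;
# print the issuer, SANs and expiry either way so a failure is easy to read.
check_cert() {
  expected_dns="$1"; min_days="${2:-15}"
  pem="$(cat)"
  # The SAN list is the line following the "Subject Alternative Name" header
  # in the -text dump; this works on older openssl builds that lack -ext.
  san="$(printf '%s\n' "$pem" | openssl x509 -noout -text \
         | awk '/Subject Alternative Name/{getline; print}')"
  issuer="$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)"
  enddate="$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)"
  echo "$issuer"
  echo "SANs: $(printf '%s' "$san" | tr -d ' ')"
  echo "$enddate"
  status=0
  # Exact per-entry match, so "app.deepfactor.io.example" does not pass.
  if ! printf '%s\n' "$san" | tr ',' '\n' | tr -d ' ' | grep -qx "DNS:${expected_dns}"; then
    echo "FAIL: no SAN entry for ${expected_dns}" >&2
    status=1
  fi
  # -checkend takes seconds and exits non-zero if the cert expires within them.
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: certificate expires in under ${min_days} days" >&2
    status=1
  fi
  return $status
}

# Usage against the deployment described in this article:
# fetch_cert_pem deepfactor app.deepfactor.io | check_cert app.deepfactor.io 15
```

The same check_cert function can be run against the portal's live endpoint later (for example on the output of openssl s_client) to confirm that what clients see matches what cert-manager issued.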


Next steps

Continue installation of Deepfactor Portal using Helm 
