The Deepfactor portal requires a TLS certificate to encrypt traffic between the portal and your applications running with Deepfactor enabled. This article describes the steps needed to issue that certificate from an AWS Private CA (ACM PCA) using cert-manager and the AWS PCA issuer.
1. Install Cert Manager
helm repo add jetstack https://charts.jetstack.io
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.6.1 \
--set prometheus.enabled=false
2. Create an IAM OIDC provider for your cluster
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
3. Create a service account for the AWS PCA issuer
In the following example, replace the AWS region, cluster name and account ID as applicable. The IAM policy referenced by --attach-policy-arn must already exist and grant the issuer permission to request certificates from your private CA.
eksctl create iamserviceaccount \
--region=us-east-2 \
--cluster=qa-test-awspca \
--namespace=aws-pca-issuer \
--name=aws-pca-issuer \
--attach-policy-arn=arn:aws:iam::<Your Account ID>:policy/certificate-manager-policy \
--override-existing-serviceaccounts --approve
4. Install the Helm chart for the AWS PCA issuer
helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer
helm repo update
helm install aws-pca-issuer awspca/aws-privateca-issuer -n aws-pca-issuer --set serviceAccount.create=false --set serviceAccount.name=aws-pca-issuer
5. Create deepfactor namespace
kubectl create ns deepfactor
6. Create an issuer for AWS PCA
Replace the account ID and the certificate-authority ARN with those of your own private CA.
cat <<EOF | kubectl -n deepfactor apply -f -
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAIssuer
metadata:
  name: df-awspcs-issuer
spec:
  arn: arn:aws:acm-pca:us-east-2:<Your Account ID>:certificate-authority/b7a66d42-65da-4970-9ebe-429988b68430
  region: us-east-2
EOF
7. Create a certificate for the portal
Create a YAML file (cert.yaml) for the Certificate as follows.
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: app.deepfactor.io
spec:
  commonName: app.deepfactor.io
  dnsNames:
    - app.deepfactor.io
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAIssuer
    name: df-awspcs-issuer
  renewBefore: 360h0m0s
  secretName: app.deepfactor.io
  usages:
    - server auth
    - client auth
  privateKey:
    algorithm: "RSA"
    size: 2048
Use the following command to create the certificate from the file (cert.yaml) created above.
kubectl -n deepfactor apply -f cert.yaml
8. Check certificate status
READY should show True; the issued certificate and private key are then stored in the secret named by secretName (app.deepfactor.io).
alice@localhost:~$ kubectl -n deepfactor get certificate
NAME                READY   SECRET              AGE
app.deepfactor.io   True    app.deepfactor.io   13s
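Before applying cert.yaml in step 7 it is worth linting the Certificate against the AWSPCAIssuer from step 6, so that a bad renewal window, a missing SAN or a short key is caught before cert-manager reports READY False. The following Python script is an added example (not part of this article or of Deepfactor's tooling); it assumes the manifest has already been loaded into a dict (a constructed copy is embedded below) and checks the renewal window, SAN coverage, key usage, issuer reference and RSA key size.

```python
import re
from copy import deepcopy

# Constructed copy of the step-7 Certificate, as yaml.safe_load would return it for
# cert.yaml (example data). ISSUER holds the step-6 AWSPCAIssuer fields compared below.
CERT_MANIFEST = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate", "metadata": {"name": "app.deepfactor.io"},
    "spec": {
        "commonName": "app.deepfactor.io", "dnsNames": ["app.deepfactor.io"],
        "duration": "2160h0m0s", "renewBefore": "360h0m0s",
        "issuerRef": {"group": "awspca.cert-manager.io",
                      "kind": "AWSPCAIssuer", "name": "df-awspcs-issuer"},
        "secretName": "app.deepfactor.io", "usages": ["server auth", "client auth"],
        "privateKey": {"algorithm": "RSA", "size": 2048},
    },
}
ISSUER = {"kind": "AWSPCAIssuer", "metadata": {"name": "df-awspcs-issuer"}}
_UNIT = {"h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Parse a Go-style duration such as '2160h0m0s' into whole seconds."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * _UNIT[u] for n, u in parts)

def lint_certificate(manifest, issuer):
    """Return a list of findings; an empty list means the spec looks sound."""
    spec, out = manifest["spec"], []
    duration = parse_duration(spec.get("duration", "2160h"))  # cert-manager default: 90 days
    renew = parse_duration(spec["renewBefore"]) if "renewBefore" in spec else duration // 3
    if not 0 < renew < duration:  # cert-manager rejects renewBefore >= duration
        out.append("renewBefore must be positive and shorter than duration")
    if spec.get("commonName") and spec["commonName"] not in spec.get("dnsNames", []):
        out.append("commonName is not listed in dnsNames; clients match on SANs")
    if "server auth" not in spec.get("usages", []):
        out.append("usages lacks 'server auth', but the portal terminates TLS")
    ref = spec.get("issuerRef", {})
    if (ref.get("group"), ref.get("kind"), ref.get("name")) != (
            "awspca.cert-manager.io", issuer["kind"], issuer["metadata"]["name"]):
        out.append("issuerRef does not match the installed AWSPCAIssuer")
    key = spec.get("privateKey", {})
    if key.get("algorithm", "RSA") == "RSA" and key.get("size", 2048) < 2048:
        out.append("RSA private key shorter than 2048 bits")
    return out

def weakened_example():  # lint a deliberately broken copy to show what the checks catch
    bad = deepcopy(CERT_MANIFEST)
    bad["spec"].update(renewBefore="3000h", usages=["client auth"])
    bad["spec"]["privateKey"]["size"] = 1024
    return lint_certificate(bad, ISSUER)
```

Running lint_certificate on the page's manifest returns an empty list, while weakened_example returns three findings (renewal window, key usage, key size).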