Articles in this section

Create AWS Private CA Certificate for Deepfactor Portal on your K8s cluster Follow

Avatar
Deepfactor Support
  • Updated

Deepfactor portal requires a TLS certificate to encrypt traffic between the portal and your applications running with Deepfactor enabled. This articles describes the steps needed to generate an AWS private CA certificate.

1. Install Cert Manager

helm repo add jetstack https://charts.jetstack.io
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.6.1 \
--set prometheus.enabled=false

2. Create an IAM OIDC provider for your cluster

https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html

3. Create a service account for AWS PCA issuer and add helm

In the following example, pls replace the AWS zone as applicable.

eksctl create iamserviceaccount \
 --region=us-east-2 \
 --cluster=qa-test-awspca \
 --namespace=aws-pca-issuer \
 --name=aws-pca-issuer \
 --attach-policy-arn=arn:aws:iam::<Your Account ID>:policy/certificate-manager-policy \
 --override-existing-serviceaccounts --approve

4. Install Helm Chart For AWS PCA

helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer 
helm repo update 
helm install aws-pca-issuer awspca/aws-privateca-issuer -n aws-pca-issuer --set serviceAccount.create=false --set serviceAccount.name=aws-pca-issuer

5. Create deepfactor namespace

kubectl create ns deepfactor

6. Create issuer for AWS PCA

cat <<EOF | kubectl -n deepfactor apply -f -
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAIssuer
metadata:
  name: df-awspcs-issuer
spec:
  arn: arn:aws:acm-pca:us-east-2:<Your Account ID>:certificate-authority/b7a66d42-65da-4970-9ebe-429988b68430
  region: us-east-2
EOF

7. Create certificate for the portal

Create yaml for Certificate as follows.

kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: app.deepfactor.io
spec:
  commonName: app.deepfactor.io
  dnsNames:
    - app.deepfactor.io
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAIssuer
    name: df-awspcs-issuer
  renewBefore: 360h0m0s
  secretName: app.deepfactor.io
  usages:
    - server auth
    - client auth
  privateKey:
    algorithm: "RSA"
    size: 2048

 

Use the following commands to create the certificate using the file (cert.yaml) created above

kubectl -n deepfactor apply -f cert.yaml

 

8. Check certificate status

alice@localhost:~$ kubectl -n deepfactor get certificate 
NAME                READY    SECRET                 AGE 
app.deepfactor.io   True     app.deepfactor.io      13s


Next steps

Continue installation of Deepfactor Portal using Helm 

Related articles

Comments

0 comments

Please sign in to leave a comment.