The Deepfactor portal requires a TLS certificate to encrypt traffic between the portal and your applications running with Deepfactor enabled. This article describes the steps needed to generate a portal certificate from an AWS Private CA using cert-manager and the AWS PCA issuer.
1. Install Cert Manager
helm repo add jetstack https://charts.jetstack.io
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.crds.yaml
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.6.1 --set prometheus.enabled=false
2. Create an IAM OIDC provider for your cluster
Follow the AWS documentation to enable IAM roles for service accounts on your EKS cluster:
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
3. Create a service account for the AWS PCA issuer
In the following example, please replace the AWS region, cluster name and account ID as applicable.
eksctl create iamserviceaccount --region=us-east-2 --cluster=qa-test-awspca --namespace=aws-pca-issuer --name=aws-pca-issuer --attach-policy-arn=arn:aws:iam::<Your Account ID>:policy/certificate-manager-policy --override-existing-serviceaccounts --approve
4. Install the Helm chart for the AWS PCA issuer
helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer
helm repo update
helm install aws-pca-issuer awspca/aws-privateca-issuer -n aws-pca-issuer --set serviceAccount.create=false --set serviceAccount.name=aws-pca-issuer
5. Create the deepfactor namespace
kubectl create ns deepfactor
6. Create the issuer for AWS PCA
cat <<EOF | kubectl -n deepfactor apply -f -
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAIssuer
metadata:
  name: df-awspcs-issuer
spec:
  arn: arn:aws:acm-pca:us-east-2:<Your Account ID>:certificate-authority/b7a66d42-65da-4970-9ebe-429988b68430
  region: us-east-2
EOF
7. Create the certificate for the portal
Create a YAML file (cert.yaml) for the Certificate as follows.
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: app.deepfactor.io
spec:
  commonName: app.deepfactor.io
  dnsNames:
    - app.deepfactor.io
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAIssuer
    name: df-awspcs-issuer
  renewBefore: 360h0m0s
  secretName: app.deepfactor.io
  usages:
    - server auth
    - client auth
  privateKey:
    algorithm: "RSA"
    size: 2048
Use the following command to create the certificate from the file (cert.yaml) created above.
kubectl -n deepfactor apply -f cert.yaml
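As an added sanity check (example code, not part of the Deepfactor docs or the cert-manager project), the following Python lints the Certificate spec above before it is applied: it parses cert-manager's Go-style duration fields, confirms renewBefore is shorter than duration, that the commonName is also listed as a SAN, that issuerRef targets an AWSPCAIssuer, and that the usages and key size suit a portal TLS certificate. The manifest is embedded as a constructed dict so the check runs without a YAML library.

```python
import re
# Go-style durations as cert-manager accepts them ("2160h0m0s", "360h").
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)([hms])")

def parse_go_duration(text):
    """Return the number of seconds in a Go duration string such as "2160h0m0s"."""
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(float(n) * _UNIT_SECONDS[u] for n, u in parts)

def lint_certificate(manifest):
    """Return a list of problems found in a Certificate manifest (empty list means it is consistent)."""
    problems = []
    spec = manifest.get("spec", {})
    ref = spec.get("issuerRef", {})
    if (ref.get("group"), ref.get("kind")) != ("awspca.cert-manager.io", "AWSPCAIssuer"):
        problems.append("issuerRef must name an AWSPCAIssuer in group awspca.cert-manager.io")
    if not ref.get("name"):
        problems.append("issuerRef.name is required")
    cn, dns = spec.get("commonName"), spec.get("dnsNames", [])
    if cn and cn not in dns:
        problems.append(f"commonName {cn} is not in dnsNames; clients verify SANs, not CN")
    duration = parse_go_duration(spec.get("duration", "2160h"))  # cert-manager default: 90 days
    renew = parse_go_duration(spec["renewBefore"]) if "renewBefore" in spec else duration / 3
    if renew >= duration:
        problems.append("renewBefore must be shorter than duration")
    if "server auth" not in spec.get("usages", []):
        problems.append("usages must include 'server auth' for a portal TLS certificate")
    key = spec.get("privateKey", {})
    if key.get("algorithm", "RSA") == "RSA" and key.get("size", 2048) < 2048:
        problems.append("RSA private keys must be at least 2048 bits")
    return problems

# Constructed dict form of the page's cert.yaml (avoids a YAML parser dependency).
PORTAL_CERT = {
    "kind": "Certificate", "apiVersion": "cert-manager.io/v1",
    "metadata": {"name": "app.deepfactor.io"},
    "spec": {
        "commonName": "app.deepfactor.io", "dnsNames": ["app.deepfactor.io"],
        "duration": "2160h0m0s", "renewBefore": "360h0m0s",
        "issuerRef": {"group": "awspca.cert-manager.io", "kind": "AWSPCAIssuer", "name": "df-awspcs-issuer"},
        "secretName": "app.deepfactor.io", "usages": ["server auth", "client auth"],
        "privateKey": {"algorithm": "RSA", "size": 2048},
    },
}

if __name__ == "__main__":
    print("\n".join(lint_certificate(PORTAL_CERT) or ["cert.yaml looks consistent"]))
```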
8. Check certificate status
alice@localhost:~$ kubectl -n deepfactor get certificate
NAME                READY   SECRET              AGE
app.deepfactor.io   True    app.deepfactor.io   13s
READY shows True once the certificate has been issued by the AWS Private CA and stored, together with its private key, in the Secret named in secretName.