How Do I configure Okteto with AWS Certificate Manager?

How Do I?
1

How do I configure the Okteto wildcard certificate with AWS Certificate Manager?

2

Okteto requires your wildcard certificate to be available in the cluster for internal https communication. This is not possible with AWS Certificate Manager.

What we recommend is to configure the Okteto Nginx Controller with a Service of type ClusterIP and create your own service redirecting to the Okteto Nginx controller with the right AWS annotations.

To do that, add the following configuration to your Okteto helm values file:

ingress-nginx:
  controller:
    config:
      use-forwarded-headers: "true"
    service:
      type: ClusterIP
      externalTrafficPolicy: ""

If you are in Kubernetes < 1.24, specify the cluster runtime like this:

wildcardCertificate:
  runtime: docker

and create the additional Service based on the following YAML:

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: << CERTIFICATE_ARN >>
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-type: elb
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: TCP
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port	
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: ingress-nginx
  name: okteto-ext
  namespace: okteto
spec:
  allocateLoadBalancerNodePorts: true
  externalTrafficPolicy: Local
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    port: 443
    protocol: TCP
    targetPort: http
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: okteto
    app.kubernetes.io/name: ingress-nginx
  sessionAffinity: None
  type: LoadBalancer
3

Starting in Okteto 1.5.0, Okteto now fully supports using AWS Certificate Manager and an AWS Network Load Balancer (NLB)

  1. Create a certificate using AWS Certificate Manager
  2. Restore the default certificate configuration by removing the section wildcardCertificate from your Okteto helm values file (in case you had this before)
  3. Configure the Okteto Nginx Controller to create a load balancer that uses your certificate. with the right annotations. To do that, add the following configuration to your Okteto helm values file.
ingress-nginx:
  controller:
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: nlb
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <<your-certificate-arn>>
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" 
        service.beta.kubernetes.io/aws-load-balancer-alpn-policy: HTTP2Preferred
  1. (Required if you are NOT using aws load balancer controller) Setup ALPN policy to HTTP2Preferred in the AWS NLB TLS listener at port 443. Use the official AWS Docs for instructions on how to do this using the console or through the AWS CLI.
1 Like