How do I configure the Okteto wildcard certificate with AWS Certificate Manager?
Okteto requires your wildcard certificate to be available in the cluster for internal https communication. This is not possible with AWS Certificate Manager.
What we recommend is to configure the Okteto Nginx Controller with a Service of type ClusterIP and create your own service redirecting to the Okteto Nginx controller with the right AWS annotations.
To do that, add the following configuration to your Okteto helm values file:
```yaml
ingress-nginx:
  controller:
    config:
      use-forwarded-headers: "true"
    service:
      type: ClusterIP
      externalTrafficPolicy: ""
```
If you are in Kubernetes < 1.24, specify the cluster runtime like this:
```yaml
wildcardCertificate:
  runtime: docker
```
and create the additional Service based on the following YAML:
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: << CERTIFICATE_ARN >>
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-type: elb
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: TCP
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: ingress-nginx
  name: okteto-ext
  namespace: okteto
spec:
  allocateLoadBalancerNodePorts: true
  externalTrafficPolicy: Local
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: http
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: okteto
    app.kubernetes.io/name: ingress-nginx
  sessionAffinity: None
  type: LoadBalancer
```
Starting in Okteto 1.5.0, Okteto fully supports using AWS Certificate Manager and an AWS Network Load Balancer (NLB):
- Create a certificate using AWS Certificate Manager.
- Restore the default certificate configuration by removing the `wildcardCertificate` section from your Okteto helm values file (in case you had this before).
- Configure the Okteto Nginx Controller to create a load balancer that uses your certificate, with the right annotations. To do that, add the following configuration to your Okteto helm values file.
```yaml
ingress-nginx:
  controller:
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: nlb
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <<your-certificate-arn>>
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
        service.beta.kubernetes.io/aws-load-balancer-alpn-policy: HTTP2Preferred
```
- (Required if you are NOT using the AWS Load Balancer Controller) Set up the ALPN policy to `HTTP2Preferred` in the AWS NLB TLS listener at port 443. Use the official AWS Docs for instructions on how to do this using the console or through the AWS CLI.
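The two layouts in this thread differ in where TLS ends: with the classic ELB, the load balancer terminates TLS and talks plain HTTP to the controller (so port 443 must land on the controller's `http` port), while with the NLB and `backend-protocol: ssl` the hop to the controller is re-encrypted (so 443 must land on the `https` port). The checks below, written for this thread and not part of Okteto or ingress-nginx, lint a Service manifest and the helm values for those invariants and for the most common slip: leaving the `<< CERTIFICATE_ARN >>` placeholder in place. They also flag `use-forwarded-headers: "true"` on a controller whose Service is not ClusterIP, since nginx then trusts `X-Forwarded-*` headers that clients could set directly. Manifests are embedded as Python dicts (constructed samples, with a dummy ARN) rather than parsed from YAML so the script runs with no extra dependencies.

```python
"""Lint the AWS load-balancer layouts used in front of ingress-nginx.
Constructed example: not Okteto's or ingress-nginx's own tooling."""
import re
from typing import Dict, List

PREFIX = "service.beta.kubernetes.io/"
# Shape of an ACM certificate ARN (region:account:certificate/uuid); the page shows only a placeholder.
ACM_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")


def lint_lb_service(manifest: Dict) -> List[str]:
    """Return findings for a LoadBalancer Service that fronts ingress-nginx on AWS."""
    findings: List[str] = []
    ann = manifest.get("metadata", {}).get("annotations", {})
    spec = manifest.get("spec", {})

    def get(key: str):
        return ann.get(PREFIX + key)

    if spec.get("type") != "LoadBalancer":
        findings.append("spec.type must be LoadBalancer for the AWS annotations to take effect")

    cert = get("aws-load-balancer-ssl-cert")
    if not cert:
        findings.append("no ssl-cert annotation: the load balancer will not terminate TLS")
    elif not ACM_ARN.match(cert):
        findings.append(f"ssl-cert does not look like an ACM ARN (placeholder not replaced?): {cert}")

    if get("aws-load-balancer-ssl-ports") not in ("https", "443"):
        findings.append("ssl-ports should name the https port so only 443 becomes a TLS listener")

    lb_type = get("aws-load-balancer-type")
    backend = get("aws-load-balancer-backend-protocol")
    ports = {p.get("name"): p for p in spec.get("ports", [])}
    https = ports.get("https", {})
    if https.get("port") != 443:
        findings.append("expected a port named https on 443")

    if lb_type == "elb":
        # TLS ends at the ELB; the hop to the controller is plain HTTP inside the VPC.
        if backend != "http":
            findings.append("classic ELB layout expects backend-protocol http")
        if https.get("targetPort") != "http":
            findings.append("with TLS terminated at the ELB, port 443 must forward to the controller's http port")
    elif lb_type == "nlb":
        # The NLB re-encrypts to the controller, so 443 must reach the controller's TLS port.
        if backend != "ssl":
            findings.append("NLB layout expects backend-protocol ssl so the hop to the controller stays encrypted")
        if https.get("targetPort") != "https":
            findings.append("with backend-protocol ssl, port 443 must forward to the controller's https port")
    else:
        findings.append(f"unknown aws-load-balancer-type: {lb_type!r}")
    return findings


def lint_controller_values(values: Dict) -> List[str]:
    """X-Forwarded-* headers may only be trusted when the controller is reachable solely via the LB."""
    findings: List[str] = []
    controller = values.get("ingress-nginx", {}).get("controller", {})
    trusts_headers = controller.get("config", {}).get("use-forwarded-headers") == "true"
    svc_type = controller.get("service", {}).get("type", "LoadBalancer")
    if trusts_headers and svc_type != "ClusterIP":
        findings.append("use-forwarded-headers is on but the controller Service is not ClusterIP; "
                        "clients bypassing the load balancer could spoof X-Forwarded-For/Proto")
    return findings


# Constructed sample ARN (not a real certificate).
DUMMY_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

# Constructed sample: the classic-ELB layout from the thread, helm values plus the extra Service.
ELB_VALUES = {"ingress-nginx": {"controller": {"config": {"use-forwarded-headers": "true"},
                                               "service": {"type": "ClusterIP"}}}}
ELB_SERVICE = {
    "metadata": {"annotations": {PREFIX + "aws-load-balancer-ssl-cert": DUMMY_ARN,
                                 PREFIX + "aws-load-balancer-backend-protocol": "http",
                                 PREFIX + "aws-load-balancer-ssl-ports": "https",
                                 PREFIX + "aws-load-balancer-type": "elb"}},
    "spec": {"type": "LoadBalancer",
             "ports": [{"name": "http", "port": 80, "targetPort": "http"},
                       {"name": "https", "port": 443, "targetPort": "http"}]},
}

# Constructed sample: the NLB layout as the chart would render it, placeholder ARN left in.
NLB_SERVICE = {
    "metadata": {"annotations": {PREFIX + "aws-load-balancer-type": "nlb",
                                 PREFIX + "aws-load-balancer-backend-protocol": "ssl",
                                 PREFIX + "aws-load-balancer-ssl-cert": "<<your-certificate-arn>>",
                                 PREFIX + "aws-load-balancer-ssl-ports": "https"}},
    "spec": {"type": "LoadBalancer",
             "ports": [{"name": "http", "port": 80, "targetPort": "http"},
                       {"name": "https", "port": 443, "targetPort": "https"}]},
}

if __name__ == "__main__":
    for name, result in (("elb values", lint_controller_values(ELB_VALUES)),
                         ("elb service", lint_lb_service(ELB_SERVICE)),
                         ("nlb service", lint_lb_service(NLB_SERVICE))):
        print(name, "->", result or "ok")
```

Point `lint_lb_service` at `kubectl get svc -n okteto <name> -o json` output (loaded with `json.load`) to check a live Service the same way; the NLB sample above reports exactly one finding, the unreplaced placeholder ARN.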