How do I configure the Okteto wildcard certificate with AWS Certificate Manager?
Starting in Okteto 1.5.0, Okteto now fully supports using AWS Certificate Manager and an AWS Network Load Balancer (NLB).
- Create a certificate using AWS Certificate Manager using the domain *.example.com, replacing example.com with the subdomain you are using in your Helm configuration file.
- Restore the default certificate configuration by removing the section wildcardCertificate from your Okteto helm values file (in case you had this before).
- Configure the Okteto Nginx Controller to create a load balancer that uses your certificate. To do that, add the following configuration to your Okteto helm values file:
ingress-nginx:
  controller:
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: nlb
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <<your-certificate-arn>>
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
        service.beta.kubernetes.io/aws-load-balancer-alpn-policy: HTTP2Preferred
- (Required if you are NOT using AWS load balancer controller) Set up the ALPN policy to HTTP2Preferred in the AWS NLB TLS listener at port 443. Use the official AWS Docs for instructions on how to do this using the console or through the AWS CLI.
If this doesn’t appear to work, how would I troubleshoot it?
Hi @fsargent !
Could you try to run curl https://domainOfNLB -v first?
If you get something like:
HTTP/1.1 502 Bad Gateway
Try these steps in AWS:
- Go to EC2
- Go to Load Balancers
- Find the one that matches what you get from kubectl get svc -n okteto | grep ingress-nginx | awk '{print $4}'
- Listener TLS
- Edit Listener
- ALPN Policy → HTTP2 Preferred
This will take a few minutes to be ready. Once it is, run the curl command again and you should see GET HTTP 2.
Let me know if that was your case; if not, we can continue troubleshooting!
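Added example, not part of either post above: a Python check that reads the output of aws elbv2 describe-listeners for the NLB found with the kubectl command in the reply and reports the two mismatches the thread turns on, a port 443 TLS listener without the HTTP2Preferred ALPN policy (step 4 of the first answer) or without the ACM certificate from the ssl-cert annotation. The ARNs in the sample are constructed placeholders.

```python
import json

EXPECTED_ALPN = "HTTP2Preferred"

def check_tls_listener(describe_listeners_json: str, cert_arn: str) -> list[str]:
    """Explain a 502 from `curl -v https://<nlb>` by inspecting the NLB's listeners.

    Input is the output of `aws elbv2 describe-listeners --load-balancer-arn <nlb-arn>`
    for the load balancer of the ingress-nginx Service; an empty result means the
    port 443 TLS listener matches the Helm annotations above.
    """
    listeners = json.loads(describe_listeners_json).get("Listeners", [])
    tls = [lst for lst in listeners if lst.get("Port") == 443 and lst.get("Protocol") == "TLS"]
    if not tls:
        return ["no TLS listener on port 443: the ssl-cert/ssl-ports annotations were not applied"]
    listener, findings = tls[0], []
    # Step 4 exists because without the AWS Load Balancer Controller the alpn-policy
    # annotation does not reach the listener, which then keeps the default ["None"].
    alpn = listener.get("AlpnPolicy") or ["None"]
    if EXPECTED_ALPN not in alpn:
        findings.append(
            f"ALPN policy is {alpn}, expected {EXPECTED_ALPN}; fix with: aws elbv2 "
            f"modify-listener --listener-arn {listener['ListenerArn']} --alpn-policy {EXPECTED_ALPN}"
        )
    served = {c.get("CertificateArn") for c in listener.get("Certificates", [])}
    if cert_arn not in served:
        findings.append(f"listener does not serve the ACM certificate {cert_arn}")
    return findings

# Constructed samples shaped like describe-listeners output; every ARN is a placeholder.
CERT_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-0000-0000-000000000000"
LISTENER_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/net/okteto/abc123/def456"

def _sample(alpn: list[str]) -> str:
    return json.dumps({"Listeners": [{
        "ListenerArn": LISTENER_ARN, "Port": 443, "Protocol": "TLS",
        "Certificates": [{"CertificateArn": CERT_ARN, "IsDefault": True}],
        "DefaultActions": [{"Type": "forward"}], "AlpnPolicy": alpn,
    }]})

SAMPLE_BEFORE = _sample(["None"])        # listener as created, before step 4
SAMPLE_AFTER = _sample([EXPECTED_ALPN])  # listener after the ALPN policy is set

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, check_tls_listener(sample, CERT_ARN) or ["ok"])
```

Run it against the real describe-listeners output once the console or CLI change from step 4 has settled; the "before" sample reproduces the state that produced the 502 in this thread.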