How do I configure Okteto with AWS Certificate Manager?

How do I configure the Okteto wildcard certificate with AWS Certificate Manager?

Okteto requires your wildcard certificate to be available in the cluster for internal https communication. This is not possible with AWS Certificate Manager.

What we recommend is to configure the Okteto Nginx Controller with a Service of type ClusterIP and create your own service redirecting to the Okteto Nginx controller with the right AWS annotations.

To do that, add the following configuration to your Okteto helm values file:

    ingress-nginx:
      controller:
        config:
          use-forwarded-headers: "true"
        service:
          type: ClusterIP
          externalTrafficPolicy: ""

If you are in Kubernetes < 1.24, specify the cluster runtime like this:

  runtime: docker

and create the additional Service based on the following YAML:

    apiVersion: v1
    kind: Service
    metadata:
      # Only the annotation values appear in the original post; the keys are the standard AWS load balancer annotations matched to those values.
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: << CERTIFICATE_ARN >>
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
        service.beta.kubernetes.io/aws-load-balancer-type: elb
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: TCP
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/name: ingress-nginx
      name: okteto-ext
      namespace: okteto
    spec:
      allocateLoadBalancerNodePorts: true
      externalTrafficPolicy: Local
      internalTrafficPolicy: Cluster
      ipFamilies:
      - IPv4
      ipFamilyPolicy: SingleStack
      ports:
      - name: http
        port: 80
        protocol: TCP
        targetPort: http
      - name: https
        port: 443
        protocol: TCP
        targetPort: http   # TLS is terminated at the ELB, so 443 is forwarded to the controller's plain http port
      selector:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: okteto
        app.kubernetes.io/name: ingress-nginx
      sessionAffinity: None
      type: LoadBalancer

Starting in Okteto 1.5.0, Okteto now fully supports using AWS Certificate Manager and an AWS Network Load Balancer (NLB):

  1. Create a certificate using AWS Certificate Manager.
  2. Restore the default certificate configuration by removing the wildcardCertificate section from your Okteto helm values file (in case you had this before).
  3. Configure the Okteto Nginx Controller to create a load balancer that uses your certificate, with the right annotations. To do that, add the following configuration to your Okteto helm values file:

         ingress-nginx:
           controller:
             service:
               # Only the annotation values appear in the original post; the keys are the standard AWS load balancer annotations matched to those values.
               annotations:
                 service.beta.kubernetes.io/aws-load-balancer-type: nlb
                 service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
                 service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <<your-certificate-arn>>
                 service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
                 service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
                 service.beta.kubernetes.io/aws-load-balancer-alpn-policy: HTTP2Preferred

  4. (Required if you are NOT using the AWS Load Balancer Controller) Set up the ALPN policy HTTP2Preferred in the AWS NLB TLS listener at port 443. Use the official AWS Docs for instructions on how to do this using the console or through the AWS CLI.
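To confirm that a deployed Service actually carries the settings discussed in this thread (ACM certificate ARN, TLS terminated at the load balancer with 443 forwarded to the matching controller port, ALPN policy on an NLB), here is an added Python checker that is not from the post or from Okteto; it reads the JSON of `kubectl get svc -n okteto <service> -o json`, and the embedded SAMPLE_SVC is a constructed manifest that deliberately omits the alpn-policy annotation.

```python
"""Check the AWS load-balancer settings on the Okteto ingress Service.
Added example, not from the forum post or from Okteto. Pass the path of a
`kubectl get svc -n okteto <service> -o json` dump, or run without arguments
to check SAMPLE_SVC, a constructed manifest missing the alpn-policy annotation."""
import json
import re
import sys

ANN = "service.beta.kubernetes.io/aws-load-balancer-"
# ACM certificate ARNs have the form arn:aws:acm:<region>:<account>:certificate/<uuid>
ACM_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]+$")


def check_service(svc: dict) -> list:
    """Return findings about the Service; an empty list means it matches the thread's setup."""
    findings = []
    ann = svc.get("metadata", {}).get("annotations", {})
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        findings.append("spec.type must be LoadBalancer to get an AWS load balancer")
    if not ACM_ARN.match(ann.get(ANN + "ssl-cert", "")):
        findings.append("ssl-cert annotation is not an ACM certificate ARN")
    if "https" not in ann.get(ANN + "ssl-ports", "").split(","):
        findings.append("ssl-ports must name the https port so TLS terminates at the load balancer")
    # TLS ends at the load balancer, so port 443 must reach nginx on the port matching
    # backend-protocol: plain http (classic ELB setup) or https (NLB with ssl re-encryption).
    backend = ann.get(ANN + "backend-protocol", "tcp")
    want_target = {"http": "http", "ssl": "https"}.get(backend)
    for port in spec.get("ports", []):
        if port.get("port") == 443 and want_target and port.get("targetPort") != want_target:
            findings.append(f"port 443 targets {port.get('targetPort')!r}, but backend-protocol "
                            f"{backend} expects {want_target!r}")
    # An NLB needs the ALPN policy, via this annotation or set by hand on the 443 TLS listener.
    if ann.get(ANN + "type") == "nlb" and ann.get(ANN + "alpn-policy") != "HTTP2Preferred":
        findings.append("NLB without alpn-policy HTTP2Preferred (set the annotation or the listener's ALPN policy)")
    return findings


SAMPLE_SVC = {  # constructed: the NLB annotations from the thread, minus alpn-policy
    "metadata": {"name": "okteto-ext", "namespace": "okteto", "annotations": {
        ANN + "type": "nlb", ANN + "backend-protocol": "ssl", ANN + "ssl-ports": "https",
        ANN + "scheme": "internet-facing",
        ANN + "ssl-cert": "arn:aws:acm:us-east-1:123456789012:certificate/0f0e0d0c-0b0a-4c4d-8e8f-000000000001"}},
    "spec": {"type": "LoadBalancer", "ports": [
        {"name": "http", "port": 80, "protocol": "TCP", "targetPort": "http"},
        {"name": "https", "port": 443, "protocol": "TCP", "targetPort": "https"}]}}

if __name__ == "__main__":
    svc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SVC
    for line in check_service(svc) or ["OK: Service matches the expected AWS setup"]:
        print(line)
```

Run it against the classic ELB `okteto-ext` Service from the first part of the thread as well: there backend-protocol is http, so the checker expects port 443 to target the `http` port.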