aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0
2.41k stars 254 forks

ACM Certificate + Route53 dns validation example / tutorial #1904

Open ecerulm opened 1 year ago

ecerulm commented 1 year ago

What is the URL of the document?

https://aws-controllers-k8s.github.io/community/docs/community/overview/

Which section(s) is the issue in?

Tutorials

What needs fixing?

A basic example on how to use the acm-controller should be provided.

Like creating an acm.services.k8s.aws/Certificate and how to use it together with aws-load-balancer-controller. In particular it would be great to include the DNS validation as well.

Additional context

I googled and can't find any example of the acm-controller.

So I think now my only option is to manually inspect the CRDs in acm-controller

And then try to guess how to use it, especially how the DNS validation will be implemented.

indrekj commented 1 year ago

I also didn't find any examples, so here's one:

apiVersion: acm.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: mydomain
spec:
  domainName: "mydomain.com"
  subjectAlternativeNames:
    - "*.mydomain.com"

This creates a certificate with two records. But I have no idea how to automate the Route 53 verification, or if it is even possible atm.

peak-stephen commented 10 months ago

After skimming the code in https://github.com/aws-controllers-k8s/acm-controller/blob/v0.0.9/pkg/resource/certificate/sdk.go I don't think this resource controller is actually capable of verifying the certificates it requests. In order to do so it would need to also use the API of Route53 (or some other DNS provider) and at the moment it only uses the ACM API.

This was previously discussed here where @jaypipes said it's not planned, as there is/was also a route53 controller in the works.

john-r-swyftx commented 9 months ago

I can create a certificate with:

apiVersion: acm.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: "mydomain"
spec:
  domainName: "mydomain.com"

and, using the route53-controller, add the CNAME resource record for validation.

apiVersion: route53.services.k8s.aws/v1alpha1
kind: RecordSet
metadata:
  name: "mydomain-validation"
spec:
  hostedZoneID: <hosted-zone-id>
  recordType: CNAME
  name: <validation.ResourceRecord.name>
  resourceRecords:
    - value: <validation.ResourceRecord.value>
  ttl: 300

but I can't figure out how to fully automate this. Are there examples on how to do this?

lukasmrtvy commented 9 months ago

@john-r-swyftx A mutation webhook should do the trick then; see Kyverno for more info.
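The missing piece in john-r-swyftx's two manifests and lukasmrtvy's webhook suggestion is the glue that copies the validation CNAME out of the Certificate status into a RecordSet. The script below is an added example written for this thread, not code from the ACK project. It assumes the acm-controller mirrors ACM's DescribeCertificate `DomainValidationOptions` under `status.domainValidations[].resourceRecord` (confirm with `kubectl explain certificate.status` for your controller version); the hosted zone ID, UID and sample Certificate are constructed placeholders. It goes a little beyond the single-domain case above: it dedupes the CNAME that ACM shares between an apex name and its wildcard SAN, skips validations ACM has not published yet, sanitizes the underscore-prefixed CNAME name into a valid Kubernetes object name, and sets an ownerReference so the RecordSet is garbage-collected with the Certificate.

```python
"""Derive ACK Route53 RecordSet manifests from an ACK ACM Certificate.

Added example for this thread; not part of the ACK project. Assumes the
acm-controller exposes ACM's DomainValidationOptions as
status.domainValidations[].resourceRecord. Zone IDs/UIDs below are constructed.

Usage:
  kubectl get certificate mydomain -o json \
    | python3 acm_validation_records.py Z0EXAMPLE12345 \
    | kubectl apply -f -
"""
import json
import re
import sys

# Kubernetes object names must be DNS-1123 subdomains (lowercase alphanumerics,
# '-' and '.'); ACM validation CNAME names start with '_' and end with '.'.
NOT_DNS1123 = re.compile(r"[^a-z0-9.-]+")


def k8s_name(prefix: str, record_name: str) -> str:
    """Build a valid Kubernetes name from a prefix and an ACM CNAME name."""
    label = NOT_DNS1123.sub("-", record_name.lower().rstrip(".")).strip("-.")
    return f"{prefix}-{label}"[:253].rstrip("-.")


def validation_recordsets(cert: dict, hosted_zone_id: str, ttl: int = 300) -> list:
    """Return one RecordSet manifest per distinct DNS validation CNAME.

    Validations ACM has not yet published (no resourceRecord), or that are not
    DNS/CNAME based, are skipped; re-run once the Certificate status reconciles.
    """
    meta = cert["metadata"]
    seen = set()
    manifests = []
    for dv in cert.get("status", {}).get("domainValidations") or []:
        rr = dv.get("resourceRecord")
        if dv.get("validationMethod", "DNS") != "DNS" or not rr:
            continue
        if rr.get("type") != "CNAME":
            continue
        # ACM issues the same CNAME for an apex name and its wildcard SAN, so
        # dedupe on (name, value) rather than on domainName.
        key = (rr["name"].lower(), rr["value"].lower())
        if key in seen:
            continue
        seen.add(key)
        rs_meta = {
            "name": k8s_name(f"{meta['name']}-validation", rr["name"]),
            "namespace": meta.get("namespace", "default"),
        }
        if "uid" in meta:
            # Owner reference: deleting the Certificate garbage-collects the record.
            rs_meta["ownerReferences"] = [{
                "apiVersion": cert["apiVersion"],
                "kind": cert["kind"],
                "name": meta["name"],
                "uid": meta["uid"],
            }]
        manifests.append({
            "apiVersion": "route53.services.k8s.aws/v1alpha1",
            "kind": "RecordSet",
            "metadata": rs_meta,
            "spec": {
                "hostedZoneID": hosted_zone_id,
                "recordType": "CNAME",
                "name": rr["name"],
                "resourceRecords": [{"value": rr["value"]}],
                "ttl": ttl,
            },
        })
    return manifests


# Constructed sample: apex + wildcard share one CNAME; a third SAN is still pending.
SAMPLE_CERTIFICATE = {
    "apiVersion": "acm.services.k8s.aws/v1alpha1",
    "kind": "Certificate",
    "metadata": {"name": "mydomain", "namespace": "default", "uid": "0000-constructed"},
    "spec": {"domainName": "mydomain.com",
             "subjectAlternativeNames": ["*.mydomain.com", "api.mydomain.com"]},
    "status": {"domainValidations": [
        {"domainName": "mydomain.com", "validationMethod": "DNS",
         "resourceRecord": {"name": "_1234abcd.mydomain.com.", "type": "CNAME",
                            "value": "_feedbeef.acm-validations.aws."}},
        {"domainName": "*.mydomain.com", "validationMethod": "DNS",
         "resourceRecord": {"name": "_1234abcd.mydomain.com.", "type": "CNAME",
                            "value": "_feedbeef.acm-validations.aws."}},
        {"domainName": "api.mydomain.com", "validationMethod": "DNS"},
    ]},
}


if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "Z0EXAMPLE12345"
    source = SAMPLE_CERTIFICATE if sys.stdin.isatty() else json.load(sys.stdin)
    items = validation_recordsets(source, zone)
    json.dump({"apiVersion": "v1", "kind": "List", "items": items}, sys.stdout, indent=2)
```

Run without piped input it emits manifests for the constructed sample; piped from `kubectl get certificate ... -o json` it emits the real ones. The same transformation can be expressed as a Kyverno generate rule or a small controller, but keeping it a pure function makes the dedupe and name-sanitizing behaviour easy to unit test before wiring it to a cluster, and the ownerReference keeps validation records from outliving the certificate they were created for.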

ack-bot commented 3 months ago

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot commented 1 month ago

Stale issues rot after 60d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 60d of inactivity. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle rotten