[VC-35411] AWS + EKS + Route53 + Let's Encrypt tutorial #1544
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cert-manager-prow
bot
added
do-not-merge/work-in-progress
✅ Deploy Preview for cert-manager ready!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
wallrj
force-pushed
the
aws-eks-route53-letsencrypt-tutorial
branch
5 times, most recently
from
311ad4f
to
41774e8
Compare
wallrj
changed the title
wallrj
force-pushed
the
aws-eks-route53-letsencrypt-tutorial
branch
from
41774e8
to
dccddf0
Compare
cert-manager-prow
bot
added
size/XL
wallrj
force-pushed
the
aws-eks-route53-letsencrypt-tutorial
branch
5 times, most recently
from
4691cec
to
165a27a
Compare
wallrj
changed the title
cert-manager-prow
bot
removed
the
do-not-merge/work-in-progress
wallrj
commented
Sep 4, 2024
There was a problem hiding this comment.
| > according to the Amazon's [EKS Best Practices Guide](https://aws.github.io/aws-eks-best-practices/). | ||
| > Consider using the [AWS Load Balancer Controller](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html) instead. | ||
|
|
||
| The stable DNS host name of the load balancer can be used as an alias for the `www` record in your chosen `$DOMAIN_NAME` |
There was a problem hiding this comment.
While I think its overkill to cover it in detail in this guide, do we want to mention that automation solutions like ExternalDNS exist that can automate DNS for Kubernetes services/ingress/gateway?
SgtCoDFish
approved these changes
Sep 5, 2024
There was a problem hiding this comment.
/lgtm
/approve
/hold
This is a great addition! I haven't run it myself because I don't have easy access to an AWS environment or the time to start, but it looks like how I'd expect.
I don't see any blockers really. I have a few suggestions so I've added a hold in case you want to add them and re-request a review!
Comment on lines
25
to
29
| In the first part of this tutorial you will learn the basics required to deploy an HTTPS website on an Amazon Elastic Kubernetes Service (EKS) cluster, using cert-manager to create the SSL certificate for the web server. | ||
| You will create a DNS domain for your website, create an EKS cluster, install cert-manager, create an SSL certificate and then deploy a web server which responds to HTTPS requests from clients on the Internet. | ||
| But the SSL certificate in part 1 is only for testing purposes. | ||
|
|
||
| In part 2 you will learn how to configure cert-manager to use Let's Encrypt and Route53 DNS to create a trusted SSL certificate which you can use in production. |
There was a problem hiding this comment.
suggestion (non-blocking): The line "But the SSL certificate in part 1 is only for testing purposes." doesn't really flow with the rest of the text IMO. How about a minor tweak?
Suggested change
| In the first part of this tutorial you will learn the basics required to deploy an HTTPS website on an Amazon Elastic Kubernetes Service (EKS) cluster, using cert-manager to create the SSL certificate for the web server. | |
| You will create a DNS domain for your website, create an EKS cluster, install cert-manager, create an SSL certificate and then deploy a web server which responds to HTTPS requests from clients on the Internet. | |
| But the SSL certificate in part 1 is only for testing purposes. | |
| In part 2 you will learn how to configure cert-manager to use Let's Encrypt and Route53 DNS to create a trusted SSL certificate which you can use in production. | |
| In the first part of this tutorial you will learn the basics required to deploy an HTTPS website on an Amazon Elastic Kubernetes Service (EKS) cluster, using cert-manager to create the SSL certificate for the web server. | |
| You will create a DNS domain for your website, create an EKS cluster, install cert-manager, create an SSL certificate and then deploy a web server which responds to HTTPS requests from clients on the Internet. | |
| The SSL certificate in part 1 is only for testing purposes; in part 2 you will learn how to configure cert-manager to use Let's Encrypt and Route53 DNS to create a trusted SSL certificate which you can use in production. |
| ELB_CANONICAL_HOSTED_ZONE_NAME=$(kubectl get svc helloweb --output=jsonpath='{ .status.loadBalancer.ingress[0].hostname }') | ||
| aws elb describe-load-balancers --query "LoadBalancerDescriptions[?CanonicalHostedZoneName == '$ELB_CANONICAL_HOSTED_ZONE_NAME'] | [0]" \ | ||
| | jq '{ | ||
| "Comment": "Creating a CNAME record", |
There was a problem hiding this comment.
suggestion: The reference to a CNAME in this comment might be a little jarring for newbies given the action references an A record and we're talking about alias records.
Suggested change
| "Comment": "Creating a CNAME record", | |
| "Comment": "Creating an alias record", |
Comment on lines
355
to
354
| > ⚠️ We used curl's `--insecure` option because it rejects self-signed certificates by default. | ||
| > Later you will learn how to create a trusted certificate signed by Let's Encrypt. |
There was a problem hiding this comment.
suggestion: This doesn't quite read right (it sounds like it's the insecure flag which rejects self signed certs).
Suggested change
| > ⚠️ We used curl's `--insecure` option because it rejects self-signed certificates by default. | |
| > Later you will learn how to create a trusted certificate signed by Let's Encrypt. | |
| > ⚠️ We used curl's `--insecure` option because curl will reject the untrusted certificate we generated otherwise. | |
| > Later you will learn how to create a trusted certificate signed by Let's Encrypt. |
cert-manager-prow
bot
added
do-not-merge/hold
wallrj
force-pushed
the
aws-eks-route53-letsencrypt-tutorial
branch
from
165a27a
to
5126c26
Compare
Signed-off-by: Richard Wall <[email protected]>
wallrj
force-pushed
the
aws-eks-route53-letsencrypt-tutorial
branch
from
5126c26
to
43ed665
Compare
|
@SgtCoDFish I made those changes and added a link to ExternalDNS. PTAL. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: SgtCoDFish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/unhold |
cert-manager-prow
bot
removed
the
do-not-merge/hold
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Preview: https://deploy-preview-1544--cert-manager.netlify.app/docs/tutorials/getting-started-aws-letsencrypt/
I've written this tutorial:
The content is largely copied from the Azure AKS tutorial.