In our EKS ecosystem it is possible to create a certificate issued by ACM Private CA. To do this we use the (already implemented) https://github.com/cert-manager/cert-manager together with the https://github.com/cert-manager/aws-privateca-issuer module.
Let's pretend we have an EKS cluster with some custom deployment. Usually, to issue a certificate you use an Issuer or ClusterIssuer Kubernetes resource. The difference is that a ClusterIssuer can be used from any namespace. If we use the aws-privateca-issuer module we must use AWSPCAIssuer or AWSPCAClusterIssuer instead.
On our platform the AWSPCAClusterIssuer already exists:
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: YOUR_NAME
spec:
  arn: PRIVATE_CA_ARN
  region: YOUR_REGION
But how do we create a certificate? To do this we use a Certificate resource that references the cluster issuer above:
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: MY_SUBDOMAIN
spec:
  commonName: MY_SUBDOMAIN
  dnsNames:
    - MY_SUBDOMAIN
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: YOUR_NAME
  renewBefore: 360h0m0s
  secretName: MY_SUBDOMAIN
  usages:
    - server auth
    - client auth
  privateKey:
    algorithm: "RSA"
    size: 2048
Use "kubectl -n MY_NAMESPACE get certificate" and check the result:
  NAME           READY   SECRET         AGE
  MY_SUBDOMAIN   True    MY_SUBDOMAIN   12s
The certificate and its private key are stored in a kubernetes.io/tls Secret (keys tls.crt and tls.key). To view the details of the issued certificate:
kubectl get secret MY_SUBDOMAIN -n MY_NAMESPACE -o 'go-template={{index .data "tls.crt"}}' | base64 --decode | openssl x509 -noout -text
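Once the certificate is in the Secret, it is worth checking that what the CA actually issued matches what the Certificate manifest asked for (the SAN, the server/client auth usages, the key size, and that it is not already inside the renewBefore window). The script below is an added example, not part of the original post or of the cert-manager project. It assumes only a POSIX shell and openssl 1.1.1 or newer; the expected values mirror the manifest above (MY_SUBDOMAIN, 2160h duration, 360h renewBefore, RSA 2048), and the test certificate it can generate is constructed, self-signed test data, not one issued by the private CA.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the certificate
# extracted from a cert-manager Secret matches the Certificate spec.
# Assumes openssl 1.1.1+ and a POSIX shell; expected values mirror the manifest.

EXPECTED_DNS="${EXPECTED_DNS:-MY_SUBDOMAIN}"   # placeholder name from the post
EXPECTED_BITS=2048                             # privateKey.size
RENEW_BEFORE_DAYS=15                           # renewBefore: 360h0m0s

# check_cert PEMFILE -> returns 0 if every check passes, 1 otherwise
# (each failing check is printed so the reader sees what drifted).
check_cert() {
  pem="$1"
  status=0

  # 1. dnsNames must end up in subjectAltName; clients ignore the CN alone.
  if ! openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null \
       | grep -q "DNS:$EXPECTED_DNS"; then
    echo "FAIL: subjectAltName lacks DNS:$EXPECTED_DNS"; status=1
  fi

  # 2. usages "server auth" / "client auth" map to extendedKeyUsage.
  eku=$(openssl x509 -in "$pem" -noout -ext extendedKeyUsage 2>/dev/null)
  for want in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
    if ! printf '%s' "$eku" | grep -q "$want"; then
      echo "FAIL: extendedKeyUsage lacks '$want'"; status=1
    fi
  done

  # 3. privateKey.size: openssl prints "Public-Key: (2048 bit)" for RSA keys.
  if ! openssl x509 -in "$pem" -noout -text \
       | grep -q "Public-Key: ($EXPECTED_BITS bit)"; then
    echo "FAIL: public key is not $EXPECTED_BITS bit"; status=1
  fi

  # 4. If the cert expires inside the renewBefore window, cert-manager should
  #    already be renewing it; -checkend exits non-zero when that is the case.
  if ! openssl x509 -in "$pem" -noout \
       -checkend $((RENEW_BEFORE_DAYS * 86400)) >/dev/null; then
    echo "FAIL: certificate expires within $RENEW_BEFORE_DAYS days"; status=1
  fi

  return $status
}

# make_test_cert OUTFILE DAYS EKU -> constructed self-signed cert for local testing
# (hypothetical helper; a real cert would come from the private CA via the Secret).
make_test_cert() {
  out="$1"; days="$2"; eku="$3"
  openssl req -x509 -newkey "rsa:$EXPECTED_BITS" -nodes \
    -keyout "$out.key" -out "$out" -days "$days" \
    -subj "/CN=$EXPECTED_DNS" \
    -addext "subjectAltName=DNS:$EXPECTED_DNS" \
    -addext "extendedKeyUsage=$eku" >/dev/null 2>&1
}

# Usage against the live cluster (same extraction pipeline as in the post):
#   kubectl get secret MY_SUBDOMAIN -n MY_NAMESPACE \
#     -o 'go-template={{index .data "tls.crt"}}' | base64 --decode > tls.crt
#   check_cert tls.crt && echo OK
```

The checks are deliberately independent so that one failure does not hide another; in practice the most common drift is the SAN, since a CA template can override what cert-manager requests.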