AWS Private CA Issuer
AWS Private CA is an AWS service that can set up and manage private CAs, as well as issue private certificates. This add-on deploys the AWS Private CA Issuer as an external issuer for cert-manager that signs certificate requests using AWS Private CA in an Amazon EKS cluster.
Usage
Pre-requisites
To deploy the AWS PCA Issuer, you need to install cert-manager first; refer to this documentation to do it through EKS Blueprints Addons.
Deployment
With cert-manager deployed, you can deploy the AWS Private CA Issuer add-on via EKS Blueprints Addons by setting the following parameters under the module.eks_blueprints_addons block:

module "eks_blueprints_addons" {
  enable_cert_manager         = true
  enable_aws_privateca_issuer = true
  aws_privateca_issuer = {
    acmca_arn = aws_acmpca_certificate_authority.this.arn
  }
}
Helm Chart customization
It's possible to customize your deployment using the Helm Chart parameters inside the aws_privateca_issuer configuration block:

aws_privateca_issuer = {
  acmca_arn        = aws_acmpca_certificate_authority.this.arn
  namespace        = "aws-privateca-issuer"
  create_namespace = true
}
You can find all available Helm Chart parameter values here.
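The page references aws_acmpca_certificate_authority.this.arn without showing the CA itself, and the validation step below expects an issuer named tls-with-aws-pca-issuer. As an added example (not part of the EKS Blueprints Addons documentation or module), the Terraform below creates and activates that root CA and registers the matching AWSPCAClusterIssuer; the subject name, the 7-day deletion window, the 10-year validity and the use of the kubernetes provider are assumptions.

```hcl
data "aws_partition" "current" {}
data "aws_region" "current" {}

# Root CA referenced by the add-on. Subject name and the 7-day deletion
# window are assumptions for this example.
resource "aws_acmpca_certificate_authority" "this" {
  type                            = "ROOT"
  permanent_deletion_time_in_days = 7
  certificate_authority_configuration {
    key_algorithm     = "RSA_4096"
    signing_algorithm = "SHA512WITHRSA"
    subject {
      common_name = "internal.example.com"
    }
  }
}

# A newly created CA is in PENDING_CERTIFICATE and cannot sign anything:
# issue and import its self-signed root certificate so the issuer can go Ready.
resource "aws_acmpca_certificate" "root" {
  certificate_authority_arn   = aws_acmpca_certificate_authority.this.arn
  certificate_signing_request = aws_acmpca_certificate_authority.this.certificate_signing_request
  signing_algorithm           = "SHA512WITHRSA"
  template_arn                = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1"
  validity {
    type  = "YEARS"
    value = 10
  }
}

resource "aws_acmpca_certificate_authority_certificate" "root" {
  certificate_authority_arn = aws_acmpca_certificate_authority.this.arn
  certificate               = aws_acmpca_certificate.root.certificate
  certificate_chain         = aws_acmpca_certificate.root.certificate_chain
}

# Cluster-wide issuer scoped to this one CA; the name matches the ISSUER
# column in the validation output. kubernetes_manifest needs the CRD at plan
# time, so apply this after the add-on has installed it.
resource "kubernetes_manifest" "pca_cluster_issuer" {
  manifest = {
    apiVersion = "awspca.cert-manager.io/v1beta1"
    kind       = "AWSPCAClusterIssuer"
    metadata   = { name = "tls-with-aws-pca-issuer" }
    spec = {
      arn    = aws_acmpca_certificate_authority.this.arn
      region = data.aws_region.current.name
    }
  }
  depends_on = [aws_acmpca_certificate_authority_certificate.root]
}
```

Because kubernetes_manifest resolves the AWSPCAClusterIssuer CRD at plan time, run the issuer resource in a second apply (or a separate root module) once the add-on is installed.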
Validation
- List all the pods running in the aws-privateca-issuer and cert-manager Namespaces.
- Check the certificate status: it should be in Ready state and point to a secret created in the same Namespace.

kubectl get certificate -o wide
NAME      READY   SECRET                  ISSUER                    STATUS                                          AGE
example   True    example-clusterissuer   tls-with-aws-pca-issuer   Certificate is up to date and has not expired   41m

kubectl get secret example-clusterissuer
NAME                    TYPE                DATA   AGE
example-clusterissuer   kubernetes.io/tls   3      43m