AWS Private CA Issuer

AWS Private CA is an AWS service that can set up and manage private certificate authorities (CAs) and issue private certificates. This add-on deploys the AWS Private CA Issuer as an external issuer for cert-manager: cert-manager hands it certificate requests, and it has them signed by AWS Private CA from within an Amazon EKS cluster.

Usage

Pre-requisites

The AWS Private CA Issuer depends on cert-manager, so cert-manager must be installed first; refer to the cert-manager add-on documentation to deploy it through EKS Blueprints Addons.

Deployment

With cert-manager in place, you can deploy the AWS Private CA Issuer add-on via EKS Blueprints Addons by setting the following parameters in the module.eks_blueprints_addons block:

module "eks_blueprints_addons" {
  # other required module inputs for your cluster omitted

  enable_cert_manager         = true   # the issuer is a cert-manager external issuer
  enable_aws_privateca_issuer = true
  aws_privateca_issuer = {
    # ARN of the AWS Private CA the issuer will sign with
    acmca_arn = aws_acmpca_certificate_authority.this.arn
  }
}

Helm Chart customization

It is possible to customize the deployment with Helm chart parameters inside the aws_privateca_issuer configuration block, for example to choose the namespace the issuer is installed into:

  aws_privateca_issuer = {
    acmca_arn        = aws_acmpca_certificate_authority.this.arn
    namespace        = "aws-privateca-issuer"
    create_namespace = true
  }

You can find all available Helm chart parameter values in the chart's values.yaml (see the Helm Chart link under Resources).
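Deploying the add-on only installs the controller. cert-manager still needs an issuer object that points at the CA and a Certificate that references that issuer. The manifests below are an added example and are not part of this page or of the EKS Blueprints project: the CA ARN, region and DNS name are placeholders, and the resource names are chosen to match the kubectl output shown under Validation. The arn must be the same CA you passed as acmca_arn, since the add-on's IAM permissions are granted against that CA.

```yaml
# Cluster-scoped issuer backed by AWS Private CA. Placeholders: replace the
# ARN and region with the CA you referenced as acmca_arn in Terraform.
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: tls-with-aws-pca-issuer
spec:
  arn: arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-ID
  region: us-east-1
---
# Certificate that cert-manager fulfils through the issuer above.
# The signed leaf, its private key and the CA chain land in the
# kubernetes.io/tls Secret named in secretName (tls.crt, tls.key, ca.crt).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example
  namespace: default
spec:
  commonName: example.internal          # placeholder name
  dnsNames:
    - example.internal
  duration: 2160h0m0s                   # 90 days
  renewBefore: 360h0m0s                 # renew 15 days before expiry
  usages:
    - server auth
    - client auth
  privateKey:
    algorithm: RSA
    size: 2048
  issuerRef:
    group: awspca.cert-manager.io       # required: this is not a built-in issuer
    kind: AWSPCAClusterIssuer
    name: tls-with-aws-pca-issuer
  secretName: example-clusterissuer
```

Apply the file with kubectl apply -f and then follow the Validation steps. The group field in issuerRef is what tells cert-manager to delegate the request to the external issuer; without it, cert-manager looks for a built-in ClusterIssuer of that name and the Certificate never becomes Ready.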

Validation

  1. List the pods running in the aws-privateca-issuer and cert-manager namespaces and confirm they are all Running.
kubectl get pods -n aws-privateca-issuer
kubectl get pods -n cert-manager
  2. Check the certificate status: it should be Ready and point to a secret created in the same namespace.
kubectl get certificate -o wide
NAME      READY   SECRET                  ISSUER                    STATUS                                          AGE
example   True    example-clusterissuer   tls-with-aws-pca-issuer   Certificate is up to date and has not expired   41m

kubectl get secret example-clusterissuer
NAME                    TYPE                DATA   AGE
example-clusterissuer   kubernetes.io/tls   3      43m
The secret is of type kubernetes.io/tls and holds three keys (tls.crt, tls.key and ca.crt). If the certificate stays in READY=False, describe it and its CertificateRequest (kubectl describe certificate example; kubectl get certificaterequest) to see whether the issuer rejected the request, for example because its IAM role is not permitted to issue from the referenced CA.

Resources

  - GitHub Repo
  - Helm Chart
  - AWS Docs