TLS with AWS PCA Issuer

This pattern demonstrates how to enable TLS with AWS PCA issuer on an Amazon EKS cluster.


See here for the prerequisites and steps to deploy this pattern.


  1. List all the pods running in the aws-privateca-issuer and cert-manager namespaces.

    kubectl get pods -n aws-privateca-issuer
    kubectl get pods -n cert-manager
  2. View the certificate status in the default namespace. It should be in the Ready state and point to a secret created in the same namespace.

    kubectl get certificate -o wide
    NAME      READY   SECRET                  ISSUER                    STATUS                                          AGE
    example   True    example-clusterissuer   tls-with-aws-pca-issuer   Certificate is up to date and has not expired   41m
    kubectl get secret example-clusterissuer
    NAME                    TYPE                DATA   AGE
    example-clusterissuer   3      43m
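
The two checks above can be scripted so that a pipeline fails when the certificate is not Ready or was not issued through AWS PCA. This is an added example, not part of the original pattern: the function name `verify_pca_cert` is hypothetical, and it assumes `openssl` is installed and that the Certificate's issuerRef uses the `awspca.cert-manager.io` API group.

```shell
#!/bin/sh
# Added example (not from the pattern's repository).
# Assumptions: kubectl context points at the cluster, openssl is installed,
# and the Certificate uses an issuer from the awspca.cert-manager.io API group.

verify_pca_cert() {
  cert="${1:-example}"   # Certificate name shown in the output above
  ns="${2:-default}"

  # 1. Wait for cert-manager to set the Ready condition; non-zero on timeout.
  kubectl wait --for=condition=Ready "certificate/$cert" -n "$ns" \
    --timeout=120s >/dev/null || { echo "FAIL: $cert is not Ready" >&2; return 1; }

  # 2. Confirm the issuerRef is an AWS PCA issuer rather than another issuer type.
  group=$(kubectl get certificate "$cert" -n "$ns" \
    -o jsonpath='{.spec.issuerRef.group}')
  [ "$group" = "awspca.cert-manager.io" ] || {
    echo "FAIL: issuerRef group is '$group'" >&2; return 1; }

  # 3. Resolve the Secret from the Certificate spec and check its type.
  secret=$(kubectl get certificate "$cert" -n "$ns" -o jsonpath='{.spec.secretName}')
  stype=$(kubectl get secret "$secret" -n "$ns" -o jsonpath='{.type}')
  [ "$stype" = "kubernetes.io/tls" ] || {
    echo "FAIL: secret $secret has type '$stype'" >&2; return 1; }

  # 4. Decode only the public certificate (never the key) and check validity.
  pem=$(kubectl get secret "$secret" -n "$ns" \
    -o jsonpath='{.data.tls\.crt}' | base64 -d)
  [ -n "$pem" ] || { echo "FAIL: tls.crt is empty" >&2; return 1; }
  printf '%s\n' "$pem" | openssl x509 -noout -issuer -subject -enddate >&2
  printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null || {
    echo "FAIL: certificate has expired" >&2; return 1; }

  echo "OK: $cert issued via AWS PCA, stored in $secret"
}

# Usage: verify_pca_cert example default
```

The issuer and expiry details are written to stderr, so stdout carries only the final OK line.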


    terraform destroy -target="module.eks_blueprints_addons" -auto-approve
    terraform destroy -target="module.eks" -auto-approve
    terraform destroy -auto-approve

See here for more details on cleaning up the resources created.