Configuring DNS, SSL, Ingress and Auto DevOps for a Custom Domain

Scenarios: Instructor-Led, Self-Paced

This section makes the following assumptions:

  • The domain being used is managed in AWS Route 53
  • That for a test setup it is OK to have the ELB to EKS Ingress traffic unencrypted.
  • That you will substitute your custom domain for the sample one (eks.devops4the.win) used in the exercise.

Additional Cost Estimates

For us-east-2

Item Estimated Cost Reduce or Eliminate
AWS Certificate Services (ACM) Cert Free
DNS Zone Record for Custom Domain $0.50/Mo Cannot be disabled, only destroying eliminates cost

AWS Route 53 Setup

  1. If the zone does not exist, in the AWS Route 53 console, Click Create hosted zone

  2. In ‘Domain name’ Type eks.devops4the.win (use your domain instead - it does not need to be a subdomain like this one)

  3. Select Public hosted zone

  4. Click Create hosted zone

  5. To create a wild card record for the domain, Click Create record

    1. For ‘Record name’ Type ***** (star character)
    2. On the right of the page, to the right of the word ‘Value’ Click Alias (toggle button)
    3. For the newly appeared ‘Route traffic to’ field, Click the small down arrow on the right
    4. In the ‘Drop down list’ Select Alias to Application and Classic Load Balancer
    5. In ‘Chose Region’ Click the small down arrow on the right
    6. In the ‘Drop down list’ Select us-east-2
    7. Click Choose load balancer
    8. Select The Load Balancer Associated With Your EKS Cluster Ingress IMPORTANT: If there is more than one load balancer, you can use the EC2 Load Balancer console and check the “Tags” tab of each one until you find one with a key named kubernetes.io/cluster/spot2azuseast2
    9. Click Create records

  6. KUBE_INGRESS_BASE_DOMAIN is used for Auto DevOps - therefore we are configuring it at the top group level for which we would like the cluster in question to be usable for Auto DevOps for all downbound groups and projects.

  7. In the GitLab group ‘classgroup’ Click Settings > CI/CD

  8. Next to ‘Variables’ Click Expand

  9. Click Add variable once for each table row (or update the variables if they are already there)

    Key Value Protect Mask
    KUBE_INGRESS_BASE_DOMAIN eks.devops4the.win No No

Certificate Setup

  1. In the AWS ‘Certificate Manager’ console Click Request (button)
  2. On the ‘Request certificate’ page, Click Request a public certificate and Click Next
  3. Under ‘Fully qualified domain name’ Type *.eks.devops4the.win (the * must be included)
  4. Under ‘Select validation method’ Select DNS validation - recommended
  5. Click Request (button)
  6. For the row that contains *.eks.devops4the.win, Click the certificate id (e.g. “667ecb1f-c8ff-4b70-b6fd-f0ab9027a7da”)
  7. Under ‘Domains’ Click Create records in Route 53
  8. On the page ‘Create DNS records in Amazon Route 53’ Click Create records
  9. Return to the ‘Certificates list’ (hint: there is a navigation breadcrumb trail at the top of the page)
  10. Click the refresh cycle icon (button) until your new certificate status changes from ‘Pending validation’ to ‘Issued’
  11. Once the Certificate is in the ‘Issued’ state, click the Certificate ID to see the details
  12. On the ‘Certificate status’ page, under ‘ARN’ Copy the ARN or leave this page open for copying and pasting in the next section.

Update Cluster Management Project to Install the NGINX Ingress with ACM Cert and Remove Cert Manager If Installed

update for removal

  1. In ‘classgroup/cluster-management’ Start the Web IDE.

  2. Edit the file ‘helmfile.yaml’ and uncomment the line - path: applications/ingress/helmfile.yaml

  3. Edit the file ‘applications/ingress/values.yaml’ and add the following at the very top: global.ingress.tls.enabled: false

  4. At the bottom add the following

      config:
    # pass the X-Forwarded-* headers directly from the upstream
    use-forwarded-headers: "true"
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 'https'
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "CERTIFICATE_ARN_GOES_HERE"
    targetPorts:
      https: http

  5. In the above, paste over CERTIFICATE_ARN_GOES_HERE with the actual certificate ARN from the previous section.

  6. Click Commit…

  7. Select Commit to master branch

  8. Click Commit

Teardown and Cleanup

  1. In the AWS ‘Certificate Manager’ console Locate the previously created certificate
  2. Click the checkbox at the start of the identified row and then in the upper right, Click Delete (button).
  3. In the ‘Delete selected certificates’ popup, Type delete and Click Delete.
  4. In the AWS Route 53 console, Click Hosted zones.
  5. Click the domain name used (eks.devops4the.win in these instructions) to edit the zone records.
  6. Locate the CNAME record used for certificate validation (like the only CNAME record) and Click the checkbox at the start of the identified row.
  7. In the upper right, Click Delete Record (button).
  8. In the ‘Delete selected record?’ popup, Click Delete.
  9. Repeat the record deletion procedure for the DNS wildcard record (*.eks.devops4the.win in these instructions)
  10. Click Hosted zones.
  11. Locate the domain name used (eks.devops4the.win in these instructions) and Click the Checkbox at the start of the identified row.
  12. In the upper right, Click Delete (button).
  13. In the ‘Delete hosted zone’ popup, Type delete and Click Delete.