AWS

This setup should be completed before the cluster becomes operational, so that routing and access work from the start.

A full domain is required for KSaaS to work properly. This domain name has to be onboarded to your DNS provider. Also set the domainName value in your configuration to this domain.

The Load Balancer IP is provisioned by cluster-api during the deployment process, and the DNS entry is managed by external-dns.

Then, ensure that your DNS zone is properly set up and reachable from within the cluster.

Afterwards, confirm the Load Balancer IP is available and can be resolved from the cluster itself after deployment.

Use the aws-tls overlay to configure cert-manager to use the Route53 issuer.

The following AWS credential and configuration values are required for cert-manager:

  • cert-manager-aws-access-key-id
  • cert-manager-aws-secret-access-key
  • cert-manager-aws-region
  • cert-manager-aws-hosted-zone-arn

To enable cert-manager to interact with Route53, apply the following IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/${HOSTED_ZONE_ID}"
    }
  ]
}

  • If you have multiple hosted zones, you can use arn:aws:route53:::hostedzone/* to allow access to all hosted zones.
  • When using this wildcard approach, set cert-manager-aws-hosted-zone-arn to an empty value.
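As an added example (not part of the KSaaS documentation or project code), the Python below builds the policy above for either a single hosted zone or the wildcard form, returning the matching cert-manager-aws-hosted-zone-arn value, and audits an arbitrary policy document for grants that exceed what cert-manager needs. The function names and the hosted zone ID used in the usage are hypothetical.

```python
import json

# Actions the policy above grants; anything beyond these is excess privilege.
ZONE_ACTIONS = {"route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"}
ALLOWED_ACTIONS = ZONE_ACTIONS | {"route53:GetChange"}


def build_policy(hosted_zone_id=None):
    """Return (policy document, cert-manager-aws-hosted-zone-arn value).

    hosted_zone_id=None selects the wildcard form, in which case the
    hosted-zone-arn setting must be left empty, as described above.
    """
    if hosted_zone_id:
        zone_arn = f"arn:aws:route53:::hostedzone/{hosted_zone_id}"
        config_arn = zone_arn
    else:
        zone_arn = "arn:aws:route53:::hostedzone/*"
        config_arn = ""
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "route53:GetChange",
             "Resource": "arn:aws:route53:::change/*"},
            {"Effect": "Allow", "Action": sorted(ZONE_ACTIONS),
             "Resource": zone_arn},
        ],
    }
    return policy, config_arn


def audit_policy(policy):
    """List findings where an Allow statement grants more than cert-manager needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        resources = stmt.get("Resource", [])
        resources = {resources} if isinstance(resources, str) else set(resources)
        for action in sorted(actions - ALLOWED_ACTIONS):
            findings.append(f"unexpected action {action}")
        if "*" in resources:
            findings.append("resource '*' grants the actions on every Route53 resource")
        elif any(r.endswith("hostedzone/*") for r in resources):
            findings.append("wildcard hosted zone: every zone in the account is writable")
    return findings


if __name__ == "__main__":
    # Hypothetical hosted zone ID, constructed for this example.
    doc, arn = build_policy("ZEXAMPLE1234567")
    print(json.dumps(doc, indent=2), arn, audit_policy(doc))
```

Run the audit against the policy actually attached to the cert-manager credentials: an empty list means it matches the grant shown on this page, and each finding names a grant to trim.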