How can I get cert-manager to use AWS ACM-PCA to provision certificates for HTTPS ingresses?

I've previously used LetsEncrypt for the purpose but need to explore the possibility of using AWS ACM-PCA to issue certificates through cert-manager. For clarity, the setup with LE is/was fully functional and I've confirmed that the PCA itself works fine.

I've installed the AWS-PrivateCA-Issuer helm chart and the resources (and CRDs) have appeared as expected. I've created a ClusterIssuer as per this example YAML too - so far so good, the issuer shows itself as verified.

What I'm struggling with is annotating my ingresses properly to cause cert-manager to request and attach a certificate. I've added these annotations somewhat naively from what I've found in documentation:

cert-manager.io/issuer-kind: AWSPCAClusterIssuer
cert-manager.io/issuer-group: awspca.cert-manager.io

I wouldn't be at all surprised, however, if there's more that I've missed. As things stand, the secret specified in the ingress config simply doesn't get created.

I haven't found any examples online of how exactly to do this; can anyone provide some or point me in the right direction? Thanks.

asked Oct 30 '25 12:10 by user1381745


1 Answer

You're pretty close. You need the following annotations on your ingress:

cert-manager.io/issuer: <name of your issuer>
cert-manager.io/issuer-kind: AWSPCAClusterIssuer
cert-manager.io/issuer-group: awspca.cert-manager.io
cert-manager.io/common-name: <common name for the certificate>

Here's a POC ingress that I've successfully deployed:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: acm-pca-demo-ingress
  namespace: acm-pca-lab-demo
  annotations:
    # Deprecated since Kubernetes 1.18 in favour of spec.ingressClassName; kept as deployed.
    kubernetes.io/ingress.class: "nginx"
    # Read by cert-manager's ingress-shim: which issuer to use (name, kind and API group
    # of the AWSPCAClusterIssuer) and the CN to request.
    cert-manager.io/issuer: exampleca
    cert-manager.io/issuer-kind: AWSPCAClusterIssuer
    cert-manager.io/issuer-group: awspca.cert-manager.io
    cert-manager.io/common-name: test.example.local
spec:
  tls:
    - hosts:
        - test.example.local
      # Secret that cert-manager creates with the issued certificate and key.
      secretName: test-example-local-cert
  rules:
    - host: test.example.local
      http:
        paths:
          - path: /
            pathType: Exact
            backend:
              service:
                name: hello-world
                port:
                  number: 80

Note: The values specified under spec.tls[*].hosts are added to the certificate as the SAN (Subject Alternative Names) field.

answered Nov 02 '25 23:11 by Andy Bohne
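To make the difference between the question's annotations and the answer's concrete, here is an added Python check (not from the question, the answer or the AWS PCA issuer project) that flags what cert-manager's ingress-shim needs on an Ingress and builds the Certificate it derives from it. The mapping of spec.tls hosts to dnsNames and of the annotations to issuerRef and commonName is ingress-shim's documented behaviour as I know it; the sample Ingress dicts are constructed to mirror the two manifests on this page.

```python
# Added illustration, not code from the question, the answer or the AWS PCA issuer project:
# check an Ingress for the annotations the answer lists and derive the resulting Certificate.
REQUIRED = ("cert-manager.io/issuer", "cert-manager.io/issuer-kind", "cert-manager.io/issuer-group")
PCA_GROUP = "awspca.cert-manager.io"
PCA_KINDS = {"AWSPCAIssuer", "AWSPCAClusterIssuer"}

def check_ingress(ing):
    """Return problems ingress-shim would trip over; empty means it will issue."""
    ann = ing["metadata"].get("annotations", {})
    problems = [f"missing annotation {a}" for a in REQUIRED if a not in ann]
    if (ann.get("cert-manager.io/issuer-group") == PCA_GROUP
            and ann.get("cert-manager.io/issuer-kind") not in PCA_KINDS):
        problems.append("issuer-kind must be AWSPCAIssuer or AWSPCAClusterIssuer")
    tls = ing["spec"].get("tls") or []
    if not tls:
        problems.append("spec.tls is empty: nothing to issue a certificate for")
    for i, entry in enumerate(tls):
        if not entry.get("secretName"):
            problems.append(f"spec.tls[{i}] has no secretName")
        if not entry.get("hosts"):
            problems.append(f"spec.tls[{i}] has no hosts, so no SANs")
    return problems

def expected_certificate(ing, tls_index=0):
    """Certificate ingress-shim derives for one spec.tls entry (one per entry)."""
    ann = ing["metadata"]["annotations"]
    entry = ing["spec"]["tls"][tls_index]
    spec = {"secretName": entry["secretName"], "dnsNames": list(entry["hosts"]),  # hosts -> SANs
            "issuerRef": {"name": ann["cert-manager.io/issuer"], "kind": ann["cert-manager.io/issuer-kind"],
                          "group": ann["cert-manager.io/issuer-group"]}}
    if "cert-manager.io/common-name" in ann:
        spec["commonName"] = ann["cert-manager.io/common-name"]
    return {"apiVersion": "cert-manager.io/v1", "kind": "Certificate", "spec": spec,
            "metadata": {"name": entry["secretName"],
                         "namespace": ing["metadata"]["namespace"]}}

def make_ingress(annotations):
    """Constructed Ingress in the shape `kubectl get ingress -o json` returns."""
    return {"metadata": {"name": "acm-pca-demo-ingress", "namespace": "acm-pca-lab-demo",
                         "annotations": annotations},
            "spec": {"tls": [{"hosts": ["test.example.local"],
                              "secretName": "test-example-local-cert"}]}}

# The question's annotations (kind and group only) next to the answer's four.
QUESTION_INGRESS = make_ingress({"cert-manager.io/issuer-kind": "AWSPCAClusterIssuer",
                                 "cert-manager.io/issuer-group": PCA_GROUP})
ANSWER_INGRESS = make_ingress({
    "cert-manager.io/issuer": "exampleca", "cert-manager.io/issuer-kind": "AWSPCAClusterIssuer",
    "cert-manager.io/issuer-group": PCA_GROUP, "cert-manager.io/common-name": "test.example.local"})
```

Running check_ingress on the question's Ingress reports only the missing cert-manager.io/issuer annotation, which is why no Secret ever appeared; on the answer's Ingress it reports nothing and expected_certificate shows the Certificate (named after the secretName) that cert-manager will create.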


