hello friends I have a basic EKS service set up using the ty Pulumi Community #aws

hello friends. I have a basic EKS service set up u...

refined-bear-62276

01/30/2021, 11:52 PM

hello friends. I have a basic EKS service set up using the typescript example. What's the shortest way to get a certificate and route53 domain associated with the service ip?

refined-bear-62276

01/30/2021, 11:53 PM

example used: https://github.com/pulumi/examples/blob/master/aws-ts-eks-hello-world/index.ts

billowy-army-68599

01/31/2021, 12:04 AM

hey! easiest way is to install the aws provider with

npm install

and then pass the service ip to a route53 record https://www.pulumi.com/docs/reference/pkg/aws/route53/record/ and an ACM certificate https://www.pulumi.com/docs/reference/pkg/aws/acm/certificate/

refined-bear-62276

01/31/2021, 12:08 AM

thanks, I managed to get it working in the console using A record and the ALIAS, I'll try to use your suggestions with those settings and see how it works 🙂

refined-bear-62276

01/31/2021, 9:03 AM

I managed to set up the record correctly but I can't seem to get the certificate to work. Always have this error: SSL_ERROR_RX_RECORD_TOO_LONG

refined-bear-62276

01/31/2021, 10:37 AM

no idea why this certificate keeps reporting that error, no matter what configuration I try to use the certificate always seems to result in this RX too long error

billowy-army-68599

02/01/2021, 3:42 AM

can you share your code?

refined-bear-62276

02/01/2021, 8:03 AM

Copy code

const repository = new awsx.ecr.Repository(`${pkg.name}-repo`);

// // Invoke 'docker' to actually build the DockerFile that is in the 'app' folder relative to
// // this program. Once built, push that image up to our personal ECR repo.
const image = repository.buildAndPushImage({
  dockerfile: "../apps/dedicated-game-server/Dockerfile",
  context: "../",
  cacheFrom: true,
});

// Create a VPC for our cluster.
const vpc = new awsx.ec2.Vpc("vpc", { numberOfAvailabilityZones: 2 });

// Create the EKS cluster itself and a deployment of the Kubernetes dashboard.
const cluster = new eks.Cluster("cluster", {
  vpcId: vpc.id,
  subnetIds: vpc.publicSubnetIds,
  desiredCapacity: 1,
  minSize: 1,
  maxSize: 1,
});

// Create a NGINX Deployment and load balanced Service, running our app.
const appName = "kennywtf";
const appLabels = { appClass: appName };
const deployment = new k8s.apps.v1.Deployment(
  `${appName}-dep`,
  {
    metadata: { labels: appLabels },
    spec: {
      replicas: 1,
      selector: { matchLabels: appLabels },
      template: {
        metadata: { labels: appLabels },
        spec: {
          containers: [
            {
              name: appName,
              image,
              ports: [{ name: "http", containerPort: 8999 }],
            },
          ],
        },
      },
    },
  },
  { provider: cluster.provider }
);

const service = new k8s.core.v1.Service(
  `${appName}-svc`,
  {
    metadata: { labels: appLabels },
    spec: {
      type: "LoadBalancer",
      ports: [
        { port: 80, targetPort: "http", name: "http" },
        { port: 443, targetPort: "http", name: "https" },
      ],
      selector: appLabels,
    },
  },
  { provider: cluster.provider }
);

const certificate = new aws.acm.Certificate("sslCert", {
  domainName,
  subjectAlternativeNames: [],
  validationMethod: "DNS",
});

// Create the necessary DNS records for ACM to validate ownership, and wait for it.
const sslCertValidationRecord = new aws.route53.Record(
  "sslCertValidationRecord",
  {
    zoneId: hostedZoneId,
    name: certificate.domainValidationOptions[0].resourceRecordName,
    type: certificate.domainValidationOptions[0].resourceRecordType,
    records: [certificate.domainValidationOptions[0].resourceRecordValue],
    ttl: 10 * 60 /* 10 minutes */,
  }
);

const sslCertValidationIssued = new aws.acm.CertificateValidation(
  "sslCertValidationIssued",
  {
    certificateArn: certificate.arn,
    validationRecordFqdns: [sslCertValidationRecord.fqdn],
  }
);
const main = aws.elb.getHostedZoneId({});

const webDnsRecord = new aws.route53.Record(
  "webDnsRecord",
  {
    name: domainName,
    type: "A",
    zoneId: hostedZoneId,
    aliases: [
      {
        evaluateTargetHealth: true,
        name: service.status.loadBalancer.ingress[0].hostname,
        zoneId: main.then((main) => main.id),
      },
    ],
  },
  { dependsOn: sslCertValidationIssued }
);

// // Export the URL for the load balanced service.

export const url = service.status.loadBalancer.ingress[0].hostname;
export const ip = service.status.loadBalancer.ingress[0].ip;

refined-bear-62276

02/01/2021, 8:04 AM

like I said, it deploys great and the domain points correctly to the service (kenny.wtf) but the cert doesnt seem to work. In the ACM dashboard the cert says

in use: no

which is strange to me

refined-bear-62276

02/01/2021, 10:36 PM

So, after playing around, I found that I can find the load balancer inside the EC2 management console. There, I was able to change the settings from TCP to secure TCP, and chose an ARN for a certificate I had made with pulumi

refined-bear-62276

02/01/2021, 10:37 PM

Now the question is, how do I automate that with pulumi...

billowy-army-68599

02/01/2021, 10:45 PM

hey! can you show me where you get

domainName

from?

billowy-army-68599

02/01/2021, 10:46 PM

does your cert have the right name when you look at it in the console?

refined-bear-62276

02/01/2021, 10:48 PM

domainName is just a string, I get it from the pulumi config

refined-bear-62276

02/01/2021, 10:49 PM

uhhh, yeah the cert has the right name

refined-bear-62276

02/01/2021, 10:51 PM

and now that I've manually attached it to this classic loadbalancer that I think was created when I made the k8s service, it finally says

in use: yes

refined-bear-62276

02/01/2021, 10:53 PM

so it looks like I can't just simply use the service loadbalancer output to attach a certificate alias to, that didn't work...

billowy-army-68599

02/01/2021, 11:00 PM

you mean the

<http://amazonaws.com|amazonaws.com>

name your ELB has?

refined-bear-62276

02/01/2021, 11:04 PM

I'm still not clear what the problem is, but something about connecting that domain, the cert, and the loadbalancer that is outputted from that k8s service doesnt click for https

refined-bear-62276

02/01/2021, 11:06 PM

it didnt work until I dug around the aws console manually and connected the cert to the classic loadbalancer manually

refined-bear-62276

02/01/2021, 11:18 PM

I followed this step to get it to work (starting from step 10, it was a complete hail mary): https://aws.amazon.com/premiumsupport/knowledge-center/terminate-https-traffic-eks-acm/

billowy-army-68599

02/01/2021, 11:32 PM

okay, I see what's happening here

billowy-army-68599

02/01/2021, 11:33 PM

here:

Copy code

const webDnsRecord = new aws.route53.Record(
  "webDnsRecord",
  {
    name: domainName,
    type: "A",
    zoneId: hostedZoneId,
    aliases: [
      {
        evaluateTargetHealth: true,
        name: service.status.loadBalancer.ingress[0].hostname,
        zoneId: main.then((main) => main.id),
      },
    ],
  },
  { dependsOn: sslCertValidationIssued }
);

you're creating an A record to your

service.status.loadBalancer.ingress[0].hostname

- make this a

CNAME

, not an

record

billowy-army-68599

02/01/2021, 11:36 PM

update your validationRecord to use an apply, example:

Copy code

validationRecordFqdns: sslCertValidationRecord.apply(r => r.map(record => record.fqdn))

billowy-army-68599

02/01/2021, 11:36 PM

(I think, I haven't tested this)

Open in Slack

Previous Next