Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

DNS Providers + TLS Certificates #84

Merged
merged 51 commits into from
Sep 9, 2022
Merged

DNS Providers + TLS Certificates #84

merged 51 commits into from
Sep 9, 2022

Conversation

dotxlem
Copy link
Collaborator

@dotxlem dotxlem commented Sep 6, 2022
edited
Loading

This PR adds support for DNS Providers, beginning with Amazon Route53. Having a hosted zone available for your domain, AssemblyLift will generate DNS records for your services. Additionally TLS certificates will be provisioned for each service; on AWS Lambda these are ACM certificates, and on K8S cert-manager is installed and certificates are obtained from Let's Encrypt.

DNS Providers are declared in the domains array in assemblylift.toml:

[[domains]]
dns_name = "akkoro.io"
[domains.provider]
name = "route53"
[domains.provider.options]
aws_region = "us-east-1"
cert_manager_aws_credentials_secret_name = "iam-cert-manager-r53"

To use a domain with a service, declare it in the api table in the service.toml:

[api]
domain_name = "akkoro.io" # matches dns_name in assemblylift.toml

DNS entries are created for each service which declares a domain name. Entries are A Records named <service-name>.<project-name> which point to the service. For Lambda-based services, these are aliases to an API Gateway endpoint.

For example a project named petshop and a service named pos you might invoke a function mounted at /checkout with:
curl https://pos.petshop.mydomain.com/checkout

Route53

The Route53 (R53) provider requires that the Hosted Zone for the domain name already exists in the region specified in provider.options.

When using R53 with the Kubernetes provider, cert-manager is deployed to provision TLS certificates from Let's Encrypt and keep them up-to-date. This requires cert-manager to have access to your R53 Hosted Zone in order to create the verification DNS entries. These credentials are expected to be in a generic Kubernetes secret named iam-cert-manager-r53 in the cert-manager namespace.

kubectl create secret generic iam-cert-manager-r53 -n cert-manager --from-literal=aws_region=<region> --from-literal=aws_access_key_id=<id> --from-literal=aws_secret_access_key=<key>

Let's Encrypt

This build will only provision a self-signed cert from the staging API and is not suitable for production. Toggling a production cert will come in another release :)

dotxlem added 30 commits August 1, 2022 21:20
@dotxlem
bump cli version && cargo update
7d06e5a
@dotxlem
add domain_name to api toml/context & gloo
c094cba
@dotxlem
fix docker ruby; fix Context::service
a188df9
@dotxlem
add domain name to lambda
0b5e12a
@dotxlem
add cmctl tool; impl Bindable for k8s service
ffc5ef4
@dotxlem
add Bootable trait, cert k8s tmpl; cast issuer
3b3c06b
@dotxlem
rm namespace from clusterissuer
ab1afc6
@dotxlem
apply issuer in boot as yaml
b5aff7a
@dotxlem
add debug print
7a89582
@dotxlem
fix kube apply; fix is_booted check
ed40ae4
@dotxlem
fix find op
958c9f9
@dotxlem
fix gloo cast
16a7f60
@dotxlem
remove gloo root cast
8f1f510
@dotxlem
try fixing gloo is_booted
42ddee2
@dotxlem
fix template, filter services
f307f5d
@dotxlem
more gloo boot
1d7f2fd
@dotxlem
add kubectl get_in_namespace; fix orders get
c86ee6a
@dotxlem
fix token json path
74529d7
@dotxlem
fix token find; fix is_booted; always boot
b84a081
@dotxlem
fix compilation
6500dbe
@dotxlem
fix compilation
55de417
@dotxlem
more cert boot; fix dns names
7261e0b
@dotxlem
fix json shapes, domain name
1d2fe20
@dotxlem
scaffold dns provider support
92272f3
@dotxlem
start r53 template & cast
cbab718
@dotxlem
r53 template
0456500
@dotxlem
r53 provider
930698b
@dotxlem
impl r53 gloo_proxy_ip; accidental rustfmt :)
7894622
@dotxlem
fix r53 tmpl & cast dns providers in k8s
f69d0c2
@dotxlem
fix dns provider toml
864fabd
@dotxlem dotxlem changed the title DNS Providers DNS Providers + TLS Certificates Sep 6, 2022
@dotxlem dotxlem marked this pull request as ready for review September 9, 2022 23:44
@dotxlem dotxlem merged commit bd7d6c4 into akkoro:mainline Sep 9, 2022
@dotxlem dotxlem deleted the dns-and-certs branch September 9, 2022 23:44
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@dotxlem