|
| 1 | +--- |
| 2 | +title: Amazon Web Services |
| 3 | +linktitle: Amazon |
| 4 | +type: docs |
| 5 | +description: Setting up TLS and DNS on Amazon Web Services |
| 6 | +weight: 100 |
| 7 | +--- |
| 8 | + |
| 9 | +## Prerequisites |
| 10 | + |
| 11 | +- cluster created using Jenkins X [GCP Terraform getting started](/v3/admin/platform/gke/) |
| 12 | +- own a domain and have GCP manage it, [configure cloud dns to manage a domain](/v3/guides/infra/google_cloud_dns) |
| 13 | +- latest Jenkins X CLI, Infrastructure and Cluster git repository updates [upgrade](/v3/guides/upgrade) |
| 14 | + |
| 15 | +### Cloud Infrastructure |
| 16 | +First we will configure the cloud infrastructure requirements: |
| 17 | + |
| 18 | +- a GCP Service Account with the `dns.admin` role, see [here](https://cloud.google.com/iam/docs/understanding-roles#dns-roles) for more information |
| 19 | +- a managed cloud dns zone, see [here](https://cloud.google.com/dns/docs/zones) for more information |
| 20 | + |
| 21 | +To satisfy these requirements go to your infrastructure repository (contains Terraform main.tf) and add to your `values.auto.tfvars` the following: |
| 22 | + |
| 23 | +```yaml |
| 24 | +apex_domain = "foo.io" |
| 25 | +``` |
| 26 | + |
| 27 | +Most people prefer to use a subdomain for a specific installation rather than purchasing one domain per cluster. For example in a multi cluster setup you will probably want all using the same parent domain but two clusters using a different subdomain like development.foo.io, staging.foo.io leaving production using just the parent domain foo.io. |
| 28 | + |
| 29 | +To use a subdomain for this cluster add the following configuration: |
| 30 | + |
| 31 | +```yaml |
| 32 | +subdomain = "dev" |
| 33 | +``` |
| 34 | + |
| 35 | +We will now add details that will be passed to Jenkins X as requirements when booting the cluster. |
| 36 | + |
| 37 | +Add these to `values.auto.tfvars` |
| 38 | +```yaml |
| 39 | +lets_encrypt_production = true |
| 40 | + |
| 41 | +``` |
| 42 | + |
| 43 | + |
| 44 | +Now apply these changes: |
| 45 | + |
| 46 | +```bash |
| 47 | +git add values.auto.tfvars |
| 48 | +git commit -m 'feat: enable DNS cloud resources' |
| 49 | +git push |
| 50 | +``` |
| 51 | +You may want to set two environment variables here so that Terraform does not prompt for values |
| 52 | +``` |
| 53 | +export TF_VAR_jx_bot_username= |
| 54 | +export TF_VAR_jx_bot_token= |
| 55 | +``` |
| 56 | +now run |
| 57 | +```bash |
| 58 | +terraform plan |
| 59 | +terraform apply |
| 60 | +``` |
| 61 | + |
| 62 | +If using a subdomain you will now see your managed zone in GCP [here](https://console.cloud.google.com/net-services/dns/zones) |
| 63 | + |
| 64 | +__Once terraform has finished for now there is a manual trigger of the Jenkins X cluster repository required. This will not be needed in the future but for now please make a dummy commit on your cluster git repository and follow the boot job as in applies the updates to your cluster.__ |
| 65 | + |
| 66 | +To follow the jx boot installation using the instructions given in the terraform output, connect to the cluster and run: |
| 67 | + |
| 68 | +```bash |
| 69 | +jx admin logs |
| 70 | +``` |
| 71 | + |
| 72 | +There is a timing issue with cert-manager and the admission controller so the first boot job may fail but second will run automatically and succeed. |
| 73 | + |
| 74 | + |
| 75 | +It can take a short while for DNS to propagate so you may need to wait for 5 - 10 minutes. https://dnschecker.org/ is a useful way to check the status of DNS propagating. |
| 76 | + |
| 77 | +To verify using the CLI run: |
| 78 | +```bash |
| 79 | +kubectl get ingress -n jx |
| 80 | +``` |
| 81 | +and use the hook URL |
| 82 | +```bash |
| 83 | +jx verify tls hook-jx.dev.foo.io --production=false --timeout 20m |
| 84 | +``` |
| 85 | + |
| 86 | +You should be able to verify the TLS certificate from Lets Encrypt in your browser (beware of browser caching if you don't see any changes) |
| 87 | + |
| 88 | + |
| 89 | + |
| 90 | +Once this is working you can switch any of the configuration using your cluster git repository and change the jx-requirements.yaml, e.g. toggling the cert-manager production service or editing the email address used: |
| 91 | + |
| 92 | +```yaml |
| 93 | +ingress: |
| 94 | + domain: dev.foo.io |
| 95 | + externalDNS: true |
| 96 | + namespaceSubDomain: -jx. |
| 97 | + tls: |
| 98 | + |
| 99 | + enabled: true |
| 100 | + production: true |
| 101 | +``` |
| 102 | +
|
| 103 | +Git commit and push the change back to your remote git repository and follow the installation: |
| 104 | +
|
| 105 | +```bash |
| 106 | +jx admin logs |
| 107 | +``` |
| 108 | +You will now be issued a valid TLS certificate |
| 109 | + |
| 110 | +```bash |
| 111 | +jx verify tls hook-jx.dev.foo.io --production=true --timeout 20m |
| 112 | +``` |
0 commit comments