Setting up DNS and TLS in AWS

Any service or model endpoint has to be exposed through a domain, either to the external world or to an internal network. This document walks you through setting that up in your AWS EKS cluster; any number of domains can be set up for a cluster.

Setting up DNS

There are two kinds of domains that you can set up for TrueFoundry workloads:

  1. Wildcard domains - *.example.com, *.tfy.example.com, *.ml.example.com
  2. Non-wildcard domains - tfy.example.com, dev.example.com, prod.example.com

Wildcard domains (recommended)

With a wildcard domain, one subdomain wildcard is dedicated to resolving endpoints in the EKS cluster. In the samples below, example.com is your domain; services are exposed as

  • service1.tfy.example.com
  • service2.tfy.example.com

Non-wildcard domains

With a non-wildcard domain, a single dedicated hostname resolves all endpoints and individual services are distinguished by path. Sample service endpoints look like

  • tfy.example.com/service1
  • tfy.example.com/service2

Load balancer IP address

Once a domain name is decided, a DNS record must map it to the load balancer in front of the EKS cluster. To get the load balancer's address (the command reads the hostname the NLB publishes, which is why the record below is a CNAME), run the following against your EKS cluster

kubectl get svc tfy-istio-ingress -n istio-system -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'

Create a DNS record in Route 53 (or your DNS provider) with the following details

Record Type   Record Name          Record value
CNAME         *.tfy.example.com    LOADBALANCER_IP_ADDRESS
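As an added example (not TrueFoundry's own tooling), the script below wires the record above up with the AWS CLI: it reads the load balancer hostname with the kubectl command from this page, refuses a bare IPv4 literal (a CNAME may only point at a name), and UPSERTs the CNAME into Route 53. HOSTED_ZONE_ID and RECORD_NAME are assumed environment variables; the live steps run only when both are set, so the helper functions can be sourced and exercised offline.

```shell
#!/bin/sh
# Added example, not part of TrueFoundry's docs or tooling.
# Maps the wildcard record to the NLB hostname of tfy-istio-ingress via Route 53.
set -eu

# Build a Route 53 change batch that UPSERTs one CNAME record.
# $1 = record name (e.g. *.tfy.example.com), $2 = target hostname, $3 = TTL in seconds (default 300)
build_cname_change_batch() {
  name="$1"; target="$2"; ttl="${3:-300}"
  printf '{"Comment":"tfy-istio-ingress","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}' \
    "$name" "$ttl" "$target"
}

# Return 0 if $1 is a DNS hostname: letters, digits, dots and hyphens only, and
# not a bare IPv4 literal. A CNAME may only point at a name, and an AWS NLB is
# exposed as a DNS name, which is why this page uses a CNAME rather than an A record.
is_hostname() {
  case "$1" in
    "" | *[!A-Za-z0-9.-]*) return 1 ;;   # empty or illegal characters
    *[!0-9.]*)             return 0 ;;   # contains a letter or hyphen: a hostname
    *)                     return 1 ;;   # only digits and dots: an IPv4 literal
  esac
}

# The command from this page: the NLB hostname published on the ingress Service.
get_lb_hostname() {
  kubectl get svc tfy-istio-ingress -n istio-system \
    -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
}

# UPSERT record $1 -> $2 into the hosted zone named by HOSTED_ZONE_ID (assumed variable).
apply_cname() {
  if ! is_hostname "$2"; then
    echo "refusing to create CNAME: '$2' is not a hostname" >&2
    return 1
  fi
  aws route53 change-resource-record-sets \
    --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$(build_cname_change_batch "$1" "$2")"
}

# Live steps run only when both assumed variables are set, so the helpers above
# can be sourced and tested without cluster or AWS access.
if [ -n "${HOSTED_ZONE_ID:-}" ] && [ -n "${RECORD_NAME:-}" ]; then
  lb="$(get_lb_hostname)"
  apply_cname "$RECORD_NAME" "$lb"
  # After propagation, the wildcard owner name should resolve to the NLB hostname.
  dig +short "$RECORD_NAME" CNAME
fi
```

Run it as `HOSTED_ZONE_ID=Z0EXAMPLE RECORD_NAME='*.tfy.example.com' sh setup-dns.sh` with kubectl and the AWS CLI already authenticated; the hosted zone id placeholder is constructed here and must be replaced with your zone's id.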

Setting up TLS

There are two ways to terminate the TLS traffic coming into the EKS cluster.

  • Terminating the TLS traffic at the Network Load balancer
  • Terminating the TLS traffic at Istio layer

You can choose either option. On EKS, however, it is best to terminate TLS at the Network Load Balancer using a certificate from AWS Certificate Manager (ACM).

Creating and attaching a certificate using AWS Certificate Manager

  • In the AWS console, head over to AWS Certificate Manager and request a public certificate.
  • ACM gives you a CNAME record and value to create in your DNS provider (Route 53) for domain validation. Wait for the certificate to reach the active state and copy its ARN.
  • Once the certificate is active, head over to the TrueFoundry platform's Deployments -> Helm (filter helm charts for your cluster) -> tfy-istio-ingress.
  • Edit tfy-istio-ingress and add the following annotation, with CERTIFICATE_ARN replaced by the ARN copied above:
    gateway:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: CERTIFICATE_ARN
    
  • Then edit tfy-istio-ingress with the domain names to serve (here *.example.com is added):
    tfyGateway:
      name: 'tfy-wildcard'
      spec:
        selector:
          istio: 'tfy-istio-ingress'
        servers:
          - hosts:
            - "*.example.com"
            port:
              name: http-tfy-wildcard
              number: 80
              protocol: HTTP
            tls:
              httpsRedirect: true
          - hosts:
            - "*.example.com"
            port:
              name: https-tfy-wildcard
              number: 443
              protocol: HTTP
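Once the annotation and gateway hosts are in place, the checks below (an added example, not TrueFoundry's own code) confirm the result from outside the cluster: is_acm_arn guards the annotation value before it is applied, the annotation is read back from the Service with kubectl, and a plain-HTTP request on port 80 is checked for the 301 to an https:// URL that httpsRedirect: true produces. Because TLS terminates at the NLB, the gateway's port 443 server above is plain HTTP, so the certificate check has to be made against the public hostname rather than the pod. HOST (a hostname under your wildcard) and CERT_ARN are assumed environment variables; the helpers run offline without them.

```shell
#!/bin/sh
# Added example, not part of TrueFoundry's docs or tooling.
# Post-setup checks for TLS terminated at the NLB with an ACM certificate.
set -eu

# Return 0 if $1 has the shape of an ACM certificate ARN; anything else
# (an IAM server certificate, a bare UUID, an empty string) is rejected before
# it ends up in the aws-load-balancer-ssl-cert annotation.
is_acm_arn() {
  case "$1" in
    arn:aws:acm:?*:?*:certificate/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read the annotation back from the ingress Service (dots in the key are escaped for jsonpath).
current_ssl_cert_annotation() {
  kubectl get svc tfy-istio-ingress -n istio-system \
    -o jsonpath='{.metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert}'
}

# Given raw HTTP response headers in $1, return 0 only if the status line is a
# redirect (301/302/307/308) and the Location header points at an https:// URL.
# This is what the port-80 server with httpsRedirect: true should produce.
is_https_redirect() {
  printf '%s\n' "$1" | awk '
    NR == 1 && $2 !~ /^30[1278]$/                     { bad = 1 }
    tolower($1) == "location:" && $2 ~ /^https:\/\//  { found = 1 }
    END { exit (found && !bad) ? 0 : 1 }'
}

# Fetch only the headers for a plain-HTTP request to $1 and test the redirect.
check_redirect() {
  is_https_redirect "$(curl -sS -o /dev/null -D - "http://$1/")"
}

# Show the certificate the NLB actually presents for $1 (SNI set to $1).
show_presented_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Live checks run only when both assumed variables are set.
if [ -n "${HOST:-}" ] && [ -n "${CERT_ARN:-}" ]; then
  is_acm_arn "$CERT_ARN" || { echo "CERT_ARN is not an ACM certificate ARN" >&2; exit 1; }
  [ "$(current_ssl_cert_annotation)" = "$CERT_ARN" ] \
    || echo "warning: Service annotation does not match CERT_ARN" >&2
  check_redirect "$HOST" && echo "http -> https redirect OK"
  show_presented_cert "$HOST"
fi
```

Run it as `HOST=app.tfy.example.com CERT_ARN='arn:aws:acm:...' sh check-tls.sh` after the DNS record has propagated; if the subject printed by show_presented_cert is not your ACM certificate, the annotation has not been picked up by the NLB yet.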