Certificates

TLS certificates are vital in today's internet application landscape.

They provide applications with:

  • A better SEO ranking
  • Security
  • Trust

Usage

Defaults

Each environment is provided with a default domain and certificate automatically.

# Non Production
ENV.PROJECT.CLUSTER.skpr.dev

# Production
ENV.PROJECT.CLUSTER.skpr.live

Configuring an environment

As extra routes are added to the application, additional certificates are generated in the background and applied to the environment.

ingress:
  routes:
    - example.com
    - www.example.com

Validating a Certificate

Certificates are validated with DNS to provide low friction when provisioning environments.

To check the status of a certificate, run the following command.

$ skpr info dev

......


Certificates:
--------------------------
Status: ISSUED                                                           
Name:   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.example.com.      
Type:   CNAME                                                            
Value:  yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.yyyyyyyyyy.acm-validations.aws.

Status: ISSUED                                                           
Name:   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.www.example.com.      
Type:   CNAME                                                            
Value:  yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.yyyyyyyyyy.acm-validations.aws.

Customers are required to add the DNS entries shown above (Name, Type and Value) for validation.
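The check described above can be scripted. This is an added example, not part of Skpr or its documentation: it parses the Certificates section in the layout shown and compares each validation record with the CNAME answers observed in DNS. It assumes only the Certificates section is passed in. The PENDING_VALIDATION status is ACM's name for an unvalidated certificate, and that skpr prints it verbatim is an assumption. All names and values are constructed placeholders.

```python
import re

# Constructed sample in the layout printed by `skpr info`; names, values and
# the PENDING_VALIDATION status are placeholders, not real output.
SAMPLE = """\
Certificates:
--------------------------
Status: ISSUED
Name:   _aaa111.example.com.
Type:   CNAME
Value:  _bbb222.cccc.acm-validations.aws.

Status: PENDING_VALIDATION
Name:   _ddd333.www.example.com.
Type:   CNAME
Value:  _eee444.cccc.acm-validations.aws.
"""
# Constructed DNS answers (name -> CNAME target); the second record is absent.
SAMPLE_DNS = {"_aaa111.example.com": "_BBB222.cccc.acm-validations.aws."}

FIELD = re.compile(r"^(Status|Name|Type|Value):\s*(\S+)\s*$")

def fqdn(name):
    """DNS names compare case-insensitively, with or without the root dot."""
    return name.rstrip(".").lower()

def parse_certificates(text):
    """Return one dict per Status/Name/Type/Value block."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # heading, rule or blank line
        if m.group(1) == "Status":
            records.append({})  # a Status line opens a new record
        if records:
            records[-1][m.group(1).lower()] = m.group(2)
    return records

def check(records, dns):
    """Return (name, status, dns_state, zone_line) for each validation record."""
    answers = {fqdn(k): fqdn(v) for k, v in dns.items()}
    report = []
    for r in records:
        seen = answers.get(fqdn(r["name"]))
        state = "missing" if seen is None else "ok" if seen == fqdn(r["value"]) else "mismatch"
        report.append((r["name"], r["status"], state, f"{r['name']} IN {r['type']} {r['value']}"))
    return report
```

In practice the dns mapping would be filled from a resolver query for each Name (for example dig +short CNAME). ACM also relies on the same CNAME for managed renewal, so an ISSUED certificate whose record reports missing or mismatch is worth fixing too.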

Deep Dive

Certificates are managed by AWS Certificate Manager.

Certificates are automatically provisioned by the Operator Project as new domains are added to an environment.

The operator has 2 roles.

  • CertificateRequest - https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
  • Certificate - Manages provisioning and lifecycle of CertificateRequests.

  • Desired - The certificate which we want to be provisioned (can be the same as the active certificate).
  • Active - Current certificate which is being provided to CloudFront.
  • Old - Issued certificates which are not currently required.
