Privacy Dynamics Self-hosted

Configure DNS records

Create a subdomain to house Privacy Dynamics

Installation best practice is to partition Privacy Dynamics off into its own subdomain, keeping it separate from the rest of the customer's infrastructure. A subdomain dedicated to the Privacy Dynamics endpoints also ensures that ExternalDNS cannot unintentionally interfere with the customer's other Route 53 records.

The example domain is used throughout the documentation and is intended to represent the customer's domain name. The customer's domain should be used wherever is present in code samples.

Create DNS zone

All Privacy Dynamics services should be hosted within a zone (aka subdomain). To create a new zone in Route 53, follow the steps in this AWS article.

Each service within Privacy Dynamics has its own DNS record. The web-based UI should be and the API should be . The DNS A records for app and api are created automatically in a later step, when the service ingresses are added.

Install ExternalDNS

ExternalDNS publishes DNS records for resources in the cluster, making them discoverable by name. Install it into its own namespace:

$ kubectl create namespace external-dns

Create IAM policy for ExternalDNS

Create an IAM policy that grants the ExternalDNS pod permission to create, update, and delete Route 53 records in your AWS account. We recommend naming the policy dns-manager and giving it the permissions defined in the dns-manager-policy.json file.

Create an IAM OIDC identity provider

To use AWS Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster. Create an IAM OIDC identity provider for your cluster with the command below.

$ eksctl utils associate-iam-oidc-provider \
 --region=AWS_REGION --cluster=CLUSTER_NAME

Replace CLUSTER_NAME with your cluster's name and AWS_REGION with the cluster's region, for example us-west-2.

Create an IAM role for the service account.

$ eksctl create iamserviceaccount --name external-dns \
 --namespace external-dns \
 --cluster CLUSTER_NAME \
 --attach-policy-arn IAM_POLICY_ARN \
 --approve --region=AWS_REGION

Replace CLUSTER_NAME with your cluster's name, IAM_POLICY_ARN with the ARN of the dns-manager policy created above, and AWS_REGION with the cluster's region, for example us-west-2.
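The steps above leave the contents of dns-manager-policy.json to the customer. The script below is an added example, not Privacy Dynamics' own policy file: it renders a least-privilege policy for the external-dns service account that can only change records in the single Route 53 hosted zone holding the Privacy Dynamics subdomain (the upstream ExternalDNS tutorial policy allows route53:ChangeResourceRecordSets on every hosted zone, which defeats the isolation the dedicated subdomain is meant to give). The hosted zone ID, cluster name and region are assumed inputs; the aws and eksctl invocations mirror the commands on this page and only run when the script is invoked with --apply.

```shell
#!/usr/bin/env bash
# Added example (not Privacy Dynamics' dns-manager-policy.json): render a
# least-privilege IAM policy for the ExternalDNS service account that can only
# change records in the one Route 53 hosted zone holding the Privacy Dynamics
# subdomain, then (optionally) create the policy, OIDC provider and IAM
# service account with the same aws/eksctl commands the page uses.
# Assumed inputs: the hosted zone ID, the EKS cluster name and its region.
set -eu

# Sanity check on a Route 53 hosted zone ID: "Z" followed by uppercase
# alphanumerics. This is a plausibility check, not AWS's formal spec.
valid_zone_id() {
  printf '%s' "$1" | grep -Eq '^Z[A-Z0-9]{8,31}$'
}

# Print the policy document. Mutating and listing records is scoped to the
# single hosted zone ARN; only ListHostedZones (which has no resource-level
# permission) needs "*".
render_dns_manager_policy() {
  zone_id="$1"
  if ! valid_zone_id "$zone_id"; then
    echo "invalid hosted zone id: $zone_id" >&2
    return 1
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageRecordsInPrivacyDynamicsZoneOnly",
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/${zone_id}"
    },
    {
      "Sid": "DiscoverHostedZones",
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Guard: refuse a policy that still grants write access to every hosted zone.
policy_has_no_zone_wildcard() {
  ! printf '%s' "$1" | grep -q 'hostedzone/\*'
}

# Create the policy and wire it to the external-dns service account (same
# commands as the page, with the policy ARN captured instead of pasted).
apply_external_dns_iam() {
  zone_id="$1"; cluster="$2"; region="$3"
  render_dns_manager_policy "$zone_id" > dns-manager-policy.json
  policy_arn=$(aws iam create-policy --policy-name dns-manager \
    --policy-document file://dns-manager-policy.json \
    --query Policy.Arn --output text)
  eksctl utils associate-iam-oidc-provider \
    --region="$region" --cluster="$cluster" --approve
  eksctl create iamserviceaccount --name external-dns \
    --namespace external-dns --cluster "$cluster" \
    --attach-policy-arn "$policy_arn" --approve --region="$region"
}

# Only talk to AWS when explicitly asked, e.g.
#   ./external-dns-iam.sh --apply Z0123456789ABCDEFGHIJ my-cluster us-west-2
# (constructed zone ID and cluster name, not values from this page).
if [ "${1:-}" = "--apply" ]; then
  apply_external_dns_iam "$2" "$3" "$4"
fi
```

If the Privacy Dynamics subdomain is ever moved to a different hosted zone, regenerate and update the policy; the scoped resource ARN means ExternalDNS will otherwise lose the ability to write records rather than silently writing into the wrong zone.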

Create the ClusterRole and ClusterRoleBinding, and set up ExternalDNS

It is very important that --domain-filter in the following YAML be changed to the right subdomain, since ExternalDNS only manages records within the domains that match this filter. If the app is going to be hosted in the domain filter should be set to Replace DOMAIN with and R53_HOSTED_ZONE_ID with the Route 53 hosted zone ID of the DOMAIN.

Download the sample values file for external DNS configuration.

$ curl \
 -o external-dns-deploy.yaml

Make the following changes to external-dns-deploy.yaml:

  1. with your subdomain name.
  2. with your email address.
  3. txtOwnerId Z08xxxxHK with the Route 53 HostedZoneId of your subdomain name.

Apply the DNS changes to the cluster.

$ kubectl apply -f external-dns-deploy.yaml

Install Privacy Dynamics