Privacy Dynamics Self-hosted

Configure DNS records

Create a subdomain to house Privacy Dynamics

Installation best practice is to partition Privacy Dynamics off into its own subdomain, keeping it separate from the rest of the customer's infrastructure. Create a subdomain such as pvcy.customer.com dedicated to hosting Privacy Dynamics endpoints, so that external-dns cannot unintentionally touch other Route 53 records.

The example domain customer.com is used throughout the documentation and is intended to represent the customer's domain name. The customer's domain should be used wherever customer.com is present in code samples.

Create DNS zone

All Privacy Dynamics services should be hosted within a single zone (that is, a subdomain). To create a new zone in Route 53, follow the steps in this AWS article.

Each service within Privacy Dynamics will have its own DNS record. The web-based UI should be app.pvcy.customer.com and the API should be api.pvcy.customer.com. DNS A records for app and api will be automatically created in a later step when service ingresses are added.

Install ExternalDNS

ExternalDNS makes resources in the cluster discoverable. The service should be installed into its own namespace.

$ kubectl create namespace external-dns

Create IAM policy for ExternalDNS

Create a policy in IAM to give the ExternalDNS pod permissions to create, update, and delete Route 53 records in your AWS account. We recommend creating a policy called dns-manager and assigning it the permissions defined in the dns-manager-policy.json file.
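As an added example (not the dns-manager-policy.json shipped by Privacy Dynamics), the script below writes an ExternalDNS IAM policy that grants route53:ChangeResourceRecordSets on one named hosted zone only, rather than on hostedzone/*, which is the usual least-privilege tightening for a pod that edits public DNS. The actions are the ones the upstream ExternalDNS AWS documentation lists; the zone ID is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not Privacy Dynamics' own policy file.
# Writes an IAM policy for ExternalDNS scoped to ONE Route 53 hosted zone
# (the subdomain's zone) instead of every zone in the account.

# Usage: write_dns_manager_policy <hosted-zone-id> <output-file>
write_dns_manager_policy() {
  zone_id="$1"
  out="$2"
  # Route 53 hosted zone IDs start with "Z"; refuse anything else early.
  case "$zone_id" in
    Z*) ;;
    *) echo "hosted zone ID should start with Z: $zone_id" >&2; return 1 ;;
  esac
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/${zone_id}"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource"
      ],
      "Resource": ["*"]
    }
  ]
}
EOF
}

# Returns 0 when the write permission names exactly the expected zone ARN and
# the document contains no hostedzone/* wildcard; 1 otherwise.
policy_is_scoped_to_zone() {
  file="$1"
  zone_id="$2"
  grep -q "arn:aws:route53:::hostedzone/${zone_id}\"" "$file" || return 1
  ! grep -q 'hostedzone/\*' "$file"
}

# Demo with a constructed (not real) zone ID.
DEMO_ZONE_ID="Z0EXAMPLE1234567"
DEMO_POLICY_FILE="$(mktemp)"
write_dns_manager_policy "$DEMO_ZONE_ID" "$DEMO_POLICY_FILE"
policy_is_scoped_to_zone "$DEMO_POLICY_FILE" "$DEMO_ZONE_ID" && echo "policy scoped to $DEMO_ZONE_ID: $DEMO_POLICY_FILE"
# After review, create the policy with:
#   aws iam create-policy --policy-name dns-manager --policy-document "file://$DEMO_POLICY_FILE"
```

The list actions still need Resource "*" because Route 53 does not support resource-level scoping for them; only the record-change action is narrowed. Use the hosted zone ID of the pvcy.customer.com zone, not the parent customer.com zone, so the pod cannot alter records outside the subdomain even if its --domain-filter is misconfigured.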

Create an IAM OIDC identity provider

To use AWS Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster. Create an IAM OIDC identity provider for your cluster with the command below.

$ eksctl utils associate-iam-oidc-provider \
 --region=AWS_REGION --cluster=CLUSTER_NAME \
 --approve

Tip

Replace CLUSTER_NAME with your cluster's name, AWS_REGION with the region like us-west-2.

Create an IAM role for the service account.

$ eksctl create iamserviceaccount --name external-dns \
 --namespace external-dns \
 --cluster CLUSTER_NAME \
 --attach-policy-arn IAM_POLICY_ARN \
 --approve --region=AWS_REGION \
 --override-existing-serviceaccounts

Tip

Replace CLUSTER_NAME with your cluster's name, IAM_POLICY_ARN with your IAM policy's ARN, and AWS_REGION with the region, for example us-west-2.

Create ClusterRole, ClusterRoleBinding, and setup ExternalDNS

Warning

It is very important that --domain-filter in the following YAML be changed to the right subdomain. If the app is going to be hosted at app.pvcy.customer.com, the domain filter should be set to pvcy.customer.com. Replace DOMAIN with pvcy.customer.com and R53_HOSTED_ZONE_ID with the Route 53 hosted zone ID of the DOMAIN.

Download the sample values file for external DNS configuration.

$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/external-dns/deploy.yaml \
 -o external-dns-deploy.yaml

Make the following changes to external-dns-deploy.yaml:

  1. Replace pvcy.customer.com with your subdomain name.
  2. Replace test@customer.com with your email address.
  3. Replace the txtOwnerId value Z08xxxxHK with the Route 53 HostedZoneId of your subdomain.

Apply the DNS changes to the cluster.

$ kubectl apply -f external-dns-deploy.yaml
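The three substitutions above and the --domain-filter warning are easy to get wrong by hand, so here is an added example (not code from the Privacy Dynamics install repo) that performs them with sed and refuses to proceed if the filter is not the intended subdomain or a placeholder survived. The template inside the script is a constructed stand-in for the downloaded external-dns-deploy.yaml: it mirrors only the fields the substitutions touch, and the owner-email annotation is an assumed location for the email, since the real file's layout is not shown here.

```shell
#!/bin/sh
# Added example, not part of the Privacy Dynamics install docs or repo.
# Renders the external-dns manifest placeholders and verifies the result
# before `kubectl apply`.

TEMPLATE_PLACEHOLDER_DOMAIN="pvcy.customer.com"
TEMPLATE_PLACEHOLDER_EMAIL="test@customer.com"
TEMPLATE_PLACEHOLDER_ZONE="Z08xxxxHK"

# Writes a constructed stand-in template to $1 (the real deploy.yaml has more).
write_constructed_template() {
  cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: external-dns
  annotations:
    owner-email: test@customer.com
spec:
  template:
    spec:
      containers:
        - name: external-dns
          args:
            - --source=ingress
            - --domain-filter=pvcy.customer.com
            - --provider=aws
            - --policy=upsert-only
            - --registry=txt
            - --txt-owner-id=Z08xxxxHK
EOF
}

# Usage: render_manifest <template> <output> <subdomain> <email> <hosted-zone-id>
# Uses "|" as the sed delimiter so values containing "/" cannot break the pattern.
render_manifest() {
  sed \
    -e "s|$TEMPLATE_PLACEHOLDER_DOMAIN|$3|g" \
    -e "s|$TEMPLATE_PLACEHOLDER_EMAIL|$4|g" \
    -e "s|$TEMPLATE_PLACEHOLDER_ZONE|$5|g" \
    "$1" > "$2"
}

# Returns 0 when the rendered manifest is safe to apply:
#   - --domain-filter is exactly the subdomain ExternalDNS should manage
#   - none of the three placeholders survived the substitution
check_manifest() {
  file="$1"
  subdomain="$2"
  grep -q -- "--domain-filter=${subdomain}\$" "$file" \
    || { echo "domain-filter is not ${subdomain}" >&2; return 1; }
  for p in "$TEMPLATE_PLACEHOLDER_DOMAIN" "$TEMPLATE_PLACEHOLDER_EMAIL" "$TEMPLATE_PLACEHOLDER_ZONE"; do
    if grep -q "$p" "$file"; then
      echo "placeholder still present: $p" >&2
      return 1
    fi
  done
  return 0
}

# Demo with constructed values.
DEMO_TEMPLATE="$(mktemp)"
DEMO_OUT="$(mktemp)"
write_constructed_template "$DEMO_TEMPLATE"
render_manifest "$DEMO_TEMPLATE" "$DEMO_OUT" "pvcy.example.org" "ops@example.org" "Z0EXAMPLE1234567"
check_manifest "$DEMO_OUT" "pvcy.example.org" && echo "rendered manifest OK: $DEMO_OUT"
# Only then: kubectl apply -f "$DEMO_OUT"
```

Run render_manifest against the real external-dns-deploy.yaml with your own values and gate kubectl apply on check_manifest returning 0. The check anchors the filter on end of line, so a filter that is a longer string ending in your subdomain, or the parent customer.com zone, is rejected; that is the case the warning above is about, because a too-wide filter lets ExternalDNS manage records it should never see.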