What Gets Deployed
This layer installs:
- AWS Load Balancer Controller: Manages Application Load Balancers for Kubernetes ingress
- Cert Manager: Automated TLS certificate provisioning and renewal
- External Secrets Operator: Syncs secrets from Vault to Kubernetes
- Vault: HashiCorp Vault deployed via Helm for secrets management
Environment Variables
No additional environment variables are required for deployment. However, after deployment you will need to initialize Vault and keep the credentials it produces (root token and recovery keys) in a safe place.
Deployment Steps
Review the plan. It should include:
- IAM roles and policies for AWS Load Balancer Controller
- Helm releases for cert-manager, external-secrets, and Vault
- Kubernetes service accounts and RBAC configurations
Vault Initialization
After the platform layer is deployed, you must initialize Vault. Because the seal is backed by AWS KMS, Vault unseals itself automatically once it has been initialized; no manual unseal step is needed.
Wait for Vault Pods
First, check that the Vault pods are in the Running state. They may show 0/1 ready, which is expected before initialization: the readiness probe fails until Vault has been initialized and unsealed.
Run Bootstrap Script
Execute the bootstrap script. It:
- Initializes Vault with auto-unseal using AWS KMS
- Generates recovery keys and root token
- Saves credentials to `~/.vault-secrets/vault.env`
- Configures Vault for Kubernetes authentication
Save credentials securely
The script outputs:
- Root Token: Required for admin operations. It never expires and bypasses all policies, so use it only for initial setup, then revoke it and rely on auth methods (Kubernetes auth, OIDC) for day-to-day access.
- Recovery Keys: Needed for disaster recovery. With KMS auto-unseal they cannot unseal Vault; they are used to generate a new root token or to recover if the KMS key becomes unavailable, so distribute them to separate custodians rather than keeping the full set in one place.
Verify Vault Status
Vault should report Initialized true and Sealed false, with the seal type shown as awskms. If it still reports Sealed true after initialization, check the pod logs for KMS errors (see Troubleshooting).
Platform Components
AWS Load Balancer Controller
The AWS Load Balancer Controller provisions Application Load Balancers when you create Kubernetes Ingress resources. Features:
- Automatic ALB creation from Ingress manifests
- Target group management
- SSL/TLS termination
- Path-based and host-based routing
- Deployed in the `kube-system` namespace
- Uses IAM Roles for Service Accounts (IRSA)
- Monitors Ingress resources with `alb.ingress.kubernetes.io` annotations
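An Ingress that exercises the features listed above (host-based and path-based routing, TLS termination on the ALB, HTTP-to-HTTPS redirect). This is an added example, not a manifest from this repository; the hostnames, service names and the ACM certificate ARN are placeholders. Note that the ALB terminates TLS with a certificate held in ACM, not with a Kubernetes Secret issued by cert-manager; cert-manager certificates serve workloads that terminate TLS inside the cluster.

```yaml
# Added example (not from this repository): an Ingress handled by the
# AWS Load Balancer Controller. Hostnames, service names and the ACM
# certificate ARN are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: default
  annotations:
    # internet-facing ALBs are placed in subnets tagged kubernetes.io/role/elb=1;
    # use "internal" (subnets tagged kubernetes.io/role/internal-elb=1) for
    # anything that must not be reachable from the internet.
    alb.ingress.kubernetes.io/scheme: internet-facing
    # "ip" registers pod IPs directly in the target group (required on Fargate,
    # and it skips the NodePort hop); "instance" registers worker nodes.
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # Redirect plaintext requests to HTTPS at the load balancer.
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    # TLS terminates on the ALB with an ACM certificate (placeholder ARN).
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID
    alb.ingress.kubernetes.io/healthcheck-path: /healthz
spec:
  ingressClassName: alb
  rules:
  # Host-based routing: one hostname per rule ...
  - host: app.example.com
    http:
      paths:
      # ... and path-based routing inside it: /api goes to the API service,
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api
            port:
              number: 8080
      # everything else to the frontend.
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
  - host: admin.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: admin
            port:
              number: 8080
```

Each Ingress gets its own ALB unless several carry the same `alb.ingress.kubernetes.io/group.name` annotation, in which case the controller merges their rules onto one load balancer. If the ALB is never created, the controller logs are the first place to look (missing subnet tags and IRSA permission errors show up there, as noted under Troubleshooting).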
Cert Manager
Cert Manager automates TLS certificate issuance and renewal from Let’s Encrypt. Features:
- Automated certificate provisioning
- Automatic renewal before expiration
- ACME DNS-01 challenge support via Cloudflare
- Deployed in the `cert-manager` namespace
- ClusterIssuers for Let’s Encrypt staging and production
- Cloudflare DNS integration for wildcard certificates
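The manifests behind the three bullets above: a Let’s Encrypt ClusterIssuer solving DNS-01 through Cloudflare, the Secret holding the Cloudflare token, and a wildcard Certificate. This is an added example, not this repository’s issuer definition; the zone, e-mail address and secret names are placeholders. Two details matter for security: the token Secret must live in the cert-manager namespace (that is where a ClusterIssuer looks), and the token should be scoped to Zone:Read plus DNS:Edit on the zones you issue for and nothing more, because anyone who reads that Secret can obtain certificates for those zones.

```yaml
# Added example (not from this repository): Let's Encrypt ClusterIssuer with
# the Cloudflare DNS-01 solver, plus a wildcard Certificate. Zone, e-mail
# and secret names are placeholders.
---
# Cloudflare API token for the DNS-01 solver. For a ClusterIssuer this Secret
# must be in the cert-manager namespace. Scope the token to Zone:Read and
# DNS:Edit on the relevant zones only.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  api-token: REPLACE_WITH_CLOUDFLARE_API_TOKEN
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Point a second issuer (letsencrypt-staging) at
    # https://acme-staging-v02.api.letsencrypt.org/directory and test there
    # first: production rate limits are easy to hit while debugging DNS.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    # ACME account private key; cert-manager stores it in its own namespace.
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - selector:
        dnsZones:
        - example.com
      dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
---
# DNS-01 is the only ACME challenge type that can issue wildcard names.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: default
spec:
  secretName: wildcard-example-com-tls   # kubernetes.io/tls Secret written here
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - example.com
  - "*.example.com"
  # Renew 30 days before the 90-day certificate expires (this is also the
  # default, one third of the lifetime, but stating it makes the policy visible).
  renewBefore: 720h
```

Because External Secrets Operator is also part of this layer, the Cloudflare token Secret does not have to be applied by hand: it can be an ExternalSecret synced from Vault into the cert-manager namespace, so the token lives only in Vault and its audit log records who read it. When a Certificate stays in a not-ready state, the associated Order and Challenge resources show whether the TXT record was created and whether Let’s Encrypt could see it, which separates token-permission problems from DNS propagation delays.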
External Secrets Operator
External Secrets Operator syncs secrets from Vault to Kubernetes Secrets. Features:
- Automatic secret synchronization
- Refresh on secret changes
- Multiple secret backend support
- Deployed in the `external-secrets` namespace
- SecretStore resources configured for Vault
- Kubernetes auth method for Vault authentication
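A SecretStore that authenticates to Vault with the Kubernetes auth method, and an ExternalSecret that turns one KV v2 entry into a Kubernetes Secret. This is an added example, not this repository’s configuration; the application namespace, service account name, Vault role, KV path and the in-cluster Vault address (`http://vault.vault.svc.cluster.local:8200`, the Helm chart’s default service name in the `vault` namespace) are assumptions. On the Vault side it assumes that the Kubernetes auth method is enabled at `kubernetes`, that a policy grants `read` on `secret/data/apps/myapp/*`, and that a role `myapp-reader` binds exactly the service account `vault-reader` in namespace `myapp` to that policy; binding a single service account and namespace per role is what keeps one compromised workload from reading another workload’s secrets.

```yaml
# Added example (not from this repository): ESO SecretStore using Vault's
# Kubernetes auth method, and an ExternalSecret reading a KV v2 entry.
# Namespace, service account, Vault role, path and address are placeholders.
---
# ServiceAccount whose projected token ESO presents to Vault. The Vault role
# must bind exactly this name and namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-reader
  namespace: myapp
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault
  namespace: myapp
spec:
  provider:
    vault:
      # In-cluster address; HTTPS is terminated at the ingress in this platform,
      # so keep this traffic on the cluster network.
      server: http://vault.vault.svc.cluster.local:8200
      path: secret            # KV secrets engine mount
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes    # where the Kubernetes auth method is enabled
          role: myapp-reader       # Vault role bound to the ServiceAccount above
          serviceAccountRef:
            name: vault-reader
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: myapp-db
  namespace: myapp
spec:
  # ESO polls Vault at this interval; a new version written in Vault lands in
  # the Kubernetes Secret on the next refresh.
  refreshInterval: 15m
  secretStoreRef:
    name: vault
    kind: SecretStore
  target:
    name: myapp-db
    creationPolicy: Owner    # the Secret is garbage-collected with this object
  data:
  - secretKey: DB_PASSWORD
    remoteRef:
      key: apps/myapp/db     # secret/data/apps/myapp/db under the KV v2 mount
      property: password
```

A SecretStore is namespaced, so each application namespace carries its own store and service account; a ClusterSecretStore would let every namespace share one Vault identity, which is convenient but collapses the per-workload boundary that the Vault role enforces. The ExternalSecret’s status condition reports authentication and path errors directly, which is the quickest way to tell a wrong role binding from a wrong KV path.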
Vault
HashiCorp Vault provides centralized secrets management. Features:
- KV secrets engine for key-value storage
- Dynamic secrets generation
- Encryption as a service
- Audit logging
- Deployed in the `vault` namespace via Helm
- High availability with DynamoDB backend
- Auto-unseal using AWS KMS
- Ingress for HTTPS access via Tailscale
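Helm values for the hashicorp/vault chart that produce the deployment shape described above: HA server with DynamoDB storage, AWS KMS auto-unseal, and a plaintext listener inside the cluster with HTTPS terminated at the ingress. This is an added example rather than this repository’s values file; the region, DynamoDB table name and KMS key alias are placeholders, and the IAM permissions named in the comments are the ones the DynamoDB backend and the awskms seal require. The two Troubleshooting causes for Vault pods that never become ready (KMS permissions, DynamoDB access) map directly onto the `storage` and `seal` stanzas.

```yaml
# Added example (not from this repository): values for the hashicorp/vault
# Helm chart. Region, table name and KMS key alias are placeholders.
server:
  ha:
    enabled: true
    replicas: 3
    config: |
      ui = true

      listener "tcp" {
        address         = "[::]:8200"
        cluster_address = "[::]:8201"
        # Plaintext inside the cluster; HTTPS is terminated at the ingress.
        # To encrypt pod-to-pod traffic as well, set tls_disable = 0 and
        # mount a certificate (for example one issued by cert-manager).
        tls_disable = 1
      }

      # HA via DynamoDB locking. AWS credentials come from the node role (or
      # an IRSA role on the Vault service account); that role needs at least
      # dynamodb:DescribeTable, GetItem, PutItem, UpdateItem, DeleteItem,
      # Query and Scan on the table, or the pod fails at storage init.
      storage "dynamodb" {
        ha_enabled = "true"
        region     = "us-east-1"
        table      = "vault-data"
      }

      # Auto-unseal: the root key is wrapped by this KMS key. The role needs
      # kms:Encrypt, kms:Decrypt and kms:DescribeKey on it; without them the
      # pod logs a seal error and stays 0/1 ready.
      seal "awskms" {
        region     = "us-east-1"
        kms_key_id = "alias/vault-unseal"
      }

      service_registration "kubernetes" {}

  # Persistent volume for file audit logs. The audit device itself is enabled
  # after initialization, e.g. `vault audit enable file file_path=/vault/audit/audit.log`.
  auditStorage:
    enabled: true
    size: 10Gi
```

With the `awskms` seal, `vault operator init` produces recovery keys rather than unseal keys, which is why the bootstrap script saves recovery keys: they cannot unseal Vault but are required to generate a new root token. Restricting the KMS key policy to the Vault node or IRSA role, and enabling the audit device immediately after init, are the two settings most often left for later and then forgotten.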
Accessing Vault
Via kubectl Port Forward
For local access without ingress, port-forward the Vault service from the `vault` namespace to your machine and use http://localhost:8200 as the Vault address. Traffic stays inside the kubectl tunnel, so this is the safest way to use the root token during bootstrap.
Via Tailscale (Recommended)
Once connected to Tailscale, access Vault directly over HTTPS at the address exported as `vault_addr` (see Outputs below).
Verification
Check All Pods
All pods in the `kube-system`, `cert-manager`, `external-secrets` and `vault` namespaces should be in the Running state; after initialization the Vault pods should also report 1/1 ready.
Verify Cert Manager Issuers
Both ClusterIssuers, `letsencrypt-staging` and `letsencrypt-prod`, should be listed and report Ready True. An issuer that is not ready usually means the ACME account registration failed or the Cloudflare token Secret is missing from the `cert-manager` namespace.
Test Vault Access
Using the credentials saved by the bootstrap script in `~/.vault-secrets/vault.env`, confirm that Vault answers at the configured address, reports Initialized true and Sealed false, and accepts the token.
Outputs
The platform layer exports the following outputs:

| Output | Description |
|---|---|
| vault_addr | Vault server URL |
| vault_namespace | Kubernetes namespace where Vault is deployed |
| cert_manager_ready | Boolean indicating cert-manager is deployed |
Troubleshooting
Vault Pods Not Starting
Check the pod events and logs. Common causes:
- KMS key permissions (kms:Encrypt, kms:Decrypt, kms:DescribeKey) not granted to the node role
- DynamoDB table not accessible
- Insufficient resources on nodes
AWS Load Balancer Controller Errors
Check the controller logs. Common causes:
- IAM permissions insufficient
- Subnets not properly tagged for auto-discovery
- Security group rules blocking traffic
Cert Manager Certificate Issues
Check the Certificate status, then its Order and Challenge resources. Common causes:
- Cloudflare API token permissions insufficient (it needs Zone:Read and DNS:Edit on the zone)
- DNS propagation delays
- Rate limiting from Let’s Encrypt
Next Steps
With the platform layer deployed and Vault initialized, you’re ready to deploy applications.
Apps Layer
Deploy ArgoCD, Traefik, and application services