This page is generated from skills/eks-ingress-migration/references/dns-certificates.md. Edit the source, not this page.
DNS & Certificate Management
Rating model: Express every finding as Impact 1–5 using the Impact Indicator rubric (security/reputation · business/revenue · nature & effort to remediate). Band mapping is a starting point — GREEN→🟡 1–2, AMBER→🟠 3–4, RED→🔴 5 — but the Impact Indicator criteria set the final score (e.g. an easy-to-deploy prerequisite stays 🟡 low even if it blocks a path). All checks are read-only (
kubectl get/describe,aws … describe/list).
Purpose
Assess DNS automation and TLS certificate management for Gateway API migration.
Checks to Execute
4.1 — external-dns Gateway API Support
What to check:
- external-dns Deployment installed
- Source configuration — must include
gateway-httproutefor Gateway API migration - IRSA/Pod Identity for Route 53 access
How to check:
- List Deployments → filter for
external-dns - Check container args for
--source=values - Check ServiceAccount for IRSA annotation
Critical: external-dns must be configured with --source=gateway-httproute (and optionally --source=gateway-grpcroute) to auto-manage DNS for Gateway API resources. If only --source=ingress is set, DNS won't work after migration.
Impact (per Impact Indicator):
- 🟡 1–2 (Low): external-dns installed with
gateway-httproutesource, IRSA configured - 🟠 3–4 (Medium): external-dns installed but only
ingresssource — needs config update - 🔴 5 (High): No external-dns — DNS records managed manually
- ⬜ Unknown: Cannot determine DNS management
4.2 — cert-manager Gateway API Integration
What to check:
- cert-manager installed and healthy
- Gateway API integration enabled (cert-manager v1.15+ has native Gateway API support)
- ClusterIssuer/Issuer configured
How to check:
- List Deployments → filter for
cert-manager - Check cert-manager version (v1.15+ for Gateway API)
- Check for
--feature-gates=ExperimentalGatewayAPISupport=truein controller args (pre-v1.15) - List ClusterIssuers → check solver type
Impact (per Impact Indicator):
- 🟡 1–2 (Low): cert-manager v1.15+ with Gateway API support, ClusterIssuer ready
- 🟠 3–4 (Medium): cert-manager installed but Gateway API feature gate not enabled, or older version
- 🔴 5 (High): No cert-manager and TLS certs are static K8s Secrets
- ⬜ Unknown: Cannot determine cert management
4.3 — ACM Integration
What to check:
- Current Ingress resources using ACM certificate ARNs
- ACM certificates available in the account/region
- Gateway API ACM model: certificates referenced on Gateway listener via annotation
How to check:
- Scan Ingress annotations for
alb.ingress.kubernetes.io/certificate-arn - Extract unique ACM ARNs
- Verify certificates exist and are valid
Impact (per Impact Indicator):
- 🟡 1–2 (Low): Using ACM certificates — maps directly to Gateway listener annotations
- 🟠 3–4 (Medium): Mix of ACM and K8s Secret certificates
- 🔴 5 (High): No ACM — all self-managed Secrets
- ⬜ Unknown: Cannot verify ACM certificate status