Configure External DNS Alias and automatically get Equinor certificate

An application can be configured to use external DNS aliases, in addition to the automatically generated domain names, provided you register the DNS record and optionally bring the corresponding TLS certificate into Radix. Traffic routing is configured in dnsExternalAlias in radixconfig.yaml.

The external DNS record must point to the public name of a component, to the app default alias or to the app alias.

useCertificateAutomation in dnsExternalAlias controls whether the TLS certificate is managed automatically by Radix or manually by you.

Acquire a DNS record in the equinor.com zone

The process for setting up the DNS record depends on the service used to register and manage the DNS zone. This guide assumes registration of a DNS record in the equinor.com zone, but you should be able to adapt the instructions to a third-party provider.

  1. Open the Services@Equinor portal and find the service "Domain name system (DNS)".
  2. Select option New in Select service.
  3. In Where should the DNS record be added, changed or deleted?, select whether you need only Internal DNS Service (accessible only from Equinor internal network) or Internal and external DNS service (accessible from both Equinor internal network and Internet).
  4. Enter the host name in Host name (exclude .equinor.com suffix).
  5. Select CNAME in the Type drop down.
  6. In the Data (IP or FQDN) field, enter the public name, app default alias or app alias that the new DNS record should point to.

Example

  Select service: New
  Where should the DNS record be added, changed or deleted?: Internal and external DNS service
  Host name: myapp
  Type: CNAME
  Data (IP or FQDN): frontend-myapp-prod.radix.equinor.com

Configure certificate automation service

Configure dnsExternalAlias in radixconfig.yaml

Add the alias to dnsExternalAlias in radixconfig.yaml. You can add multiple entries as long as the alias value is unique. The referenced environment must be re-deployed in order for the changes to take effect.

If useCertificateAutomation is true, the external DNS record must exist before Radix can start the automatic certificate issuing process. digicert.com must also be authorized, through CAA records, to issue certificates for the alias. You can use an online tool like Entrust CAA Lookup to check this.

apiVersion: radix.equinor.com/v1
kind: RadixApplication
metadata:
  name: myapp
spec:
  ...
  dnsExternalAlias:
    - alias: myapp.equinor.com
      component: frontend
      environment: prod
      useCertificateAutomation: false|true
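
The CAA requirement for useCertificateAutomation: true can be checked with the RFC 8659 lookup rules. The following is an added example, not part of the Radix documentation or code: it reports whether digicert.com may issue for an alias. The record table is constructed sample data (not real DNS answers) and the function names are hypothetical.

```python
# Added example: decide whether a CA may issue for an alias from CAA records (RFC 8659).
# CONSTRUCTED records, not real DNS answers. Each entry is what a resolver returns for
# a CAA query on that name (CNAMEs already followed): (flags, tag, value).
SAMPLE_CAA = {
    "equinor.com": [(0, "issue", "digicert.com")],
    "example.org": [(0, "issue", "letsencrypt.org")],
    "locked.example.net": [(0, "issue", ";")],
    "report-only.example.com": [(0, "iodef", "mailto:security@example.com")],
    "strict.example.com": [(128, "futuretag", "x"), (0, "issue", "digicert.com")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(fqdn, records):
    """Climb from fqdn towards the root; return (owner, rrset) for the first CAA RRset found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if records.get(owner):
            return owner, records[owner]
    return None, []


def ca_may_issue(fqdn, ca_domain, records):
    """Return (allowed, reason) for a non-wildcard certificate request by ca_domain."""
    owner, rrset = relevant_caa(fqdn, records)
    # A critical flag (bit 128) on a tag the CA does not understand blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, f"critical unknown property at {owner}"
    # Only "issue" matters for a plain host name; parameters after ';' are ignored here.
    issuers = [v.split(";")[0].strip().lower() for _, tag, v in rrset if tag.lower() == "issue"]
    if not issuers:
        return True, "no CAA issue restriction applies"
    if ca_domain.lower() in issuers:
        return True, f"authorized by CAA at {owner}"
    allowed = sorted(i for i in issuers if i) or ["no CA"]
    return False, f"CAA at {owner} permits only: {', '.join(allowed)}"


if __name__ == "__main__":
    for name in ("myapp.equinor.com", "myapp.example.org", "app.locked.example.net",
                 "app.report-only.example.com", "app.strict.example.com", "myapp.example.test"):
        print(name, ca_may_issue(name, "digicert.com", SAMPLE_CAA))
```

For a third-party zone, the same evaluation applies to the CAA records actually published for the alias and its parent domains.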

You can also add and maintain the certificates manually