
Install Otomi on EKS with DNS using Route53


Additional resources

AWS CLI Cheat Sheet
# Obtain account
aws sts get-caller-identity
# Obtain username and userarn
aws iam get-user
# Obtain rolearn
aws iam list-roles
# Obtain groups
aws iam list-groups

Create an EKS cluster

Clone the Otomi Terraform repository:

git clone
cd eks
  • Copy the example.tfvars file to terraform.tfvars and fill in the missing configuration parameters
  • Open a terminal and run the following:
terraform init
# install the EKS cluster
terraform apply

Add a CNI

To use the network policies feature in Otomi, make sure to install the Calico CNI or any other CNI that supports Kubernetes network policies.

Install Tigera Operator:

helm repo add projectcalico
helm repo update
kubectl create namespace tigera-operator
helm install calico projectcalico/tigera-operator --version v3.26.3 --namespace tigera-operator

Or install Calico minimal:

kubectl apply -f

Configure Route53

Follow these steps to use AWS Route53.

  1. Register a domain and retrieve the Hosted zone ID
  2. Create a dns-policy.json file for the policy and add the Zone ID:
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "route53:GetChange",
"Resource": "arn:aws:route53:::change/*"
"Effect": "Allow",
"Action": [
"Resource": [
"Effect": "Allow",
"Action": [
"Resource": [
  3. Create the policy:
aws iam create-policy --policy-name "otomi-dns" --policy-document file://dns-policy.json
  4. Export the policy ARN:
export POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`otomi-dns`].Arn' --output text)
  5. Create a user:
aws iam create-user --user-name $USER
  6. Attach the policy to the user:
aws iam attach-user-policy --user-name $USER --policy-arn $POLICY_ARN
  7. Create the access key:
ACCESS_KEY=$(aws iam create-access-key --user-name $USER)
  8. Get the access key ID and secret access key:
ACCESS_KEY_ID=$(echo $ACCESS_KEY | jq -r '.AccessKey.AccessKeyId')
ACCESS_KEY_SECRET=$(echo $ACCESS_KEY | jq -r '.AccessKey.SecretAccessKey')
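The access key created above is long-lived, so the policy it is attached to should be limited to the one hosted zone external-dns manages. The following added example (not part of the Otomi docs) generates a dns-policy.json scoped to a hosted zone ID and checks it for record-write permissions that still cover every zone; the GetChange statement is taken from the page, while the other two statements and the placeholder zone ID are assumptions based on what external-dns needs for Route53.

```python
import json

# Constructed placeholder hosted zone ID; replace with the Zone ID from step 1.
ZONE_ID = "Z0123456789EXAMPLE"


def build_dns_policy(zone_id: str) -> dict:
    """IAM policy document for external-dns limited to one hosted zone.

    Assumption: besides GetChange (as on the page), external-dns needs
    ChangeResourceRecordSets on the zone and read-only listing of zones.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": "route53:GetChange",
             "Resource": "arn:aws:route53:::change/*"},
            {"Effect": "Allow",
             "Action": ["route53:ChangeResourceRecordSets"],
             "Resource": [f"arn:aws:route53:::hostedzone/{zone_id}"]},
            {"Effect": "Allow",
             "Action": ["route53:ListHostedZones",
                        "route53:ListResourceRecordSets"],
             "Resource": ["*"]},
        ],
    }


def find_unscoped_writes(policy: dict) -> list:
    """Return Resource entries that allow record writes across all zones.

    Empty list means step 2 scoped the policy to a zone; a leftover
    wildcard is what to catch before running `aws iam create-policy`.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("route53:ChangeResourceRecordSets", "route53:*", "*")
                   for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        findings += [r for r in resources
                     if r == "*" or r.endswith("hostedzone/*")]
    return findings


if __name__ == "__main__":
    policy = build_dns_policy(ZONE_ID)
    with open("dns-policy.json", "w") as f:  # input for step 3 above
        json.dump(policy, f, indent=2)
    print("unscoped writes:", find_unscoped_writes(policy))
```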

Create the values.yaml file

Add the DNS configuration created in the previous step to the values.yaml that we'll use to install Otomi:

tee values.yaml<<EOF
name: otomi
provider: aws
hasExternalDNS: true
secretKey: $ACCESS_KEY_ID
region: eu-central-1 # your region
issuer: letsencrypt
stage: production

And adjust the domainSuffix, domainFilters, region and email.

Install Otomi on EKS

Get the credentials of the cluster:

# Update your kubeconfig
# Default: aws eks update-kubeconfig --name otomi
aws eks update-kubeconfig --name <cluster_name>

Install Otomi using Helm:

helm repo add otomi
helm repo update
helm install -f values.yaml otomi otomi/otomi

Monitor the logs of the installer job:

kubectl logs jobs/otomi -n default -f

When the installer is finished, copy the URL and admin password from the console output.

Follow the activation steps here.
