1. AI Platform TLS Bootstrapping with cert-manager


    To implement TLS bootstrapping on a Kubernetes cluster using cert-manager, you generally have to follow a few steps:

    1. Install cert-manager: cert-manager is a native Kubernetes certificate management controller. It helps with issuing certificates and ensures certificates are valid and up to date, and attempts to renew certificates at a configured time before expiration.

    2. Create a Certificate resource: In cert-manager, certificates are represented by a Custom Resource named Certificate. You define the properties of your certificate in this resource, such as the domains you wish to secure with the certificate, and cert-manager takes care of the details.

    3. cert-manager Issuers: Issuers, and ClusterIssuers, are Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests. All issuers must be configured before they can be used to issue certificates.

    4. CertificateSigningRequest (CSR): In some cases, you may need to create a CSR manually. A CSR is a request for a certificate authority to create a public certificate for you.

    Let's go through a basic setup using Pulumi in Python.

```python
import pulumi
import pulumi_kubernetes as k8s
import pulumi_kubernetes_cert_manager as cert_manager

# Initialize a Kubernetes provider instance using the current context from your local kubeconfig.
k8s_provider = k8s.Provider("k8s")

# Install the cert-manager Helm chart.
cert_manager_chart = cert_manager.CertManager(
    "cert-manager",
    install_crds=True,  # Install the cert-manager CRDs along with the chart
    helm_options=cert_manager.ReleaseArgs(
        namespace="cert-manager",  # Namespace where cert-manager components will be installed
        create_namespace=True,     # Creates the namespace if it doesn't exist
        version="v1.5.4",          # Version of the cert-manager chart
    ),
    opts=pulumi.ResourceOptions(provider=k8s_provider),
)

# Create a ClusterIssuer or an Issuer resource.
# Here we create a self-signed issuer for simplicity.
# In a real-world scenario, you would use a proper CA or an ACME issuer like Let's Encrypt.
# The issuer must wait for the chart so that the cert-manager.io CRDs exist before it is applied.
self_signed_issuer = k8s.apiextensions.CustomResource(
    "self-signed-cluster-issuer",
    api_version="cert-manager.io/v1",
    kind="ClusterIssuer",
    metadata={"name": "selfsigned-issuer"},
    spec={"selfSigned": {}},
    opts=pulumi.ResourceOptions(provider=k8s_provider, depends_on=[cert_manager_chart]),
)

# Create a Certificate resource to request a certificate from the ClusterIssuer.
tls_secret_name = "example-com-tls"
certificate = k8s.apiextensions.CustomResource(
    "example-com",
    api_version="cert-manager.io/v1",
    kind="Certificate",
    metadata={
        "name": "example-com",
        "namespace": "default",  # Namespace where the Certificate (and its Secret) will be created
    },
    spec={
        "secretName": tls_secret_name,  # Secret that will hold the private key and certificate chain
        "issuerRef": {
            "name": "selfsigned-issuer",  # Reference to the ClusterIssuer created above
            "kind": "ClusterIssuer",
        },
        "dnsNames": ["example.com"],  # DNS names the certificate will be valid for
    },
    opts=pulumi.ResourceOptions(
        provider=k8s_provider, depends_on=[cert_manager_chart, self_signed_issuer]
    ),
)

# Export the Secret name so it can be referenced from Ingress or other resources.
pulumi.export("certificate_secret_name", tls_secret_name)
```

    In this program:

    • We start by creating a Kubernetes provider that specifies the cluster we're targeting.

    • We then install cert-manager using a Helm chart. Setting install_crds to True means that we install Custom Resource Definitions (CRDs) required by cert-manager along with the Helm chart.

    • Once we have cert-manager installed, we define a ClusterIssuer which represents a certificate authority that can generate certificates. In this case, it's a self-signed issuer.

    • Then, we create a Certificate resource request for a domain example.com that uses the previously defined ClusterIssuer.

    • Finally, we export the secret name that the certificate's private key and certificate chain will be stored in.

    This certificate secret can be used in Ingress resources or other resources in the cluster that require TLS certificates. With cert-manager managing your certificates, certificate renewal and other management tasks are automated according to the issuer's and certificate's configuration.

    Remember that in production, you would likely use a different type of issuer, such as an ACME issuer, which allows you to obtain certificates from Let's Encrypt or another CA that supports the ACME protocol. The self-signed issuer is mainly useful for testing purposes or for non-production environments.
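    As an added example (not part of the original program), a small pre-apply check in Python that applies the rules above to cert-manager manifests: it resolves a Certificate's issuerRef against the known Issuers and ClusterIssuers, flags a selfSigned issuer when the target is production, and validates the duration/renewBefore pair against cert-manager's minimums (1h and 5m). The sample manifests are the ClusterIssuer and Certificate from the program above re-encoded as plain dicts; the `production` flag is an assumed input.

```python
import re
from typing import Any, Dict, List

MIN_DURATION_S = 3600     # cert-manager rejects a duration below 1h
MIN_RENEW_BEFORE_S = 300  # and a renewBefore below 5m
_GO_DURATION = re.compile(r"(\d+)([hms])")
_UNIT_S = {"h": 3600, "m": 60, "s": 1}

# Constructed sample input: the ClusterIssuer and Certificate from the program above, as plain manifests.
SELFSIGNED_ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "selfsigned-issuer"},
                     "spec": {"selfSigned": {}}}
EXAMPLE_CERT = {"kind": "Certificate", "metadata": {"name": "example-com", "namespace": "default"},
                "spec": {"secretName": "example-com-tls", "dnsNames": ["example.com"],
                         "issuerRef": {"name": "selfsigned-issuer", "kind": "ClusterIssuer"}}}


def parse_go_duration(text: str) -> int:
    """Convert a Go-style duration such as "2160h" or "1h30m" to seconds."""
    parts = _GO_DURATION.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"invalid duration {text!r}")
    return sum(int(n) * _UNIT_S[u] for n, u in parts)


def check_certificate(cert: Dict[str, Any], issuers: List[Dict[str, Any]],
                      production: bool = False) -> List[str]:
    """Return findings for one Certificate, resolving its issuerRef against the known issuers."""
    findings: List[str] = []
    spec = cert.get("spec", {})
    ns = cert.get("metadata", {}).get("namespace", "default")
    ref = spec.get("issuerRef", {})
    kind = ref.get("kind", "Issuer")  # cert-manager defaults a missing kind to Issuer
    # A ClusterIssuer is cluster-scoped; an Issuer must live in the Certificate's own namespace.
    matches = [i for i in issuers if i.get("kind") == kind
               and i["metadata"].get("name") == ref.get("name")
               and (kind == "ClusterIssuer" or i["metadata"].get("namespace", "default") == ns)]
    if not matches:
        findings.append(f"issuerRef {kind}/{ref.get('name')} not found for namespace {ns}")
    elif production and "selfSigned" in matches[0].get("spec", {}):
        findings.append("production Certificate is issued by a selfSigned issuer")
    if not spec.get("dnsNames") and not spec.get("commonName"):
        findings.append("Certificate has neither dnsNames nor commonName")
    duration = parse_go_duration(spec.get("duration", "2160h"))  # default lifetime is 90 days
    # Default renewBefore is a third of duration, i.e. renewal at two thirds of the lifetime.
    renew = parse_go_duration(spec["renewBefore"]) if "renewBefore" in spec else duration // 3
    if duration < MIN_DURATION_S:
        findings.append("duration is below cert-manager's 1h minimum")
    if renew < MIN_RENEW_BEFORE_S or renew >= duration:
        findings.append("renewBefore must be at least 5m and shorter than duration")
    return findings
```

    Run it against the manifests before `pulumi up` (or as a Pulumi policy pack) so a self-signed issuer or an unrenewable duration is caught before anything is applied to the cluster.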