1. Using kubernetes config.istio.io with cert-manager.k8s.cloudflare.com

    TypeScript

    When you want to manage certificates within a Kubernetes cluster, especially for services meshed with Istio, cert-manager comes in as a helpful tool. It takes care of issuing and renewing certificates automatically, managing them as Kubernetes resources. With Pulumi's Kubernetes provider, you can instantiate these resources programmatically to align with the desired state of your cluster configuration.

    For Istio (config.istio.io), you'll often work with resources that configure different aspects of the mesh, but for TLS certificates specifically you rely on cert-manager's CRDs (Issuer and Certificate) and the Kubernetes Secrets they produce, which Istio then loads to secure service communication.

    The cert-manager.k8s.cloudflare.com part implies that you're looking to integrate Cloudflare as a certificate authority into your cert-manager setup. This usually means setting up an issuer that uses Cloudflare to acquire certificates. Note that the issuer in the program below is only named for Cloudflare: it actually requests certificates from Let's Encrypt's ACME endpoint and proves domain ownership with an HTTP01 challenge routed through Istio's ingress.

    Here's a TypeScript Pulumi program demonstrating how you could set up cert-manager with a Cloudflare issuer and configure an Istio Gateway to use the certificates provided by cert-manager.

    import * as k8s from "@pulumi/kubernetes";

    // Assuming you have a preconfigured K8s cluster context
    const provider = new k8s.Provider("provider", { /* ... */ });

    // The Helm chart does not create its own namespace, so create it first
    const certManagerNs = new k8s.core.v1.Namespace("cert-manager-ns", {
        metadata: { name: "cert-manager" },
    }, { provider });

    // Install cert-manager Helm chart
    const certManagerChart = new k8s.helm.v3.Chart("cert-manager", {
        chart: "cert-manager",
        version: "v1.5.3", // Use the appropriate version
        namespace: "cert-manager",
        fetchOpts: {
            repo: "https://charts.jetstack.io",
        },
        // Without installCRDs the chart ships no CRDs and the Issuer/Certificate below are rejected
        values: { installCRDs: true },
    }, { provider, dependsOn: [certManagerNs] });

    // Istio's ingress gateway reads the Secret named by credentialName from its own
    // namespace, so the namespaced Issuer and the Certificate must live there too
    const istioNamespace = "istio-system";

    // Create an ACME Issuer (named for Cloudflare, but it talks to Let's Encrypt)
    const cloudflareIssuer = new k8s.apiextensions.CustomResource("cloudflare-issuer", {
        apiVersion: "cert-manager.io/v1",
        kind: "Issuer",
        metadata: { name: "cloudflare-issuer", namespace: istioNamespace },
        spec: {
            acme: {
                server: "https://acme-v02.api.letsencrypt.org/directory", // Let's Encrypt ACME server
                email: "youremail@example.com", // Replace with your email
                privateKeySecretRef: {
                    name: "cloudflare-account-key",
                },
                solvers: [
                    {
                        http01: {
                            ingress: {
                                class: "istio",
                            },
                        },
                    },
                ],
            },
        },
    }, { provider, dependsOn: [certManagerChart] });

    // Create a Certificate resource to request a certificate from the Issuer above
    const certificate = new k8s.apiextensions.CustomResource("example-com-certificate", {
        apiVersion: "cert-manager.io/v1",
        kind: "Certificate",
        metadata: {
            name: "example-com",
            namespace: istioNamespace,
        },
        spec: {
            secretName: "example-com-tls",
            dnsNames: ["example.com"], // Replace with your domain names
            issuerRef: {
                name: "cloudflare-issuer",
                kind: "Issuer",
            },
        },
    }, { provider, dependsOn: [cloudflareIssuer] });

    // Sample Istio Gateway configuration using the managed certificate
    const istioGateway = new k8s.apiextensions.CustomResource("istio-gateway", {
        apiVersion: "networking.istio.io/v1alpha3",
        kind: "Gateway",
        metadata: {
            name: "gateway",
        },
        spec: {
            selector: {
                istio: "ingressgateway", // select istio ingress gateway pods
            },
            servers: [{
                port: {
                    number: 443,
                    name: "https",
                    protocol: "HTTPS",
                },
                hosts: ["example.com"], // Replace with your domain names
                tls: {
                    mode: "SIMPLE",
                    credentialName: "example-com-tls", // Name of the secret that holds your certificate
                },
            }],
        },
    }, { provider, dependsOn: [certificate] });

    // Export the gateway's name
    export const gatewayName = istioGateway.metadata.name;

    This Pulumi program performs the following actions:

    • Installs cert-manager in your Kubernetes cluster using the official Helm chart.
    • Creates an ACME Issuer named cloudflare-issuer, pointed at Let's Encrypt's production directory, that proves domain ownership with an HTTP01 challenge solved through Istio's ingress (ingress class istio).
    • Defines a Certificate resource that requests a TLS certificate for example.com from that Issuer. The resulting certificate and key will be stored in a Secret named example-com-tls.
    • Configures an Istio Gateway, which will handle incoming traffic on port 443 and utilize the example-com-tls Secret to secure the traffic with TLS.

    In both the issuer and the certificate resource, update the email and dnsNames with your own details. You also have to make sure that your Kubernetes cluster has Istio and cert-manager installed and configured correctly. Two details decide whether the Gateway can actually serve the certificate: Istio's ingress gateway loads credentialName Secrets only from its own namespace (istio-system in a default installation), so the Certificate, and the namespaced Issuer it references, must be created there rather than in default; and the HTTP01 solver creates an Ingress with class istio, which only completes if Istio is configured to act as the Ingress controller for that class. Check progress with kubectl describe certificate and kubectl describe order in that namespace before wiring the Gateway to the Secret.
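    As an added example that is not part of the original answer (and not Pulumi, cert-manager or Istio code), here is a standalone TypeScript check you can run before pulumi up: it takes the Certificate and Gateway as plain manifest objects and reports the mismatches that silently break TLS on the gateway, namely the Secret being written into a different namespace than the one the ingress gateway reads from, credentialName not matching secretName, and hosts that the certificate's dnsNames (exact or single-label wildcard) do not cover. It assumes the ingress gateway pods run in istio-system and uses constructed sample manifests mirroring the program above; the interface types are simplified shapes, not the projects' own type definitions.

```typescript
// Added example: pre-deploy consistency check between a cert-manager
// Certificate and an Istio Gateway, over plain manifest objects.
// Assumption: the ingress gateway pods run in "istio-system".

interface CertificateManifest {
    metadata: { name: string; namespace?: string };
    spec: { secretName: string; dnsNames: string[]; issuerRef: { name: string; kind: string } };
}

interface GatewayServer {
    port: { number: number; name: string; protocol: string };
    hosts: string[];
    tls?: { mode: string; credentialName?: string };
}

interface GatewayManifest {
    metadata: { name: string; namespace?: string };
    spec: { selector: Record<string, string>; servers: GatewayServer[] };
}

const DEFAULT_NAMESPACE = "default";

// Exact match, or a single-label wildcard: *.example.com covers
// www.example.com but neither example.com nor a.b.example.com.
export function hostCoveredBy(host: string, dnsName: string): boolean {
    if (!dnsName.startsWith("*.")) {
        return host === dnsName;
    }
    const suffix = dnsName.slice(1); // ".example.com"
    if (!host.endsWith(suffix)) {
        return false;
    }
    const label = host.slice(0, host.length - suffix.length);
    return label.length > 0 && !label.includes(".");
}

// Returns the list of problems found; an empty list means the Gateway can
// serve TLS with the Secret that cert-manager will write.
export function checkGatewayCertificate(
    gateway: GatewayManifest,
    cert: CertificateManifest,
    ingressGatewayNamespace: string,
): string[] {
    const problems: string[] = [];
    const certNamespace = cert.metadata.namespace ?? DEFAULT_NAMESPACE;

    // Istio's ingress gateway loads credentialName Secrets only from its own namespace.
    if (certNamespace !== ingressGatewayNamespace) {
        problems.push(`Certificate ${cert.metadata.name} writes Secret ${cert.spec.secretName} into namespace ${certNamespace}, ` +
            `but the ingress gateway reads credentialName Secrets from ${ingressGatewayNamespace}`);
    }

    for (const server of gateway.spec.servers) {
        if (server.port.protocol !== "HTTPS") {
            continue;
        }
        const where = `server ${server.port.name}`;
        const tls = server.tls;
        if (!tls || !tls.credentialName) {
            problems.push(`${where}: HTTPS server has no tls.credentialName`);
            continue;
        }
        if (tls.credentialName !== cert.spec.secretName) {
            problems.push(`${where}: credentialName ${tls.credentialName} does not match Certificate secretName ${cert.spec.secretName}`);
        }
        for (const raw of server.hosts) {
            // Istio hosts may carry a namespace prefix, e.g. "default/example.com" or "*/example.com".
            const host = raw.slice(raw.lastIndexOf("/") + 1);
            if (host === "*") {
                problems.push(`${where}: host "*" cannot be checked against dnsNames; list hosts explicitly`);
                continue;
            }
            if (!cert.spec.dnsNames.some((d) => hostCoveredBy(host, d))) {
                problems.push(`${where}: host ${host} is not covered by dnsNames [${cert.spec.dnsNames.join(", ")}]`);
            }
        }
    }
    return problems;
}

// Constructed sample manifests mirroring the Pulumi program above.
export const sampleCertificate: CertificateManifest = {
    metadata: { name: "example-com", namespace: "default" },
    spec: {
        secretName: "example-com-tls",
        dnsNames: ["example.com"],
        issuerRef: { name: "cloudflare-issuer", kind: "Issuer" },
    },
};

export const sampleGateway: GatewayManifest = {
    metadata: { name: "gateway" },
    spec: {
        selector: { istio: "ingressgateway" },
        servers: [{
            port: { number: 443, name: "https", protocol: "HTTPS" },
            hosts: ["example.com"],
            tls: { mode: "SIMPLE", credentialName: "example-com-tls" },
        }],
    },
};

for (const p of checkGatewayCertificate(sampleGateway, sampleCertificate, "istio-system")) {
    console.log(`PROBLEM: ${p}`);
}
```

    Run against the sample manifests, the check reports exactly one problem: the Certificate lands in default while the ingress gateway reads from istio-system. Moving the Certificate (and its Issuer) to istio-system clears it; the hostname check then catches the other common slip, a wildcard certificate that does not cover the bare apex host.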

    Before you run this program, you'll need to install Pulumi and set up the Kubernetes provider. After that, you can run pulumi up to deploy this configuration to your cluster.