Deploy the jaeger-cert-manager helm chart on Google Kubernetes Engine (GKE)
To deploy the Jaeger Helm chart with cert-manager for SSL certificates on Google Kubernetes Engine (GKE), you'll need to follow these steps:
- Set up a GKE cluster.
- Install the cert-manager Helm chart, which is a prerequisite for automatically managing certificates.
- Deploy the Jaeger Helm chart with the appropriate configuration to use cert-manager.
Below is a Pulumi program written in TypeScript that demonstrates how to accomplish these steps.
Pulumi Program Explanation
Before writing the Pulumi code, ensure you have set up:
- Pulumi CLI and account: Make sure that you have Pulumi CLI installed and have an account set up. Log in via the CLI to your Pulumi account.
- Google Cloud SDK: Install and configure the gcloud tool with the credentials necessary for Pulumi to access your GKE resources.
The following Pulumi program defines:
- A new GKE cluster resource.
- A Kubernetes provider that uses the created GKE cluster's kubeconfig.
- The cert-manager Helm chart installation into the GKE cluster.
- The Jaeger Helm chart installation with a reference to cert-manager for certificates.
Google Kubernetes Engine (GKE) Cluster Creation
The program begins by creating a new GKE cluster using the google-native.container/v1beta1.Cluster resource. This will set up a Kubernetes cluster in GCP.
Kubernetes Provider Configuration
The Kubernetes provider allows Pulumi to deploy resources to the GKE cluster. The provider needs the kubeconfig generated from the newly created GKE cluster to interact with it.
Cert-Manager Helm Chart Installation
After setting up the GKE cluster and Kubernetes provider, cert-manager is installed using the kubernetes-cert-manager.CertManager Helm chart. This sets up the certificate management on the cluster that Jaeger requires to operate with TLS.
Jaeger Helm Chart Deployment
Finally, the Jaeger Helm chart is deployed using the harness.service.Helm Helm chart. The configuration for the chart should specify that cert-manager is used to manage its certificates.
Let's go ahead and see the code for these steps:
```typescript
import * as pulumi from '@pulumi/pulumi';
import * as gcp from '@pulumi/gcp';
import * as k8s from '@pulumi/kubernetes';

// Step 1: Create a GKE cluster
const cluster = new gcp.container.Cluster("gke-cluster", {
    initialNodeCount: 2,
    minMasterVersion: "latest",
    nodeVersion: "latest",
    nodeConfig: {
        machineType: "n1-standard-1",
        oauthScopes: [
            "https://www.googleapis.com/auth/compute",
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/logging.write",
            "https://www.googleapis.com/auth/monitoring"
        ],
    },
});

// Export the cluster's kubeconfig.
// The legacy "gcp" auth-provider was removed from kubectl/client-go in v1.26,
// so authentication goes through the gke-gcloud-auth-plugin exec credential
// (installed as a gcloud component).
export const kubeconfig = pulumi.all([cluster.name, cluster.endpoint, cluster.masterAuth]).apply(
    ([name, endpoint, masterAuth]) => {
        const context = `${gcp.config.project}_${gcp.config.zone}_${name}`;
        return `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${masterAuth.clusterCaCertificate}
    server: https://${endpoint}
  name: ${context}
contexts:
- context:
    cluster: ${context}
    user: ${context}
  name: ${context}
current-context: ${context}
kind: Config
preferences: {}
users:
- name: ${context}
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: gke-gcloud-auth-plugin
      provideClusterInfo: true
`;
    }
);

// Step 2: Create a Kubernetes Provider instance using the GKE cluster's kubeconfig
const k8sProvider = new k8s.Provider("k8s-provider", {
    kubeconfig: kubeconfig,
});

// k8s.helm.v3.Chart does not create the target namespace, so create both up front
const certManagerNs = new k8s.core.v1.Namespace("cert-manager", {
    metadata: { name: "cert-manager" },
}, { provider: k8sProvider });
const monitoringNs = new k8s.core.v1.Namespace("monitoring", {
    metadata: { name: "monitoring" },
}, { provider: k8sProvider });

// Step 3: Install the 'cert-manager' helm chart
const certManagerChart = new k8s.helm.v3.Chart("cert-manager", {
    chart: "cert-manager",
    version: "v1.4.0",
    namespace: "cert-manager",
    fetchOpts: {
        repo: "https://charts.jetstack.io",
    },
    values: {
        // cert-manager's CRDs (Certificate, Issuer, ...) are only installed when requested
        installCRDs: true,
    },
}, { provider: k8sProvider, dependsOn: [certManagerNs] });

// Ensure the 'cert-manager' webhook service exists before deploying the Jaeger helm chart
const certManagerDeployment = certManagerChart.getResource("v1/Service", "cert-manager", "cert-manager-webhook");

// Step 4: Deploy the Jaeger helm chart configured to use 'cert-manager' for SSL
const jaegerChart = new k8s.helm.v3.Chart("jaeger", {
    chart: "jaeger",
    version: "2.19.0",
    namespace: "monitoring",
    fetchOpts: {
        repo: "https://jaegertracing.github.io/helm-charts",
    },
    values: {
        // You should configure these values according to your Jaeger setup requirements
        // and make sure to annotate Jaeger's components with the appropriate cert-manager annotations.
    },
    // Make sure Jaeger is installed after cert-manager
}, { provider: k8sProvider, dependsOn: [monitoringNs, certManagerDeployment] });

// Export the Jaeger service address, once available. getResourceProperty needs
// the property name ("status") as its last argument. The value is only populated
// when the service is of type LoadBalancer, and GKE load balancers report an IP
// address rather than a hostname.
export const jaegerUrl = jaegerChart
    .getResourceProperty("v1/Service", "monitoring", "jaeger-agent", "status")
    .apply(status => {
        const ingress = status?.loadBalancer?.ingress?.[0];
        return ingress?.ip ?? ingress?.hostname;
    });
```
Here are the explanations for some of the components:
- fetchOpts.repo specifies the Helm repository where the chart is located.
- values in the Helm chart declarations are where you configure the chart with the appropriate values for your setup. For Jaeger, make sure to include the necessary annotations or values for cert-manager to generate and manage the SSL certificates.
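The values block in the program above is left empty. The following is an added example, not part of the original program or of either chart, showing one shape it could take together with a check that every exposed host is actually covered by a cert-manager-issued certificate. The helper names, the host jaeger.example.com and the issuer name internal-ca are hypothetical, and the query.ingress key layout is an assumption to confirm against the chart's values.yaml.

```typescript
// Added example: plain objects only, no Pulumi imports, so it runs on its own.
// Assumption: the chart reads query.ingress.{enabled,annotations,hosts,tls}.
interface IngressTls { secretName: string; hosts: string[]; }
interface IngressValues {
  enabled: boolean; annotations: Record<string, string>;
  hosts: string[]; tls: IngressTls[];
}

// Annotation that cert-manager's ingress-shim watches for on Ingress objects.
const ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer";

// ClusterIssuer manifest for the annotation to reference. selfSigned keeps the
// sample self-contained; use an ACME or CA issuer for anything user-facing.
function clusterIssuer(name: string) {
  return { apiVersion: "cert-manager.io/v1", kind: "ClusterIssuer",
           metadata: { name }, spec: { selfSigned: {} } };
}

// Helm values for the Jaeger chart's `values:` block (hypothetical helper).
function jaegerTlsValues(host: string, issuer: string): { query: { ingress: IngressValues } } {
  const secretName = host.replace(/\./g, "-") + "-tls";
  return {
    query: {
      ingress: {
        enabled: true,
        annotations: { [ISSUER_ANNOTATION]: issuer },
        hosts: [host],
        tls: [{ secretName, hosts: [host] }],
      },
    },
  };
}

// Lists the reasons an enabled ingress would be served without a managed cert.
function lintIngressTls(ing: IngressValues): string[] {
  if (!ing.enabled) return [];
  const problems: string[] = [];
  if (!ing.annotations[ISSUER_ANNOTATION]) problems.push("missing issuer annotation");
  const covered: string[] = [];
  for (const t of ing.tls) {
    if (!t.secretName) problems.push("tls entry without secretName");
    covered.push(...t.hosts);
  }
  for (const h of ing.hosts) if (covered.indexOf(h) < 0) problems.push(`host ${h} has no tls entry`);
  return problems;
}
```

In the Pulumi program, the object returned by jaegerTlsValues would be passed as the Jaeger chart's values, and the clusterIssuer manifest could be applied with k8s.apiextensions.CustomResource after the cert-manager chart is installed.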
Execution
To execute this Pulumi program, you need to:
- Save this code into a file with a .ts extension (for example, deploy-jaeger-gke.ts).
- Run the pulumi up command in your terminal; this command will provision all the resources specified in the program.
- After successful completion, Pulumi will output any exported values, such as the Jaeger service URL.
Make sure you review the changes before selecting 'yes' to apply them, since this will incur Google Cloud Platform costs.
Post-Deployment
Once the deployment finishes, you will need to configure your DNS or ingress controller to properly route traffic to the Jaeger service. The exported jaegerUrl is the address you will use for these configurations or for direct access.
Always remember to check the Helm chart documentation for cert-manager and Jaeger to ensure you have the most suitable configuration for your needs.
This Pulumi program should give you a foundational setup for Jaeger on GKE with SSL certificates managed by cert-manager.