How do I enable automatic certificate renewal with cert-manager Issuers?
In this guide, we will set up automatic TLS certificate renewal in a Kubernetes cluster using cert-manager Issuers. This will ensure that your TLS certificates are always up to date without manual intervention. We’ll use Pulumi to define and deploy the necessary resources.
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Create a namespace for cert-manager
const certManagerNamespace = new k8s.core.v1.Namespace("cert-manager", {
    metadata: {
        name: "cert-manager",
    },
});

// Install the cert-manager Helm chart (installCRDs makes the chart ship the
// Certificate/Issuer/ClusterIssuer CRDs, so no separate CRD apply is needed)
const certManager = new k8s.helm.v3.Chart("cert-manager", {
    chart: "cert-manager",
    version: "v1.5.3",
    fetchOpts: {
        repo: "https://charts.jetstack.io",
    },
    namespace: certManagerNamespace.metadata.name,
    values: {
        installCRDs: true,
    },
});

// Define a ClusterIssuer for Let's Encrypt. A ClusterIssuer is cluster-scoped,
// so Certificates in any namespace can reference it.
const letsEncryptIssuer = new k8s.apiextensions.CustomResource("letsencrypt-issuer", {
    apiVersion: "cert-manager.io/v1",
    kind: "ClusterIssuer",
    metadata: {
        name: "letsencrypt-prod",
    },
    spec: {
        acme: {
            email: "your-email@example.com", // Replace with your email (Let's Encrypt sends expiry notices here)
            server: "https://acme-v02.api.letsencrypt.org/directory",
            // Secret (in the cert-manager namespace) that holds the ACME account private key
            privateKeySecretRef: {
                name: "letsencrypt-prod-private-key",
            },
            // HTTP-01 challenge: cert-manager serves the challenge response through the nginx ingress
            solvers: [{
                http01: {
                    ingress: {
                        class: "nginx",
                    },
                },
            }],
        },
    },
}, { dependsOn: certManager }); // the CRDs must exist before this resource is created

// Name of the Secret that cert-manager will create and keep updated with tls.crt / tls.key
const tlsSecretName = "example-com-tls-secret";

// Define a Certificate resource to use the ClusterIssuer. cert-manager renews it
// automatically, by default once two thirds of its lifetime have elapsed
// (about 30 days before expiry for a 90-day Let's Encrypt certificate).
const tlsCertificate = new k8s.apiextensions.CustomResource("tls-certificate", {
    apiVersion: "cert-manager.io/v1",
    kind: "Certificate",
    metadata: {
        name: "example-com-tls",
        namespace: "default",
    },
    spec: {
        secretName: tlsSecretName,
        issuerRef: {
            name: "letsencrypt-prod",
            kind: "ClusterIssuer",
        },
        commonName: "example.com",
        dnsNames: ["example.com", "www.example.com"],
    },
}, { dependsOn: letsEncryptIssuer });

// Export the Certificate's name and the name of the Secret that holds the issued key pair
export const certificateName = tlsCertificate.metadata.name;
export const certificateSecretName = tlsSecretName;
Key Points
- Namespace Creation: We create a namespace for cert-manager to isolate its components.
- Helm Chart Installation: We use the Helm chart to install cert-manager and its Custom Resource Definitions (CRDs).
- ClusterIssuer Definition: We define a ClusterIssuer resource for Let’s Encrypt, specifying the ACME server and email for notifications.
- Certificate Resource: We create a Certificate resource that references the ClusterIssuer to automatically manage and renew the TLS certificate for the specified domain.
Summary
We have automated the process of obtaining and renewing TLS certificates using cert-manager in a Kubernetes cluster. By defining a ClusterIssuer and a Certificate resource, we ensure that our certificates are managed and renewed automatically, reducing the risk of downtime due to expired certificates.
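To confirm that renewal is actually happening once this is deployed, here is an added example (not code from the Pulumi page) that reads a Certificate's status in the shape `kubectl get certificate -o json` reports it and flags a stalled renewal. The sample object and its dates are constructed; the default renewal point of one third of the lifetime before expiry is cert-manager's documented behaviour.

```typescript
// Added example: assess a cert-manager Certificate's renewal state from its status (Node built-ins only).
type Condition = { type: string; status: "True" | "False" | "Unknown"; reason?: string };
type Certificate = { metadata: { name: string }; spec: { secretName: string; renewBefore?: string };
  status: { conditions?: Condition[]; notBefore?: string; notAfter?: string; renewalTime?: string } };
type RenewalReport = { name: string; ready: boolean; daysToExpiry: number | null; renewalDue: boolean; problems: string[] };
const HOUR_MS = 3_600_000;
// Parse a Go-style duration as cert-manager uses it ("720h", "360h30m") into milliseconds.
function parseDuration(d: string): number {
  const units: Record<string, number> = { h: HOUR_MS, m: 60_000, s: 1_000 };
  const re = /(\d+(?:\.\d+)?)([hms])/g;
  let ms = 0, consumed = 0, m: RegExpExecArray | null = null;
  while ((m = re.exec(d)) !== null) { ms += parseFloat(m[1]) * units[m[2]]; consumed += m[0].length; }
  if (d.length === 0 || consumed !== d.length) throw new Error(`unsupported duration: ${d}`);
  return ms;
}
// cert-manager renews when spec.renewBefore of validity remains; the default is one third of the
// lifetime, i.e. renewal two thirds of the way through (about 30 days early for a 90-day certificate).
function expectedRenewalTime(notBefore: Date, notAfter: Date, renewBefore?: string): Date {
  const lifetimeMs = notAfter.getTime() - notBefore.getTime();
  const beforeMs = renewBefore ? parseDuration(renewBefore) : lifetimeMs / 3;
  return new Date(notAfter.getTime() - beforeMs);
}
function assessRenewal(cert: Certificate, now: Date): RenewalReport {
  const problems: string[] = [];
  const ready = (cert.status.conditions ?? []).some(c => c.type === "Ready" && c.status === "True");
  if (!ready) problems.push("Ready condition is not True");
  const { notBefore, notAfter, renewalTime } = cert.status;
  if (!notBefore || !notAfter) return { name: cert.metadata.name, ready, daysToExpiry: null, renewalDue: false, problems: [...problems, "no certificate issued yet"] };
  const expires = new Date(notAfter);
  const expected = expectedRenewalTime(new Date(notBefore), expires, cert.spec.renewBefore);
  const scheduled = renewalTime ? new Date(renewalTime) : expected;
  if (Math.abs(scheduled.getTime() - expected.getTime()) > HOUR_MS)
    problems.push(`status.renewalTime ${scheduled.toISOString()} differs from expected ${expected.toISOString()}`);
  const daysToExpiry = (expires.getTime() - now.getTime()) / (24 * HOUR_MS);
  const renewalDue = now.getTime() >= scheduled.getTime();
  if (daysToExpiry <= 0) problems.push("certificate has expired");
  // Renewal due over a day ago while notAfter is unchanged means issuance is stuck: inspect the Certificate's events and its CertificateRequest/Order/Challenge objects.
  else if (now.getTime() - scheduled.getTime() > 24 * HOUR_MS) problems.push("renewal overdue; status.notAfter has not advanced");
  return { name: cert.metadata.name, ready, daysToExpiry, renewalDue, problems };
}
// Constructed sample (fictitious dates; not captured from a real cluster).
const sampleCertificate: Certificate = {
  metadata: { name: "example-com-tls" },
  spec: { secretName: "example-com-tls-secret" },
  status: { conditions: [{ type: "Ready", status: "True", reason: "Ready" }],
    notBefore: "2024-01-01T00:00:00Z", notAfter: "2024-03-31T00:00:00Z", renewalTime: "2024-03-01T00:00:00Z" },
};
```

Run it against the live object with `kubectl get certificate example-com-tls -n default -o json` piped into `assessRenewal`; a non-empty `problems` list is the signal to look at the Certificate's events.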