How do I enable automatic certificate renewal with cert-manager Issuers?

In this guide, we will set up automatic TLS certificate renewal in a Kubernetes cluster using cert-manager Issuers. This will ensure that your TLS certificates are always up to date without manual intervention. We’ll use Pulumi to define and deploy the necessary resources.

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Name of the Kubernetes Secret that cert-manager will write the issued key pair into.
// Defined once so the Certificate spec and the stack export cannot drift apart.
const tlsSecretName = "example-com-tls-secret";

// Create a namespace for cert-manager to isolate its components
const certManagerNamespace = new k8s.core.v1.Namespace("cert-manager", {
    metadata: {
        name: "cert-manager",
    },
});

// Install the cert-manager Helm chart, including its CRDs (Certificate, ClusterIssuer, ...)
const certManager = new k8s.helm.v3.Chart("cert-manager", {
    chart: "cert-manager",
    version: "v1.5.3",
    fetchOpts: {
        repo: "https://charts.jetstack.io",
    },
    namespace: certManagerNamespace.metadata.name,
    values: {
        installCRDs: true,
    },
});

// Define a ClusterIssuer for Let's Encrypt. A ClusterIssuer is cluster-scoped,
// so Certificates in any namespace can reference it.
const letsEncryptIssuer = new k8s.apiextensions.CustomResource("letsencrypt-issuer", {
    apiVersion: "cert-manager.io/v1",
    kind: "ClusterIssuer",
    metadata: {
        name: "letsencrypt-prod",
    },
    spec: {
        acme: {
            email: "your-email@example.com", // Replace with your email (ACME account contact, receives expiry notices)
            server: "https://acme-v02.api.letsencrypt.org/directory",
            // Secret (in the cert-manager namespace) that stores the ACME account private key
            privateKeySecretRef: {
                name: "letsencrypt-prod-private-key",
            },
            // Prove control of the domain with HTTP-01 challenges served via the nginx Ingress
            solvers: [{
                http01: {
                    ingress: {
                        class: "nginx",
                    },
                },
            }],
        },
    },
}, { dependsOn: certManager }); // the CRDs must be installed before this resource can be created

// Define a Certificate resource that uses the ClusterIssuer. cert-manager issues the
// certificate, stores it in `secretName` in the Certificate's namespace, and renews it
// automatically (by default once only one third of its lifetime remains).
const tlsCertificate = new k8s.apiextensions.CustomResource("tls-certificate", {
    apiVersion: "cert-manager.io/v1",
    kind: "Certificate",
    metadata: {
        name: "example-com-tls",
        namespace: "default",
    },
    spec: {
        secretName: tlsSecretName,
        issuerRef: {
            name: "letsencrypt-prod",
            kind: "ClusterIssuer",
        },
        commonName: "example.com",
        dnsNames: ["example.com", "www.example.com"],
    },
}, { dependsOn: letsEncryptIssuer });

// Export the Secret name (not the Certificate name) so workloads such as an
// Ingress `tls.secretName` can reference the issued certificate.
export const certificateSecretName = tlsSecretName;

Key Points

  • Namespace Creation: We create a namespace for cert-manager to isolate its components.
  • Helm Chart Installation: We use the Helm chart to install cert-manager and its Custom Resource Definitions (CRDs).
  • ClusterIssuer Definition: We define a ClusterIssuer resource for Let’s Encrypt, specifying the ACME server and email for notifications.
  • Certificate Resource: We create a Certificate resource that references the ClusterIssuer to automatically obtain, store (in the named Secret) and renew the TLS certificate for the listed DNS names.
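As an added example (not part of the original answer), the TypeScript below shows how to reason about the renewal that this setup relies on: it reads the status fields cert-manager writes onto the Certificate (`notBefore`, `notAfter`, the `Ready` condition) and computes when renewal will be attempted. It assumes cert-manager's documented default of renewing when one third of the issued certificate's lifetime remains unless `spec.renewBefore` is set, and that Let's Encrypt issues 90-day certificates; the types and sample status are constructed for the example.

```typescript
// Subset of a cert-manager Certificate object as returned by
// `kubectl get certificate example-com-tls -o json` (constructed types).
interface CertCondition { type: string; status: string; reason?: string }
interface CertificateObject {
  spec: { renewBefore?: string };
  status?: { conditions?: CertCondition[]; notBefore?: string; notAfter?: string };
}

// Parse a Go duration string such as "2160h" or "1h30m" into milliseconds.
function parseGoDuration(s: string): number {
  const unitMs: Record<string, number> = { h: 3600000, m: 60000, s: 1000 };
  const re = /(\d+(?:\.\d+)?)([hms])/g;
  let total = 0, consumed = 0, m: RegExpExecArray | null;
  while ((m = re.exec(s)) !== null) {
    total += parseFloat(m[1]) * unitMs[m[2]];
    consumed += m[0].length;
  }
  if (consumed !== s.length || total === 0) throw new Error(`invalid duration: ${s}`);
  return total;
}

// When cert-manager will try to renew: notAfter minus spec.renewBefore, which
// defaults to one third of the issued certificate's lifetime (assumed default).
function renewalTime(cert: CertificateObject): Date {
  const notBefore = cert.status?.notBefore, notAfter = cert.status?.notAfter;
  if (!notBefore || !notAfter) throw new Error("certificate has not been issued yet");
  const nb = Date.parse(notBefore), na = Date.parse(notAfter);
  const renewBefore = cert.spec.renewBefore ? parseGoDuration(cert.spec.renewBefore) : (na - nb) / 3;
  return new Date(na - renewBefore);
}

interface RenewalReport { ready: boolean; renewalDue: boolean; daysUntilRenewal: number }

// Combine the Ready condition with the renewal schedule into something an
// operator can alert on (renewalDue && !ready suggests renewal is failing).
function assessRenewal(cert: CertificateObject, now: Date): RenewalReport {
  const ready = (cert.status?.conditions ?? []).some(c => c.type === "Ready" && c.status === "True");
  const msLeft = renewalTime(cert).getTime() - now.getTime();
  return { ready, renewalDue: msLeft <= 0, daysUntilRenewal: Math.floor(msLeft / 86400000) };
}

// Constructed sample: a Let's Encrypt certificate (always 90 days) issued on 1 Jan 2024.
const sampleCert: CertificateObject = {
  spec: {},
  status: {
    conditions: [{ type: "Ready", status: "True", reason: "Ready" }],
    notBefore: "2024-01-01T00:00:00Z",
    notAfter: "2024-03-31T00:00:00Z",
  },
};
```

Fed the real output of `kubectl get certificate -n default example-com-tls -o json`, `assessRenewal` flags a certificate that is past its renewal time but not Ready, which is the state to alert on before the old certificate expires.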

Summary

We have automated the process of obtaining and renewing TLS certificates using cert-manager in a Kubernetes cluster. By defining a ClusterIssuer and a Certificate resource, we ensure that our certificates are managed and renewed automatically, reducing the risk of downtime due to expired certificates.
