How do I configure DNS01 challenge providers within Cert-Manager for Kubernetes?
In this guide, we will configure DNS01 challenge providers within Cert-Manager for Kubernetes using Pulumi. Cert-Manager is a powerful Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. DNS01 challenge providers are used to verify domain ownership by creating a DNS record in the domain’s DNS zone.
Steps to Configure DNS01 Challenge Providers
- Install Cert-Manager: First, we’ll deploy Cert-Manager in our Kubernetes cluster.
- Create DNS Provider Secret: We’ll create a Kubernetes secret to hold the credentials for our DNS provider.
- Create Issuer: We’ll create an Issuer resource in Kubernetes to define how certificates will be issued using the DNS01 challenge.
Below is the Pulumi program that accomplishes these steps:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// The Cloudflare API token is read from Pulumi's encrypted config rather than being
// hard-coded in source. Set it once with:
//   pulumi config set --secret cloudflareApiToken <token>
// Scope the token to the zone being validated (Zone:DNS:Edit, Zone:Zone:Read) rather
// than using an account-wide global API key.
const config = new pulumi.Config();
const cloudflareApiToken = config.requireSecret("cloudflareApiToken");

// Step 1: Install Cert-Manager
const certManagerNamespace = new k8s.core.v1.Namespace("cert-manager", {
    metadata: { name: "cert-manager" },
});

const certManager = new k8s.helm.v3.Chart("cert-manager", {
    chart: "cert-manager",
    version: "v1.5.3",
    fetchOpts: {
        repo: "https://charts.jetstack.io",
    },
    namespace: certManagerNamespace.metadata.name,
    values: {
        // Install the Issuer/Certificate CRDs together with the controller.
        installCRDs: true,
    },
});

// Step 2: Create DNS Provider Secret
// A namespaced Issuer can only read Secrets in its own namespace, so the token
// lives in the same namespace as the Issuer below.
const dnsProviderSecret = new k8s.core.v1.Secret("dns-provider-secret", {
    metadata: {
        namespace: certManagerNamespace.metadata.name,
        name: "cloudflare-api-token-secret",
    },
    stringData: {
        apiToken: cloudflareApiToken,
    },
});

// Step 3: Create Issuer
// The Issuer is a cert-manager CRD instance, so it must wait for the Helm chart
// (and its CRDs) to be applied before it is created.
const dnsIssuer = new k8s.apiextensions.CustomResource("dns-issuer", {
    apiVersion: "cert-manager.io/v1",
    kind: "Issuer",
    metadata: {
        namespace: certManagerNamespace.metadata.name,
        name: "letsencrypt-dns",
    },
    spec: {
        acme: {
            email: "your-email@example.com", // Replace with your email (ACME account contact)
            server: "https://acme-v02.api.letsencrypt.org/directory",
            privateKeySecretRef: {
                // cert-manager stores the ACME account key in this Secret.
                name: "letsencrypt-dns-private-key",
            },
            solvers: [
                {
                    dns01: {
                        cloudflare: {
                            // `email` is only needed with a legacy global API key
                            // (apiKeySecretRef); an API token is authenticated on its own.
                            apiTokenSecretRef: {
                                name: dnsProviderSecret.metadata.name,
                                key: "apiToken",
                            },
                        },
                    },
                },
            ],
        },
    },
}, { dependsOn: certManager.ready });
```
Key Points
- Cert-Manager Installation: We used the Helm chart to install Cert-Manager in the Kubernetes cluster.
- DNS Provider Secret: A Kubernetes secret was created to securely store the DNS provider’s API token.
- Issuer Configuration: An Issuer resource was defined to use the DNS01 challenge with Cloudflare as the DNS provider.
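The wiring between the Issuer and the Secret is where DNS01 setups most often fail (wrong namespace, wrong key name, or a global API key instead of a scoped token). The following added check is not part of the original guide: it validates rendered Issuer and Secret objects of the shape the program above produces. The names `checkCloudflareDns01`, `CfIssuer`, `CfSecret`, `sampleIssuer` and `sampleSecret` are this example's own.

```typescript
// Minimal shapes of the Kubernetes objects we inspect (constructed for this example).
type CfSecret = {
  metadata: { name: string; namespace: string };
  stringData?: Record<string, string>;
  data?: Record<string, string>;
};
type CfIssuer = {
  kind: "Issuer" | "ClusterIssuer";
  metadata: { name: string; namespace?: string };
  spec: any;
};

// Namespace a ClusterIssuer reads referenced Secrets from
// (cert-manager's --cluster-resource-namespace, "cert-manager" by default).
const CLUSTER_RESOURCE_NS = "cert-manager";

// Returns findings; an empty list means the Cloudflare DNS01 solver is wired consistently.
function checkCloudflareDns01(issuer: CfIssuer, secrets: CfSecret[]): string[] {
  const findings: string[] = [];
  // A namespaced Issuer only sees Secrets in its own namespace.
  const secretNs = issuer.kind === "ClusterIssuer" ? CLUSTER_RESOURCE_NS : issuer.metadata.namespace;
  const solvers: any[] = issuer.spec?.acme?.solvers ?? [];
  if (solvers.length === 0) findings.push("no ACME solvers defined");
  for (let i = 0; i < solvers.length; i++) {
    const cf = solvers[i].dns01?.cloudflare;
    if (!cf) { findings.push(`solver ${i}: not a cloudflare dns01 solver`); continue; }
    // A global API key grants account-wide access; a zone-scoped token is the safer choice.
    if (cf.apiKeySecretRef) findings.push(`solver ${i}: uses apiKeySecretRef (global API key)`);
    const ref = cf.apiTokenSecretRef;
    if (!ref) { findings.push(`solver ${i}: no apiTokenSecretRef`); continue; }
    const secret = secrets.find(s => s.metadata.name === ref.name && s.metadata.namespace === secretNs);
    if (!secret) { findings.push(`solver ${i}: secret ${secretNs}/${ref.name} not found`); continue; }
    const keys = { ...(secret.data ?? {}), ...(secret.stringData ?? {}) };
    if (!(ref.key in keys)) findings.push(`solver ${i}: secret ${ref.name} lacks key "${ref.key}"`);
  }
  return findings;
}

// Constructed sample mirroring the guide: Secret and Issuer both in cert-manager.
const sampleSecret: CfSecret = {
  metadata: { name: "cloudflare-api-token-secret", namespace: "cert-manager" },
  stringData: { apiToken: "<constructed placeholder, not a real token>" },
};
function sampleIssuer(kind: "Issuer" | "ClusterIssuer", key: string): CfIssuer {
  return {
    kind,
    metadata: { name: "letsencrypt-dns", namespace: "cert-manager" },
    spec: { acme: { solvers: [{ dns01: { cloudflare: { apiTokenSecretRef: { name: "cloudflare-api-token-secret", key } } } }] } },
  };
}
console.log(checkCloudflareDns01(sampleIssuer("Issuer", "apiToken"), [sampleSecret]));
console.log(checkCloudflareDns01(sampleIssuer("Issuer", "api-token"), [sampleSecret]));
```

Run it against the objects `pulumi preview` would render (or `kubectl get -o json` after deployment) before waiting on a stuck Challenge.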
Summary
In this guide, we configured DNS01 challenge providers within Cert-Manager for Kubernetes using Pulumi. We installed Cert-Manager, created a secret for the DNS provider, and set up an Issuer to use the DNS01 challenge for certificate issuance. This setup ensures automated and secure management of TLS certificates in your Kubernetes cluster.