How do I secure Grafana with cert-manager on Kubernetes?
In this guide, we will deploy Grafana on a Kubernetes cluster and secure it using cert-manager for managing SSL/TLS certificates. We will cover the following steps:
- Deploy cert-manager to manage certificates.
- Deploy Grafana and configure it to use the certificates managed by cert-manager.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Define the namespace for cert-manager
const certManagerNamespace = new k8s.core.v1.Namespace("cert-manager", {
    metadata: { name: "cert-manager" },
});

// Deploy cert-manager using Helm (installCRDs also installs the cert-manager CRDs)
const certManager = new k8s.helm.v3.Chart("cert-manager", {
    chart: "cert-manager",
    version: "v1.5.3",
    fetchOpts: {
        repo: "https://charts.jetstack.io",
    },
    namespace: certManagerNamespace.metadata.name,
    values: {
        installCRDs: true,
    },
});

// Define a ClusterIssuer for cert-manager
const clusterIssuer = new k8s.apiextensions.CustomResource("letsencrypt-issuer", {
    apiVersion: "cert-manager.io/v1",
    kind: "ClusterIssuer",
    metadata: { name: "letsencrypt-issuer" },
    spec: {
        acme: {
            server: "https://acme-v02.api.letsencrypt.org/directory",
            email: "your-email@example.com",
            // Secret that stores the ACME account private key
            privateKeySecretRef: {
                name: "letsencrypt-account-key",
            },
            // Solve HTTP-01 challenges through the nginx ingress controller
            solvers: [
                {
                    http01: {
                        ingress: {
                            class: "nginx",
                        },
                    },
                },
            ],
        },
    },
}, {
    // The ClusterIssuer kind only exists once the chart has installed the CRDs
    dependsOn: certManager.ready,
});

// Define the namespace for Grafana
const grafanaNamespace = new k8s.core.v1.Namespace("grafana", {
    metadata: { name: "grafana" },
});

// Deploy Grafana using Helm
const grafana = new k8s.helm.v3.Chart("grafana", {
    chart: "grafana",
    version: "6.17.4",
    fetchOpts: {
        repo: "https://grafana.github.io/helm-charts",
    },
    namespace: grafanaNamespace.metadata.name,
    values: {
        // The Ingress below already routes grafana.example.com. Enabling the
        // chart's own ingress as well would create a second Ingress for the
        // same host, path and TLS secret.
        ingress: {
            enabled: false,
        },
    },
});

// Define an Ingress resource for Grafana
const grafanaIngress = new k8s.networking.v1.Ingress("grafana-ingress", {
    metadata: {
        namespace: grafanaNamespace.metadata.name,
        annotations: {
            "kubernetes.io/ingress.class": "nginx",
            // Ask cert-manager to issue a certificate for the hosts under spec.tls
            "cert-manager.io/cluster-issuer": "letsencrypt-issuer",
        },
    },
    spec: {
        rules: [
            {
                host: "grafana.example.com",
                http: {
                    paths: [
                        {
                            path: "/",
                            pathType: "Prefix",
                            backend: {
                                service: {
                                    name: "grafana",
                                    port: {
                                        number: 80,
                                    },
                                },
                            },
                        },
                    ],
                },
            },
        ],
        tls: [
            {
                hosts: ["grafana.example.com"],
                // cert-manager writes the issued certificate and key to this Secret
                secretName: "grafana-tls",
            },
        ],
    },
});
```
Key Points
- cert-manager is deployed to manage SSL/TLS certificates.
- A ClusterIssuer is defined to use Let’s Encrypt for obtaining certificates.
- Grafana is deployed with an Ingress resource configured to use the certificates managed by cert-manager.
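
A pre-deployment check for the Ingress wiring described above, as an added example that is not part of the original guide or of Pulumi's code: `lintIngressTls` and `IngressLike` are hypothetical names, and the `metrics-ingress` object is constructed sample input. It flags Ingresses without a cert-manager issuer annotation, hosts missing from `spec.tls`, and host/path pairs claimed by more than one Ingress.

```typescript
// Added example (not from the guide): lintIngressTls and IngressLike are hypothetical names.
interface IngressLike {
  metadata: { name: string; annotations?: Record<string, string> };
  spec: {
    rules?: { host?: string; http?: { paths: { path?: string }[] } }[];
    tls?: { hosts?: string[]; secretName?: string }[];
  };
}
const ISSUER_ANNOTATIONS = ["cert-manager.io/cluster-issuer", "cert-manager.io/issuer"];
function lintIngressTls(ingresses: IngressLike[]): string[] {
  const findings: string[] = [];
  const routeOwner: Record<string, string> = {}; // "host path" -> first Ingress seen
  for (const ing of ingresses) {
    const name = ing.metadata.name;
    const annotations: Record<string, string> = ing.metadata.annotations ?? {};
    const tls = ing.spec.tls ?? [];
    if (!ISSUER_ANNOTATIONS.some((a) => a in annotations))
      findings.push(`${name}: missing cert-manager issuer annotation`);
    if (tls.some((t) => !t.secretName)) findings.push(`${name}: tls entry without secretName`);
    const covered = tls.reduce<string[]>((acc, t) => acc.concat(t.hosts ?? []), []);
    for (const rule of ing.spec.rules ?? []) {
      if (!rule.host) {
        findings.push(`${name}: rule without host, TLS coverage cannot be checked`);
        continue;
      }
      // A TLS host such as *.example.com covers exactly one leading label.
      const wildcard = "*." + rule.host.split(".").slice(1).join(".");
      if (covered.indexOf(rule.host) < 0 && covered.indexOf(wildcard) < 0)
        findings.push(`${name}: host ${rule.host} is not listed under spec.tls`);
      for (const p of rule.http?.paths ?? []) {
        const key = `${rule.host} ${p.path ?? "/"}`;
        if (routeOwner[key]) findings.push(`${name}: ${key} is already routed by ${routeOwner[key]}`);
        else routeOwner[key] = name;
      }
    }
  }
  return findings;
}
// Constructed sample input; only the grafana values come from the guide.
const issuer = { "cert-manager.io/cluster-issuer": "letsencrypt-issuer" };
const grafanaSpec = {
  rules: [{ host: "grafana.example.com", http: { paths: [{ path: "/" }] } }],
  tls: [{ hosts: ["grafana.example.com"], secretName: "grafana-tls" }],
};
const sampleIngresses: IngressLike[] = [
  { metadata: { name: "grafana-ingress", annotations: issuer }, spec: grafanaSpec },
  { metadata: { name: "grafana", annotations: issuer }, spec: grafanaSpec },
  { metadata: { name: "metrics-ingress" }, spec: { rules: [{ host: "metrics.example.com" }] } },
];
```

Run it over the Ingress objects a stack is about to create (for example the rendered manifests) and treat a non-empty result as a failed check.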
Summary
We successfully deployed Grafana on Kubernetes and secured it using cert-manager to manage SSL/TLS certificates. The Ingress resource for Grafana is configured to use Let’s Encrypt certificates provided by cert-manager.