
How do I secure Grafana with cert-manager on Kubernetes?

In this guide, we will deploy Grafana on a Kubernetes cluster and secure it using cert-manager for managing SSL/TLS certificates. We will cover the following steps:

  1. Deploy cert-manager to manage certificates.
  2. Deploy Grafana and configure it to use the certificates managed by cert-manager.

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Define the namespace for cert-manager
const certManagerNamespace = new k8s.core.v1.Namespace("cert-manager", {
    metadata: { name: "cert-manager" },
});

// Deploy cert-manager using Helm
const certManager = new k8s.helm.v3.Chart("cert-manager", {
    chart: "cert-manager",
    version: "v1.5.3",
    fetchOpts: {
        repo: "https://charts.jetstack.io",
    },
    namespace: certManagerNamespace.metadata.name,
    values: {
        installCRDs: true,
    },
});

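// Define a ClusterIssuer for cert-manager.
// It depends on the cert-manager chart, which installs the ClusterIssuer CRD.
const clusterIssuer = new k8s.apiextensions.CustomResource("letsencrypt-issuer", {
    apiVersion: "cert-manager.io/v1",
    kind: "ClusterIssuer",
    metadata: { name: "letsencrypt-issuer" },
    spec: {
        acme: {
            server: "https://acme-v02.api.letsencrypt.org/directory",
            // Placeholder: replace with a monitored address
            email: "your-email@example.com",
            // Secret in which cert-manager stores the ACME account private key
            privateKeySecretRef: {
                name: "letsencrypt-account-key",
            },
            // Answer HTTP-01 challenges through the nginx ingress controller
            solvers: [
                {
                    http01: {
                        ingress: {
                            class: "nginx",
                        },
                    },
                },
            ],
        },
    },
}, { dependsOn: [certManager] });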

// Define the namespace for Grafana
const grafanaNamespace = new k8s.core.v1.Namespace("grafana", {
    metadata: { name: "grafana" },
});

// Deploy Grafana using Helm
const grafana = new k8s.helm.v3.Chart("grafana", {
    chart: "grafana",
    version: "6.17.4",
    fetchOpts: {
        repo: "https://grafana.github.io/helm-charts",
    },
    namespace: grafanaNamespace.metadata.name,
    values: {
        ingress: {
            enabled: true,
            annotations: {
                "kubernetes.io/ingress.class": "nginx",
                "cert-manager.io/cluster-issuer": "letsencrypt-issuer",
            },
            hosts: ["grafana.example.com"],
            tls: [
                {
                    secretName: "grafana-tls",
                    hosts: ["grafana.example.com"],
                },
            ],
        },
    },
});

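// Define an Ingress resource for Grafana.
// Note: the chart values above already enable an Ingress for the same host and
// TLS secret. Keep only one of the two definitions so that a single Ingress
// requests the grafana-tls certificate.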
const grafanaIngress = new k8s.networking.v1.Ingress("grafana-ingress", {
    metadata: {
        namespace: grafanaNamespace.metadata.name,
        annotations: {
            "kubernetes.io/ingress.class": "nginx",
            "cert-manager.io/cluster-issuer": "letsencrypt-issuer",
        },
    },
    spec: {
        rules: [
            {
                host: "grafana.example.com",
                http: {
                    paths: [
                        {
                            path: "/",
                            pathType: "Prefix",
                            backend: {
                                service: {
                                    name: "grafana",
                                    port: {
                                        number: 80,
                                    },
                                },
                            },
                        },
                    ],
                },
            },
        ],
        tls: [
            {
                hosts: ["grafana.example.com"],
                secretName: "grafana-tls",
            },
        ],
    },
});

Key Points

  • cert-manager is deployed to manage SSL/TLS certificates.
  • A ClusterIssuer is defined to use Let’s Encrypt for obtaining certificates.
  • Grafana is deployed with an Ingress resource configured to use the certificates managed by cert-manager.

Summary

We successfully deployed Grafana on Kubernetes and secured it using cert-manager to manage SSL/TLS certificates. The Ingress resource for Grafana is configured to use Let’s Encrypt certificates provided by cert-manager.
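
As an added example (not part of the original answer or Pulumi's code), here is a pre-deployment check over plain Ingress objects that flags the TLS mistakes relevant to this setup, including the program above defining two Ingresses for grafana.example.com that both name grafana-tls. `IngressLike`, `lintIngressTls`, `sampleIngresses` and the third sample Ingress are hypothetical names constructed for illustration.

```typescript
interface IngressLike {
    metadata: { name: string; namespace: string; annotations?: Record<string, string> };
    spec: { rules: { host: string }[]; tls?: { hosts: string[]; secretName: string }[] };
}

// Annotations that cert-manager's ingress-shim acts on.
const ISSUER_ANNOTATIONS = ["cert-manager.io/cluster-issuer", "cert-manager.io/issuer"];

// Hypothetical helper: returns one finding per TLS problem across the given Ingresses.
function lintIngressTls(ingresses: IngressLike[]): string[] {
    const findings: string[] = [];
    const secretOwner: Record<string, string> = {}; // "namespace/secret" -> first Ingress using it
    for (const ing of ingresses) {
        const name = ing.metadata.name;
        const annotations = ing.metadata.annotations || {};
        const tls = ing.spec.tls || [];
        // In this setup (no default issuer), no annotation means no certificate request.
        if (!ISSUER_ANNOTATIONS.some((a) => a in annotations)) {
            findings.push(`${name}: no cert-manager issuer annotation`);
        }
        // A rule host missing from spec.tls is not covered by the requested certificate.
        const covered: string[] = [];
        for (const t of tls) covered.push(...t.hosts);
        for (const rule of ing.spec.rules) {
            if (covered.indexOf(rule.host) === -1) findings.push(`${name}: host ${rule.host} has no tls entry`);
        }
        // Two Ingresses naming the same secret both ask cert-manager for the same certificate.
        for (const t of tls) {
            const key = `${ing.metadata.namespace}/${t.secretName}`;
            const owner = secretOwner[key];
            if (owner) findings.push(`${name}: secret ${key} already requested by ${owner}`);
            else secretOwner[key] = name;
        }
    }
    return findings;
}

// Constructed sample: the page's two Grafana Ingresses plus a made-up one with no TLS.
function sampleIngresses(): IngressLike[] {
    const annotations = { "cert-manager.io/cluster-issuer": "letsencrypt-issuer" };
    const spec = { rules: [{ host: "grafana.example.com" }],
                   tls: [{ hosts: ["grafana.example.com"], secretName: "grafana-tls" }] };
    return [
        { metadata: { name: "grafana", namespace: "grafana", annotations }, spec },
        { metadata: { name: "grafana-ingress", namespace: "grafana", annotations }, spec },
        { metadata: { name: "plain", namespace: "grafana" }, spec: { rules: [{ host: "metrics.example.com" }] } },
    ];
}
console.log(lintIngressTls(sampleIngresses()).join("\n"));
```

Passing only the first sample Ingress returns no findings, which is the state to aim for before deploying.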
