cert-manager provides Kubernetes native certificate management. It automates provisioning of certificates from configurable issuers and renews these certificates before expiry to keep them valid and up to date.
This Terraform module helps platform engineering teams provision cert-manager on Kubernetes. It fully integrates the upstream Kubernetes resources into the Terraform plan/apply lifecycle and allows configuring cert-manager using native Terraform syntax.
The cert-manager module is continuously updated and tested when new upstream versions are released.
TL;DR: run `kbst add service cert-manager` to add cert-manager to your platform.

The kbst CLI scaffolds the Terraform module boilerplate for you. It helps you scaffold the Terraform code to provision cert-manager on your platform: it calls the module once per cluster, sets the correct `source` and latest `version` for the module, and makes sure the module's `configuration` and `configuration_base_key` match your platform.
```shell
# add cert-manager service to all platform clusters
kbst add service cert-manager

# or optionally only add cert-manager to a single cluster
# 1. list existing platform modules
kbst list
aks_gc0_westeurope
eks_gc0_eu-west-1
gke_gc0_europe-west1

# 2. add cert-manager to a single cluster
kbst add service cert-manager --cluster-name aks_gc0_westeurope
```
Scaffolding the boilerplate is convenient, but platform service modules are fully documented, standard Terraform modules. They can also be used standalone without the Kubestack framework.
All Kubestack platform service modules support the same module attributes and configuration as all other Kubestack modules. The module configuration is a Kustomization set in the per-environment configuration map, following Kubestack's inheritance model.
The example below shows some options to customize the resources provisioned by the cert-manager module. Note that the `images` override only changes where the containers are pulled from, not which images run; make sure the internal proxy serves unmodified mirrors of the upstream images.
```hcl
module "example_cert_manager" {
  providers = {
    kustomization = kustomization.example
  }

  source  = "kbst.xyz/catalog/cert-manager/kustomization"
  version = "1.15.0-beta.2-kbst.0"

  configuration = {
    apps = {
      # change the namespace of all resources
      namespace = var.example_cert_manager_namespace

      # or add an annotation
      common_annotations = {
        "terraform-workspace" = terraform.workspace
      }

      # use images to pull from an internal proxy
      # and avoid being rate limited
      images = [{
        # refers to the 'pod.spec.container.name' to modify the 'image' attribute of
        name = "container-name"

        # customize the 'registry/name' part of the image
        new_name = "reg.example.com/nginx"
      }]
    }
    ops = {
      # scale down replicas in ops
      replicas = [{
        # refers to the 'metadata.name' of the resource to scale
        name = "example"

        # sets the desired number of replicas
        count = 1
      }]
    }
  }
}
```
In addition to the example attributes shown above, modules also support `secret_generator`, `config_map_generator`, `patches` and many other Kustomization attributes.
Full documentation on how to customize a module's Kubernetes resources is available in the platform service module configuration section of the framework documentation.
A common requirement is to install cert-manager together with a ClusterIssuer. The Kubestack cert-manager module supports this using the `additional_resources` attribute.
First create a YAML file at `manifests/cluster-issuer.yaml` with the ClusterIssuer configuration. This example is for Let's Encrypt.
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: user@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-account-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
```

The ACME account private key is stored in the `letsencrypt-account-key` Secret in the cert-manager namespace; treat access to that Secret as equivalent to control of the Let's Encrypt account. Recent cert-manager releases also accept `ingressClassName` under `http01.ingress` for selecting the ingress controller; the `class` field shown here still works but is the older form.
Then add `additional_resources` to all cert-manager modules to provision the ClusterIssuer manifest alongside the bundled upstream resources.
```hcl
module "example_cert_manager" {
  providers = {
    kustomization = kustomization.example
  }

  source  = "kbst.xyz/catalog/cert-manager/kustomization"
  version = "1.11.0-kbst.0"

  configuration = {
    apps = {
      additional_resources = ["${path.root}/manifests/cluster-issuer.yaml"]
    }
    ops = {}
  }
}
```
Optionally, you can also patch the ClusterIssuer to use the Let's Encrypt staging environment for ops. Staging does not count against production rate limits, but certificates it issues are signed by a CA that browsers do not trust, so keep the patch limited to the ops environment.
```hcl
module "example_cert_manager" {
  providers = {
    kustomization = kustomization.example
  }

  source  = "kbst.xyz/catalog/cert-manager/kustomization"
  version = "1.11.0-kbst.0"

  configuration = {
    apps = {
      additional_resources = ["${path.root}/manifests/cluster-issuer.yaml"]
    }
    ops = {
      patches = [
        {
          patch = <<-EOF
            - op: replace
              path: /spec/acme/server
              value: https://acme-staging-v02.api.letsencrypt.org/directory
          EOF

          target = {
            group   = "cert-manager.io"
            version = "v1"
            kind    = "ClusterIssuer"
            name    = "letsencrypt"
          }
        }
      ]
    }
  }
}
```
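The following is an added example, not code from Kubestack or cert-manager, that models two things described on this page: the per-environment inheritance of the module `configuration` map (the apps base with ops overriding it, from the configuration section above) and the effect of the ops `patches` entry on the ClusterIssuer. It then checks that each workspace ends up on the ACME endpoint it should. Assumptions, also marked in the code: the environment merge behaves like Terraform's shallow `merge()`, the manifest is embedded as an already-parsed dict rather than read from `manifests/cluster-issuer.yaml`, and only the RFC 6902 operations `add` and `replace` are implemented. `check_issuer`, `render` and `patch_error` are names chosen for this example.

```python
"""Added example (not Kubestack or cert-manager code): model the apps/ops
configuration merge, apply the ops JSON patch to the ClusterIssuer, and check
that each workspace talks to the intended ACME endpoint. Assumptions: shallow
Terraform-style merge; manifest embedded as a dict; only add/replace ops."""
import copy

PROD = "https://acme-v02.api.letsencrypt.org/directory"
STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Constructed stand-in for manifests/cluster-issuer.yaml after YAML parsing,
# kept as a dict so the example runs with the standard library only.
CLUSTER_ISSUER = {
    "apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt"},
    "spec": {"acme": {"email": "user@example.com", "server": PROD,
                      "privateKeySecretRef": {"name": "letsencrypt-account-key"},
                      "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}},
}

# Mirrors the module's `configuration` map: apps is the base, ops overrides it.
CONFIGURATION = {
    "apps": {"additional_resources": [CLUSTER_ISSUER]},
    "ops": {"patches": [{
        "patch": [{"op": "replace", "path": "/spec/acme/server", "value": STAGING}],
        "target": {"group": "cert-manager.io", "version": "v1",
                   "kind": "ClusterIssuer", "name": "letsencrypt"},
    }]},
}


def environment_config(configuration, workspace, base_key="apps"):
    """Assumption: base and workspace maps merge like Terraform's merge(),
    i.e. shallowly, so ops inherits additional_resources from apps."""
    merged = dict(configuration.get(base_key, {}))
    merged.update(configuration.get(workspace, {}))
    return merged


def _resolve(doc, pointer):
    """Walk an RFC 6901 JSON pointer; return (parent container, last key)."""
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON pointer {pointer!r}")
    parts = [p.replace("~1", "/").replace("~0", "~") for p in pointer.split("/")[1:]]
    node = doc
    for part in parts[:-1]:
        node = node[int(part)] if isinstance(node, list) else node[part]
    return node, (int(parts[-1]) if isinstance(node, list) else parts[-1])


def apply_json_patch(doc, ops):
    """Apply add/replace. As in kustomize, `replace` on a missing path is an
    error, not a silent add: a typo in the patch path fails the build instead
    of quietly leaving ops pointed at the production CA."""
    out = copy.deepcopy(doc)
    for op in ops:
        parent, key = _resolve(out, op["path"])
        if op["op"] == "replace":
            if isinstance(parent, dict) and key not in parent:
                raise KeyError(f"replace: path {op['path']} does not exist")
            parent[key] = op["value"]
        elif op["op"] == "add":
            parent[key] = op["value"]
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return out


def patch_error(doc, ops):
    """Return the error a patch would raise, or None if it applies cleanly."""
    try:
        apply_json_patch(doc, ops)
        return None
    except (KeyError, IndexError, ValueError) as exc:
        return str(exc)


def _matches(resource, target):
    group, _, version = resource["apiVersion"].rpartition("/")
    actual = {"group": group, "version": version, "kind": resource["kind"],
              "name": resource["metadata"]["name"]}
    return all(target.get(k, v) == v for k, v in actual.items())


def render(configuration, workspace):
    """Resources provisioned for a workspace: its additional_resources with
    its patches applied to every matching target."""
    cfg = environment_config(configuration, workspace)
    resources = copy.deepcopy(cfg.get("additional_resources", []))
    for entry in cfg.get("patches", []):
        resources = [apply_json_patch(r, entry["patch"]) if _matches(r, entry["target"]) else r
                     for r in resources]
    return resources


def acme_server(configuration, workspace):
    issuer = next(r for r in render(configuration, workspace) if r["kind"] == "ClusterIssuer")
    return issuer["spec"]["acme"]["server"]


def check_issuer(issuer, workspace):
    """Guardrail: apps must use production ACME, every other workspace staging;
    the placeholder email must be replaced; the account key Secret must be named."""
    acme = issuer["spec"]["acme"]
    expected = PROD if workspace == "apps" else STAGING
    findings = []
    if acme.get("server") != expected:
        findings.append(f"{workspace}: server is {acme.get('server')}, expected {expected}")
    if acme.get("email", "").endswith("@example.com"):
        findings.append(f"{workspace}: placeholder email {acme['email']} is still set")
    if not acme.get("privateKeySecretRef", {}).get("name"):
        findings.append(f"{workspace}: privateKeySecretRef.name is missing")
    return findings
```

Run `check_issuer(render(CONFIGURATION, ws)[0], ws)` for each workspace in CI before `terraform apply`: with the page's manifest it reports only the placeholder email, and it catches a production endpoint leaking into ops (or staging into apps) the moment the patch target or path stops matching.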
The Kubestack platform engineering guides have step-by-step instructions on how to enable Ingress with automated certificates for your platform.