[Infrastructure as Code (IaC) Pulumi] Use Pulumi kubernetes (K8S) Helm Chart to deploy cert-manager

cert-manager

cert-manager automates certificate management in cloud-native environments. It builds on top of Kubernetes and OpenShift to provide X.509 certificates and issuers as first-class resource types.

This article shows how to use Pulumi with its Kubernetes (K8S) provider, a Helm Chart and the TypeScript SDK to deploy cert-manager into a Kubernetes (K8S) cluster.

Features

Provide ‘certificates as a service’ securely to developers and applications working within your cluster.

  • Supports Let’s Encrypt, HashiCorp Vault, Venafi and private PKI

  • Easy to use Kubernetes-native certificate management

  • Secure issuance of public and private certificates

  • Simple to extend, if you need more control

  • Actively developed, maintained and improved

Prerequisites

Usage

Pulumi New

Create the workspace directory.

$ mkdir -p col-example-pulumi-typescript-cert-manager
$ cd col-example-pulumi-typescript-cert-manager

Log Pulumi in to the local filesystem backend.

$ pulumi login file://.
Logged in to cloudolife as cloudolife (file://.)
or visit https://pulumi.com/docs/reference/install/ for manual instructions and release notes.

Create a new Pulumi project from the kubernetes-typescript template.

$ pulumi new kubernetes-typescript

The above command creates the following files in the current directory.

$ tree . -L 1
.
├── node_modules/
├── package.json
├── package.json.lock
├── Pulumi.dev.yaml
├── Pulumi.yaml
└── main.ts

Install the js-yaml package to load and parse the YAML values file.

$ npm i js-yaml

Pulumi Configuration

Configure Kubernetes

By default, Pulumi will look for a kubeconfig file in the following locations, just like kubectl:

  • The environment variable $KUBECONFIG,

  • or the current user’s default kubeconfig file: ~/.kube/config

If the kubeconfig file is not in either of these locations, Pulumi will not find it, and it will fail to authenticate against the cluster. Set one of these locations to a valid kubeconfig file, if you have not done so already.
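As an added example (not code from the original article), the lookup order described above written out in TypeScript, together with a file-mode check worth running before handing a kubeconfig to Pulumi: the file carries cluster credentials, so it should be readable only by its owner. The example assumes Pulumi honours the colon-separated form of $KUBECONFIG the same way kubectl does, which the article's "just like kubectl" suggests; the functions are pure so that you can wire them to process.env, os.homedir() and fs.statSync in your own tooling.

```typescript
// Added example, not from the original article or from Pulumi.
// Reproduces the kubeconfig lookup order (kubectl semantics assumed for
// Pulumi too) and flags a kubeconfig that other local users can read.

// kubectl reads $KUBECONFIG as a colon-separated list of files and falls
// back to ~/.kube/config when the variable is unset or empty.
function resolveKubeconfigPaths(
  env: Record<string, string | undefined>,
  homeDir: string,
): string[] {
  const fromEnv = env["KUBECONFIG"];
  if (fromEnv !== undefined && fromEnv.trim() !== "") {
    return fromEnv
      .split(":")
      .map((p) => p.trim())
      .filter((p) => p.length > 0);
  }
  return [`${homeDir}/.kube/config`];
}

// `mode` is the st_mode value you get from fs.statSync(path).mode.
// Returns human-readable findings; an empty array means the mode is fine.
function kubeconfigModeFindings(mode: number): string[] {
  const findings: string[] = [];
  const perms = mode & 0o777;
  // Any group or other bit means another local account can read or
  // modify the credentials. 0600 is the expected mode.
  if ((perms & 0o077) !== 0) {
    findings.push(
      `mode 0${perms.toString(8)} grants group/other access; expected 0600`,
    );
  }
  return findings;
}

// Constructed sample environment, standing in for process.env.
const sampleEnv: Record<string, string | undefined> = {
  KUBECONFIG: "/home/alice/.kube/prod.yaml:/home/alice/.kube/dev.yaml",
};

// Usage: list the candidate files and report any loose modes.
for (const p of resolveKubeconfigPaths(sampleEnv, "/home/alice")) {
  console.log(`candidate kubeconfig: ${p}`);
}
// A regular file with mode 0644 (st_mode 0100644) is flagged.
for (const f of kubeconfigModeFindings(0o100644)) {
  console.log(`finding: ${f}`);
}
```

Run the mode check against each path the resolver returns, and treat any finding as a reason to stop before `pulumi up`, since the same file is what Pulumi will use to authenticate.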

Configure Values.yaml

Edit values.yaml and replace content within {{ }}. Here it only asks the chart to install the cert-manager CRDs:

# cert-manager/values.yaml at master · jetstack/cert-manager
# https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml

installCRDs: true

Edit main.ts as follows.

// main.ts

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";
import * as fs from "fs";

// js-yaml ships no type declarations, so load it with require().
const yaml = require("js-yaml");

const nameCertManager = "cert-manager";

// kubernetes.core/v1.Namespace | Pulumi
// https://www.pulumi.com/docs/reference/pkg/kubernetes/core/v1/namespace/
// A dedicated namespace keeps cert-manager's service accounts, secrets and
// webhook separate from application workloads.
const namespaceCertManager = new k8s.core.v1.Namespace(nameCertManager, {
    metadata: {
        name: nameCertManager,
    },
});

// Load the Helm values from values.yaml.
// js-yaml 4 removed safeLoad(); load() with CORE_SCHEMA exists in both
// js-yaml 3 and 4 and never resolves the !!js/* tags.
const values = yaml.load(fs.readFileSync("./values.yaml", "utf8"), {
    schema: yaml.CORE_SCHEMA,
});

const chartNameCertManager = "cert-manager";

// kubernetes.helm.sh/v3.Chart | Pulumi
// https://www.pulumi.com/docs/reference/pkg/kubernetes/helm/v3/chart/

// cert-manager
// https://cert-manager.io/
// cert-manager 1.4.0 · cert-manager/cert-manager
// https://artifacthub.io/packages/helm/cert-manager/cert-manager
const chartCertManager = new k8s.helm.v3.Chart(chartNameCertManager, {
    chart: chartNameCertManager,
    // Pin an exact chart version so that upgrades are deliberate.
    version: "1.4.0",
    fetchOpts: {
        repo: "https://charts.jetstack.io",
    },
    namespace: namespaceCertManager.metadata.name,
    values: values,
});
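The Chart arguments above are the part of the program worth checking before every deployment: the version pin, the HTTPS chart repository, the dedicated namespace and the installCRDs value. As an added example (not the article's or Pulumi's code), the following TypeScript lints a plain object shaped like those arguments. The ChartArgs and Finding types, lintChartArgs and hasBlockingFindings are names introduced here; the sample arguments reproduce the values main.ts passes. It needs no Pulumi runtime, so it can run in CI before `pulumi up`.

```typescript
// Added example, not from the original article or from Pulumi.
// Lints the Helm Chart arguments that main.ts hands to k8s.helm.v3.Chart.

interface ChartArgs {
  chart: string;
  version?: string;
  repo?: string;
  namespace?: string;
  values?: Record<string, unknown>;
}

interface Finding {
  level: "error" | "warn" | "info";
  message: string;
}

// Exact release only: "1.4.0" pins the chart, "^1.4" or "" does not.
const EXACT_SEMVER = /^v?\d+\.\d+\.\d+$/;

function lintChartArgs(args: ChartArgs): Finding[] {
  const findings: Finding[] = [];

  if (args.version === undefined || !EXACT_SEMVER.test(args.version)) {
    findings.push({
      level: "error",
      message: `chart version ${JSON.stringify(args.version ?? "")} is not pinned to an exact release`,
    });
  }

  // The chart is fetched from the network; require TLS for the transfer.
  if (args.repo === undefined || args.repo === "") {
    findings.push({ level: "error", message: "no chart repository set" });
  } else if (!args.repo.startsWith("https://")) {
    findings.push({
      level: "error",
      message: `chart repository ${args.repo} is not fetched over HTTPS`,
    });
  }

  if (args.namespace === undefined || args.namespace === "default") {
    findings.push({
      level: "warn",
      message: "chart deploys into the default namespace; use a dedicated one",
    });
  }

  const installCRDs = args.values?.["installCRDs"];
  if (installCRDs === undefined) {
    findings.push({
      level: "warn",
      message: "installCRDs not set; the cert-manager CRDs must then be installed separately",
    });
  } else if (typeof installCRDs !== "boolean") {
    findings.push({
      level: "error",
      message: `installCRDs must be a boolean, got ${typeof installCRDs}`,
    });
  } else if (installCRDs) {
    // With installCRDs: true the CRDs belong to the chart, so `pulumi destroy`
    // removes them and with them every Certificate and Issuer object.
    findings.push({
      level: "info",
      message: "installCRDs is true: destroying the chart also deletes the CRDs and all cert-manager custom resources",
    });
  }

  return findings;
}

function hasBlockingFindings(findings: Finding[]): boolean {
  return findings.some((f) => f.level === "error");
}

// The arguments main.ts passes to k8s.helm.v3.Chart, as plain values.
const articleArgs: ChartArgs = {
  chart: "cert-manager",
  version: "1.4.0",
  repo: "https://charts.jetstack.io",
  namespace: "cert-manager",
  values: { installCRDs: true },
};

// Usage: print findings and signal whether deployment should proceed.
for (const f of lintChartArgs(articleArgs)) {
  console.log(`[${f.level}] ${f.message}`);
}
console.log(hasBlockingFindings(lintChartArgs(articleArgs)) ? "blocked" : "ok to deploy");
```

The article's arguments produce a single info finding about the CRDs; a version range, a plain-HTTP repository or a non-boolean installCRDs each produce an error that should fail the pipeline.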

Pulumi Up

Run pulumi up to create the namespace and the cert-manager workloads.

$ pulumi up

Check the cert-manager pods.

$ kubectl get pods -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-5d7f97b46d-pd8vl              1/1     Running   0          149m
cert-manager-cainjector-69d885bf55-qvgxt   1/1     Running   0          149m
cert-manager-webhook-54754dcdfd-kpmzl      1/1     Running   0          149m

Pulumi Destroy

Destroy all resources created by Pulumi.

$ pulumi destroy

References

[1] cert-manager - https://cert-manager.io/

[2] Helm | cert-manager - https://cert-manager.io/docs/installation/helm/

[3] cert-manager 1.5.3 · cert-manager/cert-manager - https://artifacthub.io/packages/helm/cert-manager/cert-manager

[4] cert-manager/values.yaml at master · jetstack/cert-manager - https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml

[5] jetstack/cert-manager: Automatically provision and manage TLS certificates in Kubernetes - https://github.com/jetstack/cert-manager

[6] Kubernetes Getting Started | Pulumi - https://www.pulumi.com/docs/get-started/kubernetes/

[7] Pulumi - Modern Infrastructure as Code - https://www.pulumi.com/

[8] Kubernetes - https://kubernetes.io/

[9] TypeScript: Typed JavaScript at Any Scale. - https://www.typescriptlang.org/