DEV Community: Vitalii Liubimov The latest articles on DEV Community by Vitalii Liubimov (@vitalii_liubimov_2bd0af64). https://dev.to/vitalii_liubimov_2bd0af64 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2955273%2F4222a7d3-8c8d-4158-9088-08f42ca272d6.png DEV Community: Vitalii Liubimov https://dev.to/vitalii_liubimov_2bd0af64 en Automating APISIX TLS Secrets with CertManager using Argo Events: A Hands-On Guide Vitalii Liubimov Tue, 27 May 2025 16:34:04 +0000 https://dev.to/vitalii_liubimov_2bd0af64/automating-apisix-tls-secrets-with-certmanager-using-argo-events-a-hands-on-guide-2a1m https://dev.to/vitalii_liubimov_2bd0af64/automating-apisix-tls-secrets-with-certmanager-using-argo-events-a-hands-on-guide-2a1m <p>When it comes to managing APIs in Kubernetes, APISIX offers a powerful and flexible platform. Recently, I encountered a unique challenge while integrating TLS certificates with APISIX,specially when automating certificate updates managed by cert-manager. cert-manager generates secrets in a standardized format (<code>tls.crt</code>, <code>tls.key</code>, <code>ca.crt</code>), but APISIX expects a different format: (<code>cert</code>, <code>key</code>) - <a href="https://apisix.apache.org/docs/ingress-controller/concepts/apisix_tls/" rel="noopener noreferrer"><code>ApisixTls CRD</code></a>. Here's my journey and the solution that eventually worked, with Argo Events providing a real-time, automated workflow.</p> <h2> Problem Overview </h2> <p><strong>Challenge</strong>: cert-manager automatically generates and renews certificates but stores them in a Kubernetes Secret object with keys like <code>tls.crt</code> and <code>tls.key</code>. However, APISIX requires a specific format - a Kubernetes secret with keys named <code>cert</code> (for the certificate) and <code>key</code> (for the private key) - interesting why Apache APISIX? Without the correct format, APISIX wouldn't be able to use the updated certificates.</p> <p><strong>Possible solutions</strong>:</p> <ul> <li>When provisioning with Terraform, you can create the Secret and ApisixTls CRD using an intermediate secret. However, remapping the TLS secret during Terraform provisioning doesn’t update the mapped secret and can only handle the key’s state.</li> </ul> <p><strong>Goals</strong>:</p> <ol> <li>Automate the TLS certificate injection into APISIX.</li> <li>Ensure the process triggers whenever a TLS secret is updated or created by cert-manager.</li> <li>Use Argo Events to listen for changes in TLS secrets, transforming them and injecting them in the APISIX-compatible format.</li> </ol> <h2> Solution Architecture Overview </h2> <p>Here's how the solution is structured:</p> <ol> <li>cert-manager generates the TLS certificates.</li> <li>Argo Events listens for events related to TLS secret creation or updates and sends corresponding API requests to the APISIX Admin API.</li> <li>APISIX ingests the transformed secrets and applies them automatically.</li> </ol> <h2> Tools and Technologies </h2> <ul> <li> <strong>APISIX</strong>: Manages and routes API traffic.</li> <li> <strong>cert-manager</strong>: Manages and renews TLS certificates automatically.</li> <li> <strong>Argo Events</strong>: Observes changes in TLS secrets and triggers automation pipelines.</li> </ul> <h2> Prerequisites: Installing APISIX, cert-manager, and Argo Events </h2> <h3> Step 1: Install APISIX </h3> <p>To install APISIX, follow the <a href="https://apisix.apache.org/" rel="noopener noreferrer">APISIX documentation</a>. In this article, we assume you’ve installed APISIX with the Admin API in the gateway namespace.</p> <h3> Step 2: Set up cert-manager </h3> <p>cert-manager installation is straightforward using Helm:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add jetstack https://charts.jetstack.io helm repo update helm <span class="nb">install </span>cert-manager jetstack/cert-manager <span class="nt">--namespace</span> cert-manager <span class="nt">--create-namespace</span> </code></pre> </div> <h3> Step 3: Install Argo Events </h3> <p>Argo Events can also be installed with Helm:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add argo https://argoproj.github.io/argo-helm helm repo update helm <span class="nb">install </span>argo-events argo/argo-events <span class="nt">--namespace</span> argo <span class="nt">--create-namespace</span> </code></pre> </div> <blockquote> <p>The installation process is described briefly. Please refer to the corresponding documentation or contact me for<br> details.</p> </blockquote> <h2> Solution: Configuring Argo Events to Watch for cert-manager TLS Secrets </h2> <p>To make the solution work, I set up Argo Events to watch for changes in cert-manager's TLS secrets. Here's the YAML manifest setup I used to transform cert-manager secrets into a format compatible with APISIX.</p> <h3> Step 1: Create Service Account and Roles </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># serviceAccount.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argo-events-sa</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argo</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secrets-mapper-role</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">secrets"</span> <span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">*"</span> <span class="pi">]</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argo-secret-mapper-role-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argo-events-sa</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argo</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-admin</span> </code></pre> </div> <h3> Step 2: Configure the EventBus </h3> <p>Define an EventBus to manage NATS messaging within Argo Events.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># eventBus.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">EventBus</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">nats</span><span class="pi">:</span> <span class="na">native</span><span class="pi">:</span> <span class="pi">{</span> <span class="pi">}</span> </code></pre> </div> <h3> Step 3: Set Up the Event Source for Watching TLS Secret Changes </h3> <p>This event source watches for any changes to Kubernetes TLS secrets annotated with apisix.io/tls. When it detects an<br> addition or update, it will trigger a transformation process.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># eventSource.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">EventSource</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secrets-mapper-event-source</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">argo-events-sa</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">apisix-tls-secret</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">resource</span><span class="pi">:</span> <span class="s">secrets</span> <span class="na">eventTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ADD</span> <span class="pi">-</span> <span class="s">UPDATE</span> <span class="pi">-</span> <span class="s">DELETE</span> <span class="na">filter</span><span class="pi">:</span> <span class="na">fields</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">metadata.annotations.apisix\.io\/tls</span> <span class="na">operation</span><span class="pi">:</span> <span class="s2">"</span><span class="s">="</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">apisix-mtls-secret</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">resource</span><span class="pi">:</span> <span class="s">secrets</span> <span class="na">eventTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ADD</span> <span class="pi">-</span> <span class="s">UPDATE</span> <span class="pi">-</span> <span class="s">DELETE</span> <span class="na">filter</span><span class="pi">:</span> <span class="na">fields</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">metadata.annotations.apisix\.io\/tls</span> <span class="na">operation</span><span class="pi">:</span> <span class="s2">"</span><span class="s">="</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">mtls"</span> </code></pre> </div> <h3> Step 4: Create a secret with Admin token </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apisix-creds.yaml</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">apisix-admin-credentials</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argo</span> <span class="na">data</span><span class="pi">:</span> <span class="na">admin</span><span class="pi">:</span> <span class="s">base64-encoded-apisix-admin-token</span> </code></pre> </div> <blockquote> <p>We use the reflector’s annotations to create the secret in the gateway namespace, automatically updating the secret in<br> the Argo namespace during credential rotation. That’s another story, though!</p> </blockquote> <h3> Step 5: Create the Sensor to Transform and Inject Secrets into APISIX </h3> <p>The sensor will transform the secret fields and inject them into APISIX. This involves reading the secret data,converting it to base64-decoded strings, and sending it to the APISIX admin API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># sensor.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Sensor</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tls-apisix-registrar</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">argo-events-sa</span> <span class="na">container</span><span class="pi">:</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">LOG_LEVEL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">error</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tls-secret</span> <span class="na">eventSourceName</span><span class="pi">:</span> <span class="s">secrets-mapper-event-source</span> <span class="na">eventName</span><span class="pi">:</span> <span class="s">apisix-tls-secret</span> <span class="na">transform</span><span class="pi">:</span> <span class="na">jq</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">.url = "http://apisix-admin.gateway.svc.cluster.local:9180/apisix/admin/ssls/" +</span> <span class="s">.body.metadata.annotations["cert-manager.io/certificate-name"] + "-" +</span> <span class="s">.body.metadata.namespace |</span> <span class="s">.method = if .type == "ADD" or .type == "UPDATE" then "PUT" else "DELETE" end |</span> <span class="s">.certs.cert = (.body.data["tls.crt"] | @base64d) |</span> <span class="s">.certs.key = (.body.data["tls.key"] | @base64d) |</span> <span class="s">.certs.snis = (.body.metadata.annotations["cert-manager.io/alt-names"] | split(",")) |</span> <span class="s">.certs.type = "server"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mtls-secret</span> <span class="na">eventSourceName</span><span class="pi">:</span> <span class="s">secrets-mapper-event-source</span> <span class="na">eventName</span><span class="pi">:</span> <span class="s">apisix-mtls-secret</span> <span class="na">transform</span><span class="pi">:</span> <span class="na">jq</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">.url = "http://apisix-admin.gateway.svc.cluster.local:9180/apisix/admin/ssls/" +</span> <span class="s">.body.metadata.annotations["cert-manager.io/certificate-name"] + "-" +</span> <span class="s">.body.metadata.namespace |</span> <span class="s">.method = if .type == "ADD" or .type == "UPDATE" then "PUT" else "DELETE" end |</span> <span class="s">.certs.cert = (.body.data["tls.crt"] | @base64d) |</span> <span class="s">.certs.key = (.body.data["tls.key"] | @base64d) |</span> <span class="s">.certs.ca = (.body.data["ca.crt"] | @base64d) |</span> <span class="s">.certs.snis = (.body.metadata.annotations["cert-manager.io/alt-names"] | split(",")) |</span> <span class="s">.certs.type = "server"</span> <span class="na">triggers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">template</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">log-trigger</span> <span class="na">conditions</span><span class="pi">:</span> <span class="s2">"</span><span class="s">tls-secret</span><span class="nv"> </span><span class="s">||</span><span class="nv"> </span><span class="s">mtls-secret"</span> <span class="na">log</span><span class="pi">:</span> <span class="na">intervalSeconds</span><span class="pi">:</span> <span class="m">20</span> <span class="pi">-</span> <span class="na">template</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">apisix-register-tls</span> <span class="na">conditions</span><span class="pi">:</span> <span class="s2">"</span><span class="s">tls-secret"</span> <span class="na">http</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{url}"</span> <span class="na">method</span><span class="pi">:</span> <span class="s2">"</span><span class="s">PUT"</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">content-type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">application/json"</span> <span class="na">payload</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">tls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">certs.snis</span> <span class="na">useRawData</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">snis</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">tls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">certs.cert</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">cert</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">tls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">certs.key</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">key</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">tls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">certs.type</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">type</span> <span class="na">secureHeaders</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">X-API-KEY"</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">apisix-admin-credentials</span> <span class="na">key</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">tls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">url</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">http.url</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">tls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">method</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">http.method</span> <span class="pi">-</span> <span class="na">template</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">apisix-register-mtls</span> <span class="na">conditions</span><span class="pi">:</span> <span class="s2">"</span><span class="s">mtls-secret"</span> <span class="na">http</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{url}"</span> <span class="na">method</span><span class="pi">:</span> <span class="s2">"</span><span class="s">PUT"</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">content-type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">application/json"</span> <span class="na">payload</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">mtls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">certs.snis</span> <span class="na">useRawData</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">snis</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">mtls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">certs.cert</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">cert</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">mtls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">certs.key</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">key</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">mtls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">certs.type</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">type</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">mtls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">certs.ca</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">client.ca</span> <span class="na">secureHeaders</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">X-API-KEY"</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">apisix-admin-credentials</span> <span class="na">key</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">mtls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">url</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">http.url</span> <span class="pi">-</span> <span class="na">src</span><span class="pi">:</span> <span class="na">dependencyName</span><span class="pi">:</span> <span class="s">mtls-secret</span> <span class="na">dataKey</span><span class="pi">:</span> <span class="s">method</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">http.method</span> <span class="na">retryStrategy</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="m">3</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">policy</span><span class="pi">:</span> <span class="na">status</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">200</span> <span class="pi">-</span> <span class="m">201</span> </code></pre> </div> <p>Replace the Apisix Admin API url if it doesn't match your configuration: <a href="http://apisixadmin.gateway.svc.cluster.local:9180/" rel="noopener noreferrer">http://apisixadmin.gateway.svc.cluster.local:9180/</a></p> <p>Apply all manifests via kubectl or other tools.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> <span class="nb">.</span> </code></pre> </div> <h2> Result verification: </h2> <p>Check the pods on the argo namespace, verify specific pods are running and ready.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'bus|mapper|registrar'</span> eventbus-default-stan-0 2/2 Running 0 76m eventbus-default-stan-1 2/2 Running 0 76m eventbus-default-stan-2 2/2 Running 0 75m secrets-mapper-event-source-eventsource-wkrr9-7cd7d7d6cb-db74n 1/1 Running 0 76m tls-apisix-registrar-sensor-rwh7f-fcf8d5bcc-6qtsd 1/1 Running 0 18m </code></pre> </div> <h3> Testing certificate registration: </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># certificate/test.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Issuer</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">selfsigned-issuer</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selfSigned</span><span class="pi">:</span> <span class="pi">{</span> <span class="pi">}</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Certificate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">apisix-example-cert</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">apisix-example-tls</span> <span class="c1"># Name of the Secret that will be created</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">2160h</span> <span class="c1"># 90d</span> <span class="na">renewBefore</span><span class="pi">:</span> <span class="s">360h</span> <span class="c1"># 15d</span> <span class="na">commonName</span><span class="pi">:</span> <span class="s">example.com</span> <span class="na">dnsNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">example.com</span> <span class="pi">-</span> <span class="s">www.example.com</span> <span class="pi">-</span> <span class="s">api.example.com</span> <span class="na">issuerRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">selfsigned-issuer</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Issuer</span> <span class="na">secretTemplate</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">apisix.io/tls</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="c1"># annotation for eventsource</span> </code></pre> </div> <p>Apply the issuer and certificate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> ./certificate/ </code></pre> </div> <p>Verify the certificate added on Apisix Dashboard:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqak1e9vn063p8gt856sz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqak1e9vn063p8gt856sz.png" alt="Image description" width="800" height="382"></a><br> Delete the test certificate – verify it has been deleted on the APISIX Dashboard or API:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F69bpf7ma1go9v4rhudtt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F69bpf7ma1go9v4rhudtt.png" alt="Image description" width="800" height="382"></a></p> <p>For debugging, check the logs from the corresponding pod: <br> tls-apisix-registrar-sensor-…</p> <h3> Important Note: </h3> <blockquote> <p>This solution does not automatically register existing certificates in APISIX. To sync previously created certificates, you should:</p> <ol> <li>Delete the existing TLS Secret (managed by Cert-Manager).</li> <li>Let Cert-Manager recreate it - triggering Argo Events to register it in APISIX.</li> </ol> </blockquote> <h1> Conclusion: </h1> <p>Managing TLS certificates in Kubernetes can be complex, especially when integrating with API gateways like APISIX.<br> Cert-Manager simplifies certificate issuance and renewal, but APISIX requires certificates in a specific format – creating a need for automation.</p> <ul> <li>In this guide, we explored how Argo Events bridges this gap by:</li> <li>Detecting changes to Cert-Manager-generated TLS Secrets in real time.</li> <li>Transforming the certificate data into APISIX's expected format (cert and key).</li> <li>Automatically updating APISIX via its Admin API whenever a certificate is created, updated, or deleted.</li> </ul> <h3> Key Takeaways </h3> <p><strong>Fully Automated Certificate Sync</strong> - No manual intervention needed for new or renewed certificates.</p> <p><strong>Real-Time Updates</strong> - APISIX stays in sync with Cert-Manager without delays.</p> <p><strong>Scalable &amp; Kubernetes-Native</strong> - Works seamlessly with existing K8s tooling.</p> <h2> 🚀 Need a Production-Ready Kubernetes Solution? </h2> <p>I've battle-tested this solution in my platform <strong><a href="https://laralord.dev" rel="noopener noreferrer">Laralord.dev</a></strong> where the <strong>base package</strong> includes fully automated provisioning of:</p> <ul> <li>🚦 <strong>APISIX</strong> (API Gateway) </li> <li>🔐 <strong>Cert-Manager</strong> (TLS Automation) </li> <li>⚡ <strong>ArgoCD</strong> (GitOps) </li> <li>...and more!</li> </ul> <h3> ✨ Why Choose Laralord? </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Benefit</th> <th></th> </tr> </thead> <tbody> <tr> <td><strong>Pre-Configured Automation</strong></td> <td>APISIX and Cert-Manager ready out-of-the-box - save dozens of configuration hours</td> <td>⚙️</td> </tr> <tr> <td><strong>Simplified Deployments</strong></td> <td>Designed for Laravel but works with any app stack - perfect for SaaS/microservices</td> <td>🚀</td> </tr> <tr> <td><strong>Enterprise-Grade Infrastructure</strong></td> <td>Built-in multi-tenancy, auto-scaling and security hardening</td> <td>🔒</td> </tr> </tbody> </table></div> <p><a href="https://laralord.dev" rel="noopener noreferrer">👉 <strong>Visit Laralord.dev</strong></a> to supercharge your Kubernetes workflows today!</p> <h2> 📚 Further Reading </h2> <ul> <li><a href="https://apisix.apache.org/docs/ingress-controller/getting-started/" rel="noopener noreferrer">📄 APISIX Documentation</a></li> <li><a href="https://cert-manager.io/docs/getting-started/" rel="noopener noreferrer">🔧 Cert-Manager Best Practices</a></li> <li><a href="https://argoproj.github.io/argo-events/" rel="noopener noreferrer">⚡ Argo Events Triggers Guide</a></li> </ul> <p>💬 <strong>Have questions or experiences to share?</strong><br><br> Drop a comment below! 👇 We'd love to hear about your implementation!</p> devops apisix tls kubernetes