DEV Community

marocz
Comprehensive Guide: Setting Up Cert-Manager on EKS, GKE, and AKS Using Terraform

Introduction

Managing TLS certificates in a Kubernetes environment is tedious and error-prone: certificates expire, renewals get missed, and key material has to be handed to the right workloads. Cert-manager removes most of that toil by automating how certificates are obtained, renewed and stored. This post walks through setting up cert-manager with Terraform on three managed Kubernetes services: Amazon EKS, Google GKE and Azure AKS.

What is Cert-Manager?

Cert-manager is a Kubernetes add-on that automates the issuance and management of TLS certificates from a range of issuers, for example Let's Encrypt via the ACME protocol or a private CA. It watches Certificate and annotated Ingress resources, requests the certificate, stores the resulting key pair in a Kubernetes Secret, and renews it before it expires.

Why Use Cert-Manager with Terraform?

  • Automation: Terraform automates the deployment and configuration of cert-manager across different cloud providers.
  • Consistency: Ensures a consistent setup across various Kubernetes environments.
  • Infrastructure as Code: Leverage the benefits of defining your Kubernetes resources and cert-manager configuration as code.

Step-by-Step Setup

Common Prerequisites

  • Terraform installed on your local machine.
  • Access to an existing Kubernetes cluster on EKS, GKE, or AKS.
  • kubectl installed and configured for cluster access.

Step 1: Define the Terraform Variable for the Issuer Email

Add the following variable to your Terraform configuration. Its value becomes the contact email on the ACME account that cert-manager registers with Let's Encrypt, so use a mailbox that someone reads (Let's Encrypt sends expiry warnings to it). Supply the value through a .tfvars file or the TF_VAR_ISSUER_EMAIL environment variable rather than hard-coding it.

variable "ISSUER_EMAIL" {
  type        = string
  description = "cert manager cluster issuer email"
}

Step 2: Deploy Cert-Manager Using Helm

Use the helm_release resource to deploy cert-manager from the official Jetstack chart. The release below is written for the EKS cluster first, but it is identical on GKE and AKS. The chart version is pinned so upgrades happen deliberately, and installCRDs = true makes Helm install the cert-manager CRDs together with the release:

resource "helm_release" "cert-manager" {
  name             = "cert-manager"
  repository       = "https://charts.jetstack.io"
  chart            = "cert-manager"
  version          = "v1.12.4"
  create_namespace = true
  namespace        = "cert-manager"
  cleanup_on_fail  = true

  set {
    name  = "installCRDs"
    value = true
  }
}

Step 3: Create a ClusterIssuer Resource

After deploying cert-manager, define a kubernetes_manifest resource for the ClusterIssuer, using the email variable. A few things to be aware of: the resource is cluster-scoped, so any namespace can request certificates from it; the http01 solver assumes an ingress controller with class nginx that is reachable from the internet on port 80, because that is where Let's Encrypt fetches the challenge; and the ACME account private key is stored in the Secret named by privateKeySecretRef in the cert-manager namespace, so treat access to that namespace accordingly. One caveat with kubernetes_manifest: the provider validates the manifest against the ClusterIssuer CRD at plan time, so on a fresh cluster the first terraform plan fails before the Helm release has installed the CRDs, despite the depends_on. Apply the release first (terraform apply -target=helm_release.cert-manager) and then run the full apply:

resource "kubernetes_manifest" "clusterissuer_letsencrypt_prod" {
  depends_on = [
    helm_release.cert-manager
  ]
  manifest = {
    "apiVersion" = "cert-manager.io/v1"
    "kind" = "ClusterIssuer"
    "metadata" = {
      "name" = "letsencrypt-prod"
    }
    "spec" = {
      "acme" = {
        "email" = var.ISSUER_EMAIL
        "privateKeySecretRef" = {
          "name" = "letsencrypt-prod"
        }
        "server" = "https://acme-v02.api.letsencrypt.org/directory"
        "solvers" = [
          {
            "http01" = {
              "ingress" = {
                "class" = "nginx"
              }
            }
          }
        ]
      }
    }
  }
}
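To see the issuer actually consumed, and to avoid exhausting Let's Encrypt production rate limits while debugging a broken ingress, the following is an added example that is not part of the original post. It defines a second ClusterIssuer against the Let's Encrypt staging environment and a hypothetical application Ingress that requests a certificate from it; the hostname app.example.com, the namespace, and the backend Service name are placeholders, and the hostname is assumed to resolve to the public address of the nginx ingress controller so the HTTP-01 challenge can be reached on port 80.

```hcl
# Added example: staging ClusterIssuer plus an Ingress that uses it.
# Switch the annotation to "letsencrypt-prod" once the staging certificate
# has been issued successfully.
resource "kubernetes_manifest" "clusterissuer_letsencrypt_staging" {
  depends_on = [helm_release.cert-manager]
  manifest = {
    "apiVersion" = "cert-manager.io/v1"
    "kind"       = "ClusterIssuer"
    "metadata"   = { "name" = "letsencrypt-staging" }
    "spec" = {
      "acme" = {
        "email" = var.ISSUER_EMAIL
        # Staging CA: certificates are not browser-trusted, but rate limits are far looser.
        "server" = "https://acme-staging-v02.api.letsencrypt.org/directory"
        # Separate account key Secret so staging and production never share a key.
        "privateKeySecretRef" = { "name" = "letsencrypt-staging" }
        "solvers" = [{ "http01" = { "ingress" = { "class" = "nginx" } } }]
      }
    }
  }
}

# Hypothetical application Ingress. The cluster-issuer annotation is what
# makes cert-manager create a Certificate for the hosts listed under tls.
resource "kubernetes_ingress_v1" "app" {
  depends_on = [kubernetes_manifest.clusterissuer_letsencrypt_staging]

  metadata {
    name      = "app"
    namespace = "default" # assumed application namespace
    annotations = {
      "cert-manager.io/cluster-issuer" = "letsencrypt-staging"
    }
  }

  spec {
    ingress_class_name = "nginx" # must match the solver's ingress class

    tls {
      hosts       = ["app.example.com"]   # assumed hostname
      secret_name = "app-example-com-tls" # cert-manager writes the key pair here
    }

    rule {
      host = "app.example.com"
      http {
        path {
          path      = "/"
          path_type = "Prefix"
          backend {
            service {
              name = "app" # assumed Service name
              port { number = 80 }
            }
          }
        }
      }
    }
  }
}
```

After the apply, kubectl describe certificate app-example-com-tls -n default shows the Ready condition and the reason for any failure, and kubectl get challenges -A lists pending HTTP-01 challenges. The issued private key ends up in the Secret app-example-com-tls in the application namespace, so anyone with get on secrets there can read it; scope RBAC for that namespace with that in mind.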

Setting up Cert-Manager on Azure AKS, EKS and GKE using Terraform

The steps for setting up cert-manager on AKS, EKS or GKE are the same as above; what differs is the cloud provider configuration and the credentials Terraform uses to reach the cluster. Make sure the matching provider (azurerm, aws or google) is configured in your Terraform setup before you apply.


Step 1: Define the Terraform Variable

Ensure the ISSUER_EMAIL variable is declared in the Terraform configuration for that cloud.

Step 2: Deploy Cert-Manager and Create a ClusterIssuer

Follow the same steps as in the EKS setup. The Terraform code for deploying cert-manager and creating the ClusterIssuer is unchanged in an AKS or GKE environment; the only thing to check is that the ingress class in the solver matches the ingress controller actually running in that cluster, otherwise the HTTP-01 challenge will never be served.

Step 3: Setting Up Providers and Backend

Before deploying cert-manager, configure your Terraform providers and backend. The backend stores the Terraform state, which can contain sensitive values read from the cluster and the cloud API, so restrict access to the state bucket and enable object versioning. The providers are how Terraform talks to the cloud and to the Kubernetes API; the variables PROJECT_ID, REGION and GCP_CRED referenced below must be declared alongside ISSUER_EMAIL.

For Google Cloud (GCP):

terraform {
  # Remote state in a GCS bucket. State can hold sensitive values, so lock
  # down the bucket IAM and keep versioning on.
  backend "gcs" {
    bucket      = "your-bucket-name"
    prefix      = "terraform/state"
    # Path to a service account key file. This is a long-lived credential:
    # keep it out of the repository, or omit the attribute and let the
    # backend use Application Default Credentials.
    credentials = "path/to/credentials.json"
  }

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.52.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "= 2.17.0"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "= 2.8.0"
    }
  }
}

# var.GCP_CRED holds the service account key (contents or path); declare it
# with sensitive = true and never commit its value.
provider "google" {
  project     = var.PROJECT_ID
  region      = var.REGION
  credentials = var.GCP_CRED
}

# Only needed for beta-only resources; if you keep it, add hashicorp/google-beta
# to required_providers as well.
provider "google-beta" {
  project     = var.PROJECT_ID
  region      = var.REGION
  credentials = var.GCP_CRED
}

# Both providers read the local kubeconfig, so the machine running Terraform
# must already have kubectl pointed at the target cluster.
provider "kubernetes" {
  config_path = "~/.kube/config"
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}
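The provider configuration above reads ~/.kube/config and a service account key file from disk, which is fine on a laptop but does not work in a pipeline, and a JSON key is a long-lived credential that has a way of ending up in a repository. The following is an added example, not from the original post, of the alternative for GKE: the Google provider relies on Application Default Credentials (gcloud auth application-default login locally, a Workload Identity-bound service account in CI), and the kubernetes and helm providers derive the cluster endpoint, CA certificate and a short-lived token from data sources instead of a kubeconfig. It is a drop-in replacement for the terraform and provider blocks above; var.CLUSTER_NAME is assumed, and the nested kubernetes block in the helm provider is the syntax for the 2.x helm provider pinned here.

```hcl
terraform {
  backend "gcs" {
    bucket = "your-bucket-name"
    prefix = "terraform/state"
    # No credentials attribute: the backend authenticates with Application
    # Default Credentials, so no key file is stored with the code.
  }

  required_providers {
    google     = { source = "hashicorp/google", version = ">= 4.52.0" }
    kubernetes = { source = "hashicorp/kubernetes", version = "= 2.17.0" }
    helm       = { source = "hashicorp/helm", version = "= 2.8.0" }
  }
}

# Assumed: name of the existing GKE cluster cert-manager goes into.
variable "CLUSTER_NAME" {
  type = string
}

# No credentials attribute here either; ADC supplies the identity.
provider "google" {
  project = var.PROJECT_ID
  region  = var.REGION
}

# Short-lived OAuth access token for the identity Terraform is running as.
data "google_client_config" "current" {}

# Endpoint and CA of the target cluster, looked up rather than copied from a kubeconfig.
data "google_container_cluster" "target" {
  name     = var.CLUSTER_NAME
  location = var.REGION
}

locals {
  cluster_host = "https://${data.google_container_cluster.target.endpoint}"
  cluster_ca   = base64decode(data.google_container_cluster.target.master_auth[0].cluster_ca_certificate)
}

provider "kubernetes" {
  host                   = local.cluster_host
  token                  = data.google_client_config.current.access_token
  cluster_ca_certificate = local.cluster_ca
}

provider "helm" {
  kubernetes {
    host                   = local.cluster_host
    token                  = data.google_client_config.current.access_token
    cluster_ca_certificate = local.cluster_ca
  }
}
```

The access token is valid for roughly an hour, which covers a plan and apply and leaves nothing reusable behind. The identity Terraform runs as needs permission to describe the cluster (container.clusters.get) plus enough Kubernetes RBAC to install CRDs and create a ClusterIssuer, which is effectively cluster-admin, so grant it only to the pipeline identity. The same pattern applies on EKS with the aws_eks_cluster and aws_eks_cluster_auth data sources, and on AKS with the kube_config attributes of azurerm_kubernetes_cluster.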

Conclusion

With cert-manager set up in your EKS, GKE and AKS clusters, certificate issuance and renewal are automated and your ingress endpoints present valid TLS certificates without anyone tracking expiry dates by hand. Terraform lets you replicate the same setup across environments and cloud providers consistently. Keep the chart version pinned so upgrades are reviewed, and remember that the Secrets cert-manager writes hold private keys: limit who can read them, and keep the cloud credentials Terraform uses out of the repository.
