Helm chart cert-manager integration

Because the Helm chart already provides for creating an ingress object, we can use the ingress definition with annotations to generate certificates on the fly for the chart being deployed. The relevant settings are the service and ingress sections of the chart's values.yaml file. The service has been changed from LoadBalancer to ClusterIP, so it is reached through the ingress resource rather than exposed directly.

The service rendered by Helm looks like this:

---
# Source: roshanapp/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: RELEASE-NAME-roshanapp
  labels:
    helm.sh/chart: roshanapp-0.5.0
    app.kubernetes.io/name: roshanapp
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: roshanapp
    app.kubernetes.io/instance: RELEASE-NAME

The ingress resource rendered by Helm is:

---
# Source: roshanapp/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: RELEASE-NAME-roshanapp
  labels:
    helm.sh/chart: roshanapp-0.5.0
    app.kubernetes.io/name: roshanapp
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    cert-manager.io/cluster-issuer: ca-issuer
    kubernetes.io/ingress.class: nginx
spec:
  tls:
    - hosts:
        - "ne.logpoint.com.np"
      secretName: chart-example-tls
  rules:
    - host: "ne.logpoint.com.np"
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: RELEASE-NAME-roshanapp
                port:
                  number: 80

The definition of the ingress resource, with its annotations, in the values.yaml file looks like this:

ingress:
  enabled: true
  className: ""
  annotations: 
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: ca-issuer
  hosts:
    - host: ne.logpoint.com.np
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: chart-example-tls
      hosts:
        - ne.logpoint.com.np

As in the rendered ingress definition, the annotation cert-manager.io/cluster-issuer: ca-issuer uses ca-issuer as the PKI to generate a certificate whose subject alternative name (SAN) is ne.logpoint.com.np, taken from the tls hosts section. By default the ingress resource is disabled in the Helm chart, so we need to change the value from enabled: false to enabled: true for the ingress object to work.
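
The following check is an added example, not part of the chart or of cert-manager. It takes one Ingress object as parsed JSON (for instance the output of kubectl get ingress with -o json) and reports the mistakes that stop the setup above from yielding a certificate for every host: a missing issuer annotation, a tls entry without secretName, or a rule host that is not listed under tls hosts. The function names and the sample object are assumptions made for this example.

```python
import json

ISSUER_ANNOTATIONS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")

# Constructed sample mirroring the rendered Ingress shown on this page.
SAMPLE = json.loads("""
{"metadata": {"name": "RELEASE-NAME-roshanapp", "annotations": {
    "cert-manager.io/cluster-issuer": "ca-issuer",
    "kubernetes.io/ingress.class": "nginx"}},
 "spec": {"tls": [{"hosts": ["ne.logpoint.com.np"],
                   "secretName": "chart-example-tls"}],
          "rules": [{"host": "ne.logpoint.com.np"}]}}
""")


def host_covered(host, tls_hosts):
    """True if host equals a TLS host or matches a single-label wildcard."""
    for tls_host in tls_hosts:
        if tls_host == host:
            return True
        # "*.example.test" covers "a.example.test" but not "a.b.example.test".
        if tls_host.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == tls_host[2:]:
                return True
    return False


def check_ingress(ingress):
    """Return a list of findings for one Ingress object (hypothetical helper)."""
    findings = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    spec = ingress.get("spec", {})
    if not any(annotations.get(name) for name in ISSUER_ANNOTATIONS):
        findings.append("no cert-manager issuer annotation on the Ingress")
    tls_hosts = []
    for index, entry in enumerate(spec.get("tls") or []):
        if not entry.get("secretName"):
            findings.append(f"tls[{index}] has no secretName")
        tls_hosts.extend(entry.get("hosts") or [])
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host and not host_covered(host, tls_hosts):
            findings.append(f"rule host {host} is not listed under spec.tls hosts")
    return findings


if __name__ == "__main__":
    for line in check_ingress(SAMPLE) or ["ok"]:
        print(line)
```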