
Create and configure certificates

We create and maintain certificates in our cluster via cert-manager. The certificate secrets are replicated across different namespaces using reflector.

Requirements

If the DNS zone is managed by AWS:

  • An IAM user (with an access key) that has permission to modify records in the target hosted zone; cert-manager uses it for the DNS-01 challenge.

If the DNS zone is managed by Cloudflare:


Resources to be created

  • ClusterIssuer
  • Wildcard Certificates
  • Certificate secrets
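The manifests behind these resources, as an added example rather than the project's own OpenTofu code: a ClusterIssuer with a Route53 DNS-01 solver (wildcard names require DNS-01), and a wildcard Certificate whose generated secret carries reflector annotations so it is copied to other namespaces. The domain, hosted zone ID, access key, secret names and target namespaces are placeholders.

```yaml
# Added example, not the page's own code. Placeholders: example.com,
# ZONE_ID_PLACEHOLDER, AKIA_PLACEHOLDER, and the namespaces "ingress,app-dev".
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - dns01:
          # The IAM user from "Requirements" edits this hosted zone.
          route53:
            region: us-east-1
            hostedZoneID: ZONE_ID_PLACEHOLDER
            accessKeyID: AKIA_PLACEHOLDER
            secretAccessKeySecretRef:
              # A ClusterIssuer resolves this Secret in cert-manager's own
              # namespace, i.e. kube-system when installed as on this page.
              name: route53-credentials
              key: secret-access-key
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: kube-system      # source namespace for the generated TLS secret
spec:
  secretName: wildcard-example-com-tls
  dnsNames:
    - "example.com"
    - "*.example.com"
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  # secretTemplate puts these annotations on the generated Secret, which is
  # what reflector watches; restrict the allowed namespaces to what needs the cert.
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "ingress,app-dev"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "ingress,app-dev"
```

Check the result with `kubectl get certificate -n kube-system` (READY should become True) and confirm the replicated secret appears in each listed namespace.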

Install cert-manager and Reflector via Helm

We will deploy the tools in kube-system.

Install cert-manager

helm repo add jetstack https://charts.jetstack.io --force-update

# Change --namespace if you deploy cert-manager somewhere other than kube-system.
helm upgrade --install \
  cert-manager jetstack/cert-manager \
  --namespace kube-system \
  --version v1.15.3 \
  --set crds.enabled=true

Install Reflector

helm repo add emberstack https://emberstack.github.io/helm-charts --force-update

# Change --namespace if you deploy Reflector somewhere other than kube-system.
helm upgrade --install \
  reflector emberstack/reflector \
  --namespace kube-system \
  --version v7.1.288

Create the Certificate via OpenTofu

The ClusterIssuer and wildcard Certificates are created with OpenTofu; pass the variable file for the target environment (dev.tfvars in this example).

cd <path_to_folder>

tofu init -var-file dev.tfvars
tofu plan -var-file dev.tfvars
tofu apply -var-file dev.tfvars

References