GoCD on Kubernetes using Terraform: Configuring SSL using Let's Encrypt

This blog is a continuation of GoCD on Kubernetes using Terraform: Setting up GoCD.

Configure cert-manager to issue a certificate

We got GoCD up and running on a public IP. Now we need to make the communication secure using HTTPS, and to set up HTTPS we need a domain name.

Get a domain name from any registrar and register it in Cloud DNS (console.cloud.google.com/net-services/dns/z.. -> Add record set): add an address (A) record that maps your domain name to the public IP we created.

We will install cert-manager in the cert-manager namespace. First we need to create a namespace called cert-manager.

resource "kubernetes_namespace" "cert_namespace" {
  metadata {
    name = "cert-manager"
  }
  depends_on = [google_container_node_pool.ci_nodes]
}

Install cert-manager to issue certificates. Use the latest stable version of cert-manager (this example pins v0.13.1).

data "helm_repository" "jetstack" {
  name = "jetstack"
  url  = "https://charts.jetstack.io"
}

# Note: this chart version does not install the cert-manager CRDs itself;
# they have to be applied separately as described in the cert-manager install docs.
resource "helm_release" "cert_manager" {
  name       = "cert-manager"
  namespace  = kubernetes_namespace.cert_namespace.metadata.0.name
  chart      = "jetstack/cert-manager"
  version    = "v0.13.1"
  depends_on = [kubernetes_namespace.cert_namespace]
}

Configure GoCD to use the custom domain.

resource "helm_release" "gocd" {
  name       = "gocd"
  chart      = "stable/gocd"
  namespace  = kubernetes_namespace.gocd_namespace.metadata.0.name
  depends_on = [kubernetes_namespace.gocd_namespace]

  # Expose the server through the nginx ingress and let cert-manager obtain a
  # TLS certificate for the host from the letsencrypt-prod Issuer (which must
  # exist in the same namespace as this release, since Issuer is namespaced).
  # The indented heredoc (<<-) strips the leading whitespace from the YAML.
  values = [
    <<-EOF
    server:
      ingress:
        enabled: true
        hosts:
          - <domain_name>
        annotations:
          kubernetes.io/ingress.class: nginx
          cert-manager.io/issuer: letsencrypt-prod
        tls:
          - secretName: gocd-secret
            hosts:
              - <domain_name>
    EOF
  ]
}

Replace <domain_name> with the domain you registered.

terraform apply

Set up the Let's Encrypt issuer

There is one manual step we need to do, using the kubectl command. Since we need a Let's Encrypt issuer, download the yaml file located at cert-manager.io/docs/tutorials/acme/example..

Save the downloaded file as cert-issuer.yaml for this example, and change the email value to a valid address (Let's Encrypt sends certificate expiry notices to it). Then deploy the yaml file into the gocd namespace, because the Issuer is a namespaced resource and the ingress annotation above looks it up in the namespace of the GoCD release.

kubectl apply -f cert-issuer.yaml -n gocd

It might take some time for the certificate to be issued. Once it is, visit your domain and check that the browser shows the lock symbol.
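As an added check that is not part of the original post, the following Python script connects to the domain, verifies the chain against the system trust store, and confirms that the leaf certificate was issued by Let's Encrypt, covers the host, and is not close to expiry (which would mean cert-manager is not renewing it). The host name ci.example.com and the 20-day threshold are assumptions.

```python
"""Check the TLS certificate that cert-manager obtained for the GoCD domain.
Added example, not from the original post; the host name and the 20-day
threshold are assumptions, replace them for your setup."""
import socket
import ssl
import sys
import time

MIN_DAYS_LEFT = 20  # assumed alert threshold, inside the window cert-manager renews in


def fetch_peer_cert(hostname, port=443):
    """Connect with chain and host-name verification against the system trust
    store and return the leaf certificate in the form getpeercert() uses."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_cert(cert, hostname, now=None):
    """Return the problems found in a getpeercert()-style dict (empty list = OK)."""
    now = time.time() if now is None else now
    problems = []
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != "Let's Encrypt":
        problems.append(f"issuer is {issuer.get('organizationName')!r}, not Let's Encrypt")
    # exact SAN match only; wildcard names are not expanded here
    sans = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    if hostname not in sans:
        problems.append(f"{hostname} is not in subjectAltName {sorted(sans)}")
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < MIN_DAYS_LEFT:
        problems.append(f"certificate expires in {days_left} days; renewal may be failing")
    return problems


# Constructed sample in the shape getpeercert() returns, for offline testing
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notAfter": "Jun 30 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "ci.example.com"),),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2030 GMT")  # 29 days before expiry

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ci.example.com"  # assumed domain
    for line in check_cert(fetch_peer_cert(host), host) or ["OK"]:
        print(line)
```

Run it as `python check_cert.py <domain_name>` after terraform apply; an empty problem list means the ingress is serving a valid Let's Encrypt certificate for the host.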

If you have got everything working so far, great stuff.

Continue reading Configuring OAuth with Github.

Credits to Selvakumar Natesan for directions.