Automating SSL Certificates in Kubernetes with Let’s Encrypt and ClusterIssuer Helm Charts

Now that we have a working k8s cluster with observability via Datadog, as we saw in Opting for Dual State in Terraform OCI OKE, we'll deploy a simple Hello World app that uses Let's Encrypt to automatically generate SSL certificates for our Kubernetes services.

Add Cluster SSL Issuer to the infra layer

Let's start by adding the cluster manager and issuer to our Terraform deployment:

resource "helm_release" "cert_manager" {
  name       = "cert-manager"
  namespace  = "cert-manager"
  repository = "https://charts.jetstack.io"
  chart      = "cert-manager"
  #version          = "v1.14.4"
  create_namespace = true

  set {
    name  = "installCRDs"
    value = "true"
  }
}

resource "helm_release" "cluster_issuer" {
  name       = "cluster-issuer"
  repository = "https://example.com/helm/charts"
  chart      = "cluster-issuer"
  namespace  = "cert-manager"
  depends_on = [helm_release.cert_manager]
}

Deploy an HTTPS Hello World App

With the help of the issuer we added in the previous step, we can deploy a Hello World app. We'll use Terraform's HTTP echo server to demonstrate this:

resource "helm_release" "hello_world" {
  name       = "hello-world"
  repository = "https://example.com/helm/charts"
  chart      = "hello-world"
  namespace  = var.kubernetes_namespace_apps
  version    = "0.1.2" # Specify the chart version, ensure this matches your Chart.yaml

  values = [
    file("../helm/hello-world/values.yaml")
  ]
  # Add any other specific values you want to override here using 'set' blocks
  # or by providing a values file.
  depends_on = [
    kubernetes_namespace.apps_namespace
  ]
}

Helm Chart for the Hello World App

In the Helm chart for the Hello World app, you can see attributes that are used to configure the app to use the cluster issuer we added in the previous step:

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-example
    nginx.ingress.kubernetes.io/rewrite-target: /
  hosts:
    - host: example.com
      paths:
        - path: /hello
          pathType: Prefix
  tls:
    - secretName: tls-secret-hello-world
      hosts:
        - example.com

Pass the cluster issuer name to the cert-manager.io/cluster-issuer annotation and specify the secret name that will hold the TLS certificate.

Source Code

You can find the complete source code for this example in the GitLab Helm Examples Repository.

For Terraform, check out the helm_releases.tf configuration file.

18 February 2026