Skip to main content
Chart referenceDescription
coreweave/cert-managerCoreWeave’s Helm chart for deploying cert-manager on CKS clusters

About cert-manager

cert-manager is an open-source tool that automates the management and issuance of TLS certificates in Kubernetes. CoreWeave provides a cert-manager Helm chart so you can deploy it on CKS clusters with sensible defaults. The chart supports Let’s Encrypt and CoreWeave’s DNS-based ACME solver. This page is for cluster operators who need to provision TLS certificates for workloads that run on CKS. The CoreWeave cert-manager chart includes a cert-issuers subchart that creates cert-manager Issuers and ClusterIssuers after you deploy cert-manager.
Because cert-issuers depends on an existing cert-manager deployment, cert-issuers is disabled by default to prevent failed deployments. When you enable it, the subchart creates a self-signed ClusterIssuer and Let’s Encrypt ClusterIssuers for both production and staging. You can override these with your preferred Issuer type.

Usage

The CoreWeave cert-manager chart provides defaults that work for most CoreWeave users, and you can deploy it as-is. For all configuration options, see the upstream cert-manager chart.

ClusterIssuer for ACME and DNS01 challenges

The ClusterIssuers bundled with cert-issuers use a DNS01 solver with cert-manager, backed by a CoreWeave webhook at acme.coreweave.com. When you request an ACME Certificate, cert-manager creates a Custom Resource called Order to initiate and track the request. Order then creates multiple Custom Resources called Challenge to validate that the requester owns the requested domain. DNS01 challenges provision a TXT record in the DNS zone for the requested domain. The ACME CA server resolves that record to validate your ownership of the domain. The CoreWeave webhook solver automates this step for domains that CoreWeave manages, so you don’t need a public-facing Ingress or a temporary web server. After all challenges complete successfully, cert-manager receives the requested certificate and configures your Ingress to use the key.
Because the bundled Let’s Encrypt ClusterIssuer uses the DNS01 challenge type, it supports wildcard certificates in addition to single-host certificates.

Example chart

The following example shows a complete cert-manager.yaml values file. It enables the bundled cert-issuers subchart with Let’s Encrypt production and staging ClusterIssuers and a self-signed ClusterIssuer. It also shows the cert-manager values CoreWeave recommends for CKS clusters. Use it as a starting point for your configuration.
cert-manager.yaml
cert-issuers:
  enabled: false
  clusterIssuers:
    - name: letsencrypt-prod
      annotations: {}
      labels: {}
      spec:
        acme:
          server: https://acme-v02.api.letsencrypt.org/directory
          privateKeySecretRef:
            name: letsencrypt-prod-account-key
          solvers:
            - dns01:
                webhook:
                  groupName: acme.coreweave.com
                  solverName: dns01
    - name: letsencrypt-staging
      annotations: {}
      labels: {}
      spec:
        acme:
          server: https://acme-staging-v02.api.letsencrypt.org/directory
          privateKeySecretRef:
            name: letsencrypt-staging-account-key
          solvers:
            - dns01:
                webhook:
                  groupName: acme.coreweave.com
                  solverName: dns01
    - name: selfsigned-cluster-issuer
      spec:
        selfSigned: {}
  issuers: []

cert-manager:
  global:
    podSecurityPolicy:
      enabled: false
  crds:
    enabled: true
    keep: true

Learn more

For more information about cert-manager usage, see:
Last modified on June 10, 2026