cert-manager

Install cert-manager and set up certificate issuers for Services

About cert-manager

cert-manager is a cloud-native X.509 certificate management controller for Kubernetes, capable of creating and obtaining TLS certificates from both public and private issuers.

CoreWeave's cert-manager Chart includes a cert-issuers subchart, which can be used to create cert-manager Issuers and ClusterIssuers once cert-manager has been deployed.

Important

Because cert-issuers requires cert-manager to have already been deployed and available, cert-issuers is disabled by default to prevent failed deployments. When enabled, the subchart creates a self-signed ClusterIssuer, and Let's Encrypt ClusterIssuers for both production and staging. These can be overridden with your desired Issuer type.

Usage

LetsEncrypt ClusterIssuer and HTTP01 Challenges

The ClusterIssuers bundled via cert-issuers are configured to use an HTTP01 Ingress solver with cert-manager.

When an ACME Certificate is requested, cert-manager creates a Custom Resource called Order to initiate and track the request. Order then creates multiple Custom Resources called Challenge to validate that the requester is actually the owner of the requested domain.

HTTP01 challenges accomplish this by creating and presenting a key on a publicly accessible, temporary web server via a temporary Ingress. The ACME CA server then retrieves the key as part of validating your ownership of the domain. Once all challenges have completed successfully, the requested certificate is provided to cert-manager, which then automatically configures your Ingress to use the resulting certificate.

Info

The bundled LetsEncrypt ClusterIssuer uses the HTTP01 challenge type, and therefore does not support wildcard certificates.

The CoreWeave cert-manager Chart is configured to provide the best possible experience to CoreWeave users, and can be deployed as-is. For all potential configuration options, see the upstream cert-manager Chart.

Example Chart

cert-manager.yaml

cert-issuers:
  enabled: false
  clusterIssuers:
    - name: letsencrypt-prod
      annotations: {}
      labels: {}
      spec:
        acme:
          server: https://acme-v02.api.letsencrypt.org/directory
          privateKeySecretRef:
            name: letsencrypt-prod-account-key
          solvers:
            - http01:
                ingress: {}
    - name: letsencrypt-staging
      annotations: {}
      labels: {}
      spec:
        acme:
          server: https://acme-staging-v02.api.letsencrypt.org/directory
          privateKeySecretRef:
            name: letsencrypt-staging-account-key
          solvers:
            - http01:
                ingress: {}
    - name: selfsigned-cluster-issuer
      spec:
        selfSigned: {}
  issuers: []
cert-manager:
  global:
    podSecurityPolicy:
      enabled: false
  crds:
    enabled: true
    keep: true
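The Info note above says the bundled HTTP01 issuers cannot validate wildcard names (that needs a DNS01 solver), and the subchart only creates ClusterIssuers, which a Certificate must reference with kind: ClusterIssuer (cert-manager defaults issuerRef.kind to the namespaced Issuer). The following pre-flight check, an added example that is not part of the CoreWeave chart or of cert-manager, catches both mistakes before a Certificate is applied; the issuer list and the sample Certificate are constructed copies of the chart values, and the names SAMPLE_CERT, solver_kinds and check_certificate are this example's own.

```python
# Constructed copy of the three ClusterIssuers the cert-issuers subchart creates.
CLUSTER_ISSUERS = [
    {"name": "letsencrypt-prod", "spec": {"acme": {
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "solvers": [{"http01": {"ingress": {}}}]}}},
    {"name": "letsencrypt-staging", "spec": {"acme": {
        "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
        "solvers": [{"http01": {"ingress": {}}}]}}},
    {"name": "selfsigned-cluster-issuer", "spec": {"selfSigned": {}}},
]


def solver_kinds(issuer):
    """Set of ACME solver kinds ('http01', 'dns01') an issuer offers; empty if it is not an ACME issuer."""
    acme = issuer["spec"].get("acme", {})
    return {kind for solver in acme.get("solvers", []) for kind in solver if kind in ("http01", "dns01")}


def check_certificate(cert, issuers=CLUSTER_ISSUERS):
    """Return a list of findings for a Certificate manifest; an empty list means it should issue."""
    spec = cert["spec"]
    ref = spec["issuerRef"]
    findings = []
    # issuerRef.kind defaults to the namespaced 'Issuer'; the subchart only creates ClusterIssuers.
    kind = ref.get("kind", "Issuer")
    if kind != "ClusterIssuer":
        findings.append(f"issuerRef.kind is {kind!r}; set kind: ClusterIssuer to use {ref['name']}")
    issuer = next((i for i in issuers if i["name"] == ref["name"]), None)
    if issuer is None:
        findings.append(f"no ClusterIssuer named {ref['name']!r}")
        return findings
    # Wildcard names can only be validated by a DNS01 solver; self-signed issuers sign any name.
    wildcards = [d for d in spec.get("dnsNames", []) if d.startswith("*.")]
    if "acme" in issuer["spec"] and wildcards and "dns01" not in solver_kinds(issuer):
        findings.append(f"{wildcards} are wildcards; {ref['name']} has no DNS01 solver, "
                        "so its HTTP01 challenges cannot validate them")
    return findings


# Constructed Certificate: a wildcard requested from the HTTP01-only production issuer.
SAMPLE_CERT = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "wildcard-example", "namespace": "default"},
    "spec": {"secretName": "wildcard-example-tls",
             "dnsNames": ["*.example.com"],
             "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}},
}

if __name__ == "__main__":
    for finding in check_certificate(SAMPLE_CERT):
        print("FINDING:", finding)
```

To run it against real manifests, load each Certificate with a YAML parser and pass the resulting dict to check_certificate.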

Learn more

For more information on cert-manager usage, see: