Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt

Use this file to discover all available pages before exploring further.

Chart referenceDescription
coreweave/cert-managerCoreWeave’s Helm chart for deploying cert-manager on CKS clusters

About cert-manager

CoreWeave’s cert-manager Chart includes a cert-issuers subchart, which can be used to create cert-manager Issuers and ClusterIssuers once cert-manager has been deployed.
Because cert-issuers requires cert-manager to have already been deployed and available, cert-issuers is disabled by default to prevent failed deployments. When enabled, the subchart creates a self-signed ClusterIssuer, and Let’s Encrypt ClusterIssuers for both production and staging. These can be overridden with your desired Issuer type.

Usage

LetsEncrypt ClusterIssuer and DNS01 challenges

The ClusterIssuers bundled via cert-issuer are configured to use a DNS01 solver with cert-manager, backed by a CoreWeave webhook at acme.coreweave.com. When an ACME Certificate is requested, cert-manager creates a Custom Resource called Order to initiate and track the request. Order then creates multiple Custom Resources called Challenge to validate that the requester is actually the owner of the requested domain. DNS01 challenges accomplish this by provisioning a TXT record in the DNS zone for the requested domain. The ACME CA server resolves that record to validate your ownership of the domain. The CoreWeave webhook solver automates this step for domains managed by CoreWeave, so no public-facing Ingress or temporary web server is required. Once all challenges have completed successfully, the requested certificate is provided to cert-manager, which then configures your Ingress to use the key.
Because the bundled LetsEncrypt ClusterIssuer uses the DNS01 challenge type, it supports wildcard certificates in addition to single-host certificates.
The CoreWeave cert-manager Chart is configured to provide the best possible experience to CoreWeave users, and can be deployed as-is. For all potential configuration options, see the upstream cert-manager Chart.

Example Chart

cert-manager.yaml
cert-issuers:
  enabled: false
  clusterIssuers:
    - name: letsencrypt-prod
      annotations: {}
      labels: {}
      spec:
        acme:
          server: https://acme-v02.api.letsencrypt.org/directory
          privateKeySecretRef:
            name: letsencrypt-prod-account-key
          solvers:
            - dns01:
                webhook:
                  groupName: acme.coreweave.com
                  solverName: dns01
    - name: letsencrypt-staging
      annotations: {}
      labels: {}
      spec:
        acme:
          server: https://acme-staging-v02.api.letsencrypt.org/directory
          privateKeySecretRef:
            name: letsencrypt-staging-account-key
          solvers:
            - dns01:
                webhook:
                  groupName: acme.coreweave.com
                  solverName: dns01
    - name: selfsigned-cluster-issuer
      spec:
        selfSigned: {}
  issuers: []

cert-manager:
  global:
    podSecurityPolicy:
      enabled: false
  crds:
    enabled: true
    keep: true

Learn more

For more information on cert-manager usage, see:
Last modified on April 22, 2026