# Cert-manager

> Install cert-manager and set up certificate issuers for Services

| Chart reference          | Description                                                       |
| ------------------------ | ----------------------------------------------------------------- |
| `coreweave/cert-manager` | CoreWeave's Helm chart for deploying cert-manager on CKS clusters |

## About cert-manager

[cert-manager](https://cert-manager.io/) is an open-source tool that automates the management and issuance of TLS certificates in Kubernetes. CoreWeave provides a `cert-manager` Helm chart so you can deploy it on CKS clusters with sensible defaults. The chart supports Let's Encrypt and CoreWeave's DNS-based ACME solver. This page is for cluster operators who need to provision TLS certificates for workloads that run on CKS.

The CoreWeave cert-manager chart includes a `cert-issuers` subchart that creates cert-manager [Issuers and ClusterIssuers](https://cert-manager.io/docs/concepts/issuer/) after you deploy cert-manager.

<Note>
  Because `cert-issuers` depends on an existing `cert-manager` deployment, `cert-issuers` is disabled by default to prevent failed deployments. When you enable it, the subchart creates a self-signed `ClusterIssuer` and [Let's Encrypt](https://letsencrypt.org/) `ClusterIssuers` for both production and staging. You can override these with your preferred `Issuer` type.
</Note>

## Usage

The CoreWeave `cert-manager` chart provides defaults that work for most CoreWeave users, and you can deploy it as-is. For all configuration options, see [the upstream cert-manager chart](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager).

### ClusterIssuer for ACME and DNS01 challenges

The `ClusterIssuers` bundled with `cert-issuers` use a [DNS01 solver with cert-manager](https://cert-manager.io/docs/configuration/acme/dns01/), backed by a CoreWeave webhook at `acme.coreweave.com`.

When you request an ACME Certificate, `cert-manager` creates a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) called `Order` to initiate and track the request. `Order` then creates multiple Custom Resources called `Challenge` to validate that the requester owns the requested domain.

`DNS01` challenges provision a `TXT` record in the DNS zone for the requested domain. The ACME CA server resolves that record to validate your ownership of the domain. The CoreWeave webhook solver automates this step for domains that CoreWeave manages, so you don't need a public-facing Ingress or a temporary web server. After all challenges complete successfully, `cert-manager` receives the requested certificate and configures your Ingress to use the key.

<Info>
  Because the bundled Let's Encrypt `ClusterIssuer` uses the `DNS01` challenge type, it supports wildcard certificates in addition to single-host certificates.
</Info>

## Example chart

The following example shows a complete `cert-manager.yaml` values file. It defines the bundled `cert-issuers` subchart's Let's Encrypt production and staging `ClusterIssuers` and a self-signed `ClusterIssuer`. The subchart is shown at its default of `enabled: false`; set it to `true` once cert-manager is deployed so that the issuers are created. The file also shows the cert-manager values CoreWeave recommends for CKS clusters. Use it as a starting point for your configuration.

```yaml title="cert-manager.yaml" theme={"system"}
cert-issuers:
  enabled: false  # default; set to true after cert-manager itself is deployed
  clusterIssuers:
    - name: letsencrypt-prod
      annotations: {}
      labels: {}
      spec:
        acme:
          server: https://acme-v02.api.letsencrypt.org/directory
          privateKeySecretRef:
            name: letsencrypt-prod-account-key
          solvers:
            - dns01:
                webhook:
                  groupName: acme.coreweave.com
                  solverName: dns01
    - name: letsencrypt-staging
      annotations: {}
      labels: {}
      spec:
        acme:
          server: https://acme-staging-v02.api.letsencrypt.org/directory
          privateKeySecretRef:
            name: letsencrypt-staging-account-key
          solvers:
            - dns01:
                webhook:
                  groupName: acme.coreweave.com
                  solverName: dns01
    - name: selfsigned-cluster-issuer
      spec:
        selfSigned: {}
  issuers: []

cert-manager:
  global:
    podSecurityPolicy:
      enabled: false
  crds:
    enabled: true
    keep: true
```
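
Once the issuers exist, a workload requests a certificate by creating a `Certificate` that references one of them. The manifest below is an added example, not part of CoreWeave's chart: it requests a wildcard certificate from the `letsencrypt-staging` `ClusterIssuer` defined above and mounts the resulting Secret on an Ingress. The namespace, resource names, Service, and `example.com` are placeholders.

```yaml
# Added example; not part of the CoreWeave chart. Namespace, names and
# example.com are placeholders: use a domain that CoreWeave manages for you.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: my-app
spec:
  secretName: wildcard-example-com-tls   # Secret that receives tls.crt and tls.key
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-staging            # switch to letsencrypt-prod once issuance works
  dnsNames:
    - "example.com"
    - "*.example.com"                    # wildcard names require the DNS01 challenge
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always               # generate a new private key at every renewal
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: my-app
spec:
  tls:
    - hosts:
        - app.example.com                # covered by the *.example.com name above
      secretName: wildcard-example-com-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app             # placeholder Service
                port:
                  number: 80
```

Certificates from the Let's Encrypt staging server are not trusted by browsers, so use staging only to confirm that the DNS01 flow completes. If issuance stalls, inspect the `Order` and `Challenge` resources that cert-manager created in the same namespace.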

## Learn more

For more information about cert-manager usage, see:

* [cert-manager Issuer configuration](https://cert-manager.io/docs/configuration/)
