cert-manager
Automated TLS certificate management for Kubernetes.
cert-manager is the de facto standard Kubernetes controller for managing X.509 certificates. It automates issuance and renewal from sources including Let's Encrypt (ACME), HashiCorp Vault and internal CAs. This cluster needs it to provision TLS certificates for all HTTPS ingress routes and to serve internal PKI needs, such as the admission webhook certificates of operators that rely on it (otel-operator and kubevela).
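As an added illustration of the internal PKI role (example manifests written for this page, not taken from the cluster repository): a self-signed bootstrap issuer signs a long-lived CA certificate, a second ClusterIssuer hands out leaf certificates from that CA, and a webhook certificate is requested from it. The names selfsigned-bootstrap, internal-ca, internal-ca-tls, example-webhook and the example-system namespace are assumptions.

```yaml
# Added example, not from the cluster repository. Assumed names:
# selfsigned-bootstrap, internal-ca, internal-ca-tls, example-webhook, example-system.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap
spec:
  selfSigned: {}
---
# The CA key pair. A ClusterIssuer can only read Secrets in the cert-manager
# namespace (the "cluster resource namespace"), so the CA Certificate lives there.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: internal-ca
  secretName: internal-ca-tls
  duration: 87600h    # 10 years
  renewBefore: 8760h  # re-issue one year before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: ClusterIssuer
    group: cert-manager.io
---
# Issuer that signs leaf certificates with the CA key above.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-ca-tls
---
# Short-lived leaf certificate for an in-cluster admission webhook.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-webhook
  namespace: example-system
spec:
  secretName: example-webhook-tls
  dnsNames:
    - example-webhook.example-system.svc
    - example-webhook.example-system.svc.cluster.local
  usages:
    - server auth
  duration: 2160h    # 90 days
  renewBefore: 360h  # renew 15 days before expiry
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
```

The API server still has to trust the CA when it calls the webhook; that is the cainjector's job, triggered by annotating the webhook configuration with cert-manager.io/inject-ca-from: example-system/example-webhook, which copies the CA bundle into its caBundle field.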
Alternatives considered
Self Hosted
| Tool | Open Source | Full Features | Notes |
|---|---|---|---|
| Vault PKI | Yes | Yes | Heavyweight; cert-manager can also use Vault as a PKI backend |
| step-ca | Yes | Yes | Lightweight ACME CA; works well with cert-manager |
Installation
Architecture
HelmRelease cert-manager in namespace cert-manager, chart version v1.20.1 from https://charts.jetstack.io. CRDs installed via crds.enabled: true in chart values. Gateway API integration enabled (enableGatewayAPI: true). Components: cert-manager controller, webhook, cainjector, and startupapicheck — all with matching resource limits.
Security
All four components (controller, webhook, cainjector and the startupapicheck job) share one resource profile, declared once in the values with a YAML anchor. No custom securityContext is set at the HelmRelease level, so the chart defaults apply; the upstream chart already runs every component as non-root with the RuntimeDefault seccomp profile, all capabilities dropped, allowPrivilegeEscalation: false and a read-only root filesystem. RBAC is cluster-wide: cert-manager needs cluster-level access to watch Ingress, Gateway and CertificateRequest resources, and its ClusterRole also grants create, update and delete on Secrets in every namespace, because issued certificates and their private keys are written there. Treat the cert-manager service accounts as highly privileged accordingly.
Updates
Managed by Renovate. Chart version is semver-pinned (v1.20.1); no digest pinning.
Administration
Usage
Operators create ClusterIssuer or Issuer resources to define where certificates come from, and Certificate resources to request them; cert-manager writes each issued certificate and key into the Secret named in spec.secretName. Gateway listeners and Ingress objects reference those Secrets for TLS termination (HTTPRoutes attach to a listener rather than referencing the Secret themselves), and with enableGatewayAPI: true a Gateway annotated with cert-manager.io/cluster-issuer gets a Certificate created for each of its HTTPS listeners. Other controllers (otel-operator, kubevela) use cert-manager for their admission webhook certificates via admissionWebhooks.certManager.enabled: true.
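The public ingress path end to end, as an added example that is not part of this page or the cluster repository: an ACME ClusterIssuer solving HTTP-01 through the Gateway API (this is what enableGatewayAPI: true enables), a Gateway whose HTTPS listener is fed by cert-manager via the cluster-issuer annotation, the equivalent explicit Certificate for clusters that prefer not to use the annotation, and an HTTPRoute attached to the listener. The names letsencrypt-prod, external-gateway, gateway-system, the GatewayClass external, app.example.com and the app backend are assumptions.

```yaml
# Added example, not from the cluster repository. Assumed names: letsencrypt-prod,
# external-gateway / gateway-system, GatewayClass "external", app.example.com, app.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # ACME account key, stored in the cert-manager namespace
    solvers:
      - http01:
          # Needs enableGatewayAPI: true in the controller config: cert-manager
          # creates a temporary HTTPRoute on this Gateway to answer the challenge.
          gatewayHTTPRoute:
            parentRefs:
              - name: external-gateway
                namespace: gateway-system
                kind: Gateway
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: external-gateway
  namespace: gateway-system
  annotations:
    # cert-manager watches this annotation and creates one Certificate per HTTPS listener.
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  gatewayClassName: external  # assumed GatewayClass name
  listeners:
    - name: http
      port: 80
      protocol: HTTP          # HTTP-01 challenges arrive on port 80
      allowedRoutes:
        namespaces:
          from: All           # challenge HTTPRoutes may come from other namespaces
    - name: https
      hostname: app.example.com
      port: 443
      protocol: HTTPS
      allowedRoutes:
        namespaces:
          from: All           # narrow with a Selector in production
      tls:
        mode: Terminate
        certificateRefs:
          - name: app-example-com-tls  # Secret cert-manager creates in this namespace
---
# Explicit alternative to the listener annotation. Use one or the other for a
# given secretName, never both, or two owners will fight over the Secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-example-com
  namespace: gateway-system
spec:
  secretName: app-example-com-tls
  dnsNames:
    - app.example.com
  duration: 2160h    # 90 days
  renewBefore: 720h  # renew 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always  # generate a fresh private key on every renewal
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
# The route only attaches to the listener; the TLS Secret is referenced by the Gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app
  namespace: app
spec:
  parentRefs:
    - name: external-gateway
      namespace: gateway-system
      sectionName: https
  hostnames:
    - app.example.com
  rules:
    - backendRefs:
        - name: app
          port: 8080
```

After applying, kubectl describe certificate app-example-com -n gateway-system should show Ready=True and an associated CertificateRequest; a Challenge stuck in pending almost always means the http listener is not reachable from the internet on port 80 or does not allow routes from the challenge's namespace.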
Cluster-specific deviations from the above live in the per-cluster README — see k8s/infrastructure/talos/controllers/cert-manager/README.md.
Cluster Deployment
- Talos
- Edge
cert-manager — Talos cluster
Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/platform/cert-manager.mdx.
Deviations from defaults
Defaults live in docusaurus/docs/platform/cert-manager.mdx — document anything this cluster does differently here, with a one-line reason.
- HelmRelease: cert-manager@v1.20.2
- HelmRepo: cert-manager (https://charts.jetstack.io)
Rendered manifests (kustomize build)
```yaml
apiVersion: v1
data:
  values.yaml: |
    resources: &resources
      limits:
        memory: 200Mi
      requests:
        cpu: 10m
        memory: 100Mi
    webhook:
      resources: *resources
    cainjector:
      resources: *resources
    startupapicheck:
      resources: *resources
    config:
      apiVersion: controller.config.cert-manager.io/v1alpha1
      kind: ControllerConfiguration
      enableGatewayAPI: true
kind: ConfigMap
metadata:
  name: cert-manager-values-g2k8bg2g7m
  namespace: cert-manager
```
- HelmRelease: cert-manager@v1.20.2
- HelmRepo: cert-manager (https://charts.jetstack.io)
Rendered manifests (kustomize build)
```yaml
apiVersion: v1
data:
  values.yaml: |
    resources: &resources
      limits:
        memory: 100Mi
      requests:
        cpu: 10m
        memory: 100Mi
    webhook:
      resources: *resources
    cainjector:
      resources: *resources
    startupapicheck:
      resources: *resources
    config:
      apiVersion: controller.config.cert-manager.io/v1alpha1
      kind: ControllerConfiguration
      enableGatewayAPI: true
kind: ConfigMap
metadata:
  name: cert-manager-values-b6kt9bkfbd
  namespace: cert-manager
```