cert-manager

cert-manager provides a Kubernetes operator, originally developed by Jetstack, for automating the management of X.509 certificates.

Objects

Issuer

Issuers define sources from which certificates can be obtained. There are a number of types:

  • selfSigned specifies a self-signed CA; the self-signed CA certificate can be generated by cert-manager.
  • acme specifies an ACME-compatible endpoint and a solver configuration for the ACME challenge.
  • ca specifies a secret containing a certificate from which issued certificates will be chained.
  • vault specifies a HashiCorp Vault (private) CA.
  • venafi allows using Venafi Cloud as a CA.

ClusterIssuer

The Issuer object is namespace-scoped. To issue certificates across all namespaces, use the ClusterIssuer instead.

Certificate

Certificates define desired X.509 certificates which should be automatically renewed.

CertificateRequest

CertificateRequests are issued by cert-manager in response to the creation, modification or approaching expiration of a Certificate. They contain the X.509 certificate request that will be sent to the issuer. They are typically consumed and manipulated by machines, not humans.

Order

Orders are used to track the lifecycle of an ACME certificate "order". One Order will be created for each CertificateRequest referencing an ACME issuer.

Challenge

Challenges are used to represent ACME challenges required for the authorisation process confirming ownership of a given DNS name.

ingress-shim

The Ingress Shim component automates creation of Certificates for Ingress resources via an annotation specifying the Issuer to use to obtain certificates.
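
The objects above fit together as in the following manifests, an added example that is not taken from the cert-manager project. The resource names, namespace, e-mail address, hostnames, ingress class and the choice of the Let's Encrypt staging endpoint are all assumptions.

```yaml
# Added example; names, e-mail and hostnames are constructed placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer            # cluster-scoped, so usable from every namespace
metadata:
  name: letsencrypt-staging    # assumed name
spec:
  acme:
    # ACME-compatible endpoint (assumed: Let's Encrypt staging)
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # Secret holding the ACME account key
    solvers:                   # solver configuration for the ACME challenge
      - http01:
          ingress:
            ingressClassName: nginx   # assumed ingress class
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: demo
  annotations:
    # ingress-shim reads this annotation and creates the Certificate
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - web.example.com      # DNS name placed in the certificate
      secretName: web-example-com-tls   # Secret the issued certificate is stored in
  rules:
    - host: web.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
```

After applying these, `kubectl get certificate,certificaterequest,order,challenge -n demo` lists the Certificate created by ingress-shim and the CertificateRequest, Order and Challenge objects derived from it.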

