cert-manager, originally developed by Jetstack, is a Kubernetes operator that automates the management of X.509 certificates.
Issuers define sources from which certificates can be obtained. There are a number of types:
selfSigned specifies a self-signed CA. The self-signed CA certificate can be generated.
acme specifies an ACME-compatible endpoint and a solver configuration for the ACME challenge.
ca specifies a secret containing a certificate from which issued certificates will be chained.
vault specifies a HashiCorp Vault (Private) CA.
venafi allows using Venafi Cloud as a CA.
The Issuer object is namespace-scoped. To issue certificates across all namespaces, use the ClusterIssuer instead.
Certificates define desired X.509 certificates which should be automatically renewed.
CertificateRequests are issued by cert-manager in response to the creation or editing of a Certificate, or to its approaching expiration. They contain the X.509 certificate request that will be sent to the issuer. Typically these are meant to be consumed and manipulated by machines, not humans.
Orders are used to track the lifecycle of an ACME certificate "order". One Order will be created for each CertificateRequest referencing an ACME issuer.
Challenges are used to represent ACME challenges required for the authorisation process confirming ownership of a given DNS name.
The Ingress Shim component automates creation of Certificates for Ingress resources via an annotation specifying the Issuer to use to obtain certificates.
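The following manifests are an added example, not taken from the cert-manager project, showing how the pieces described above fit together: a cluster-scoped acme issuer and an Ingress whose annotation makes the Ingress Shim create the Certificate. All names, hosts, the ACME server URL and the ingress class are placeholders or assumptions.

```yaml
# Constructed example: every name, host and URL below is a placeholder.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer              # cluster-scoped: usable from every namespace
metadata:
  name: example-acme
spec:
  acme:
    server: https://acme.example.com/directory   # placeholder ACME endpoint
    email: certs@example.com
    privateKeySecretRef:
      name: example-acme-account-key   # Secret that stores the ACME account key
    solvers:
      - http01:                  # solver configuration for the ACME challenge
          ingress:
            class: nginx         # assumed ingress class
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: demo
  annotations:
    # Read by the Ingress Shim, which creates a Certificate for the tls block
    # below. Use cert-manager.io/issuer instead to reference a namespaced Issuer.
    cert-manager.io/cluster-issuer: example-acme
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - www.example.com        # becomes a DNS name on the Certificate
      secretName: web-tls        # Secret that receives the key and certificate
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
```

After applying both documents, `kubectl get certificate,certificaterequest,order,challenge -n demo` lists the objects created along the chain. Where tenants share a cluster, a namespaced Issuer limits which namespaces can request certificates from a given source.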