cert-manager Module
cert-manager is a Kubernetes add-on that automates the management and issuance of TLS certificates from various sources. It provides a common API for certificate issuers and ensures certificates are valid and up to date.
Features
- Automatic Certificate Renewal: Automatically renews certificates before they expire
- Multiple Issuers: Supports Let's Encrypt, HashiCorp Vault, Venafi, self-signed, and more
- Kubernetes Native: Uses Custom Resource Definitions (CRDs) for certificate management
- Webhook Integration: Provides admission webhooks for validating and mutating certificate resources
Prerequisites
- Kubernetes cluster (installed via just k8s::install)
- kubectl configured with cluster admin permissions
Installation
Basic Installation
# Install cert-manager with default settings
just cert-manager::install
Environment Variables
Key environment variables (set via .env.local or environment):
CERT_MANAGER_NAMESPACE=cert-manager # Namespace for cert-manager
CERT_MANAGER_CHART_VERSION=v1.19.1 # cert-manager Helm chart version
Usage
Check Status
# View status of cert-manager components
just cert-manager::status
Create a Self-Signed Issuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
Apply the resource:
kubectl apply -f issuer.yaml
Create a Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: default
spec:
  secretName: example-cert-tls
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
  dnsNames:
    - example.com
    - www.example.com
Apply the resource:
kubectl apply -f certificate.yaml
View Certificates
# List all certificates
kubectl get certificates -A
# Describe a specific certificate
kubectl describe certificate example-cert -n default
Components
cert-manager installs three main components:
- cert-manager: Main controller managing Certificate resources
- cert-manager-webhook: Admission webhook for validating and mutating cert-manager resources
- cert-manager-cainjector: Injects CA bundles into webhooks and API services
Used By
cert-manager is required by:
- KServe: For webhook TLS certificates
Upgrade
# Upgrade cert-manager to a new version
just cert-manager::upgrade
Uninstall
# Remove cert-manager
just cert-manager::uninstall
This will:
- Uninstall cert-manager Helm release
- Delete cert-manager CRDs
- Delete namespace
Warning: Uninstalling will remove all Certificate, Issuer, and ClusterIssuer resources.
Troubleshooting
Check Controller Logs
kubectl logs -n cert-manager -l app=cert-manager
Check Webhook Logs
kubectl logs -n cert-manager -l app=webhook
Verify CRDs
kubectl get crd | grep cert-manager.io
Check Certificate Status
kubectl get certificate -A
kubectl describe certificate <name> -n <namespace>
Common issues:
- Certificate not ready: Check issuer configuration and logs
- Webhook errors: Ensure cert-manager webhook is running and healthy
- DNS validation failures: For ACME issuers, ensure DNS records are correct
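To triage the "Check Certificate Status" step across a whole cluster, the following added example (not part of this module) reads the JSON form of the certificate list and reports certificates that are not ready, expired, or past their renewal time. The sample data is constructed; the kserve/serving-cert and pending-cert entries and the function names are assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `kubectl get certificate -A -o json` (not real cluster output).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "example-cert"},
     "spec": {"issuerRef": {"name": "selfsigned-issuer", "kind": "ClusterIssuer"}},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}],
                "notAfter": "2025-04-01T00:00:00Z", "renewalTime": "2025-03-02T00:00:00Z"}},
    {"metadata": {"namespace": "kserve", "name": "serving-cert"},
     "spec": {"issuerRef": {"name": "selfsigned-issuer", "kind": "ClusterIssuer"}},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist",
                                "message": "Issuing certificate as Secret does not exist"}]}},
    {"metadata": {"namespace": "default", "name": "pending-cert"}, "spec": {}},
]})


def _ts(value):
    """Parse the RFC 3339 UTC timestamps cert-manager writes into status."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(cert_list_json, now):
    """Return (namespace/name, problem) pairs for certificates needing attention."""
    findings = []
    for item in json.loads(cert_list_json).get("items", []):
        ref = f"{item['metadata']['namespace']}/{item['metadata']['name']}"
        status = item.get("status") or {}  # a freshly created Certificate has no status
        ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
        if ready is None:
            findings.append((ref, "no Ready condition yet (controller has not processed it)"))
            continue
        if ready.get("status") != "True":
            findings.append((ref, f"not ready: {ready.get('reason')}: {ready.get('message', '')}"))
            continue
        if "notAfter" in status and _ts(status["notAfter"]) <= now:
            findings.append((ref, "expired"))
        elif "renewalTime" in status and _ts(status["renewalTime"]) <= now:
            findings.append((ref, "renewal overdue"))
    return findings


if __name__ == "__main__":
    for ref, problem in triage(SAMPLE, datetime.now(timezone.utc)):
        print(f"{ref}: {problem}")
```

To run it against a live cluster, pass the output of kubectl get certificate -A -o json to triage() in place of SAMPLE. A certificate that stays "renewal overdue" usually means the controller or the issuer is failing, so check the controller logs next.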