Skip to content
/ package-for-cert-manager Public

Kubernetes-native package for cert-manager, a cloud-native solution to automatically provision and manage X.509 certificates.

License

Apache-2.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kadras-io/package-for-cert-manager

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

87 Commits
.github
.github
 
 
docs
docs
 
 
package
package
 
 
test
test
 
 
.gitignore
.gitignore
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
LICENSE
LICENSE
 
 
MAINTAINERS.md
MAINTAINERS.md
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 

Repository files navigation

cert-manager

Test Workflow Release Workflow The SLSA Level 3 badge The Apache 2.0 license badge Follow us on Bluesky

A Carvel package for cert-manager, a cloud-native solution to automatically provision and manage X.509 certificates in Kubernetes.

🚀  Getting Started

Prerequisites

  • Kubernetes 1.31+

  • Carvel kctrl CLI.

  • Carvel kapp-controller deployed in your Kubernetes cluster. You can install it with Carvel kapp (recommended choice) or kubectl.

    kapp deploy -a kapp-controller -y \
  -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml

Installation

Add the Kadras package repository to your Kubernetes cluster:

kctrl package repository add -r kadras-packages \
  --url ghcr.io/kadras-io/kadras-packages \
  -n kadras-system --create-namespace
Installation without package repository The recommended way of installing the cert-manager package is via the Kadras package repository. If you prefer not using the repository, you can add the package definition directly using kapp or kubectl. 
kubectl create namespace kadras-system
kapp deploy -a cert-manager-package -n kadras-system -y \
  -f https://github.com/kadras-io/package-for-cert-manager/releases/latest/download/metadata.yml \
  -f https://github.com/kadras-io/package-for-cert-manager/releases/latest/download/package.yml

Install the cert-manager package:

kctrl package install -i cert-manager \
  -p cert-manager.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system

Note You can find the ${VERSION} value by retrieving the list of package versions available in the Kadras package repository installed on your cluster.

kctrl package available list -p cert-manager.packages.kadras.io -n kadras-system

Verify the installed packages and their status:

kctrl package installed list -n kadras-system

📙  Documentation

Documentation, tutorials and examples for this package are available in the docs folder. For documentation specific to cert-manager, check out cert-manager.io.

🎯  Configuration

The cert-manager package can be customized via a values.yml file.

letsencrypt:
  include: true
  production: true
  email: [email protected]

Reference the values.yml file from the kctrl command when installing or upgrading the package.

kctrl package install -i cert-manager \
  -p cert-manager.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system \
  --values-file values.yml

Values

The cert-manager package has the following configurable properties.

Configurable properties
Config Default Description
namespace cert-manager The namespace in which to deploy cert-manager.
policies.include false Whether to include the out-of-the-box Kyverno policies to validate and secure the package installation.

Settings for the corporate proxy.

Config Default Description
proxy.http_proxy "" The HTTPS proxy to use for network traffic.
proxy.https_proxy "" The HTTP proxy to use for network traffic.
proxy.no_proxy "" A comma-separated list of hostnames, IP addresses, or IP ranges in CIDR format that should not use the proxy.

Settings for the cert-manager controller.

Config Default Description
controller.loglevel 2 Number of the log level verbosity.
controller.replicas 1 The number of replicas. In order to enable high availability, 2 replicas are recommended.
controller.dns01.recursive_nameservers [] Each nameserver can be either the IP address and port of a standard recursive DNS server, or the endpoint to an RFC 8484 DNS over HTTPS endpoint.
controller.dns01.recursive_nameservers_only false When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers.

Settings for the cert-manager cainjector.

Config Default Description
cainjector.loglevel 2 Number of the log level verbosity.
cainjector.replicas 1 The number of replicas. In order to enable high availability, 2 replicas are recommended.

Settings for the cert-manager webhook.

Config Default Description
webhook.loglevel 2 Number of the log level verbosity.
webhook.replicas 1 The number of replicas. In order to enable high availability, at least 3 replicas are recommended.
webhook.host_network false Whether to run the webhook in the host network so that it can be reached by the cert-manager controller in environments like AWS EKS. More information: https://cert-manager.io/docs/installation/compatibility.
webhook.secure_port 6443 The port where the webhook is exposed. The default port needs changing in environments like AWS EKS and AWS Fargate. More information: https://cert-manager.io/docs/installation/compatibility.

Leader election configuration for the cert-manager controller and cainjector Deployments.

Config Default Description
leader_election.namespace kube-system Namespace used to perform leader election. The default namespace needs changing in environments like GKE. More information: https://cert-manager.io/docs/installation/compatibility.

Issues configuration.

Config Default Description
private_pki.include true Whether to include a ClusterIssuer for a private PKI.
letsencrypt.include false Whether to include a ClusterIssuer for Let's Encrypt.
letsencrypt.production false Whether to use Let's Encrypt staging (recommended for non-production environments) or production.
letsencrypt.email "" The email address that Let's Encrypt will use to send info on expiring certificates or other issues.
letsencrypt.challenge.type http01 The type of challenge used by the ACME CA Server. Valid options: http01, dns01.
letsencrypt.challenge.secret.name "" Name of the Secret containing the credentials needed for the dns01 challenge.
letsencrypt.challenge.secret.key "" The key within the Secret that contains the credentials needed for the dns01 challenge.
letsencrypt.challenge.secret.namespace "" Namespace containing the Secret with the credentials needed for the dns01 challenge.
letsencrypt.challenge.dns_provider http01 The DNS provider to use for the ACME dns01 challenge. Valid options: cloudflare, digital_ocean.

🛡️  Security

The security process for reporting vulnerabilities is described in SECURITY.md.

🖊️  License

This project is licensed under the Apache License 2.0. See LICENSE for more information.

About

Kubernetes-native package for cert-manager, a cloud-native solution to automatically provision and manage X.509 certificates.

Topics

tls kubernetes security certificate-management cert-manager carvel kapp-controller kadras

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases 30

v1.17.2 Latest
May 30, 2025
+ 29 releases

Packages

 
 
 

Languages