Cert-manager architecture and notes

The cert-manager service is an installation of cert-manager from its Helm chart repository. It creates cluster-internal private TLS certificates for applications that need them (such as admission webhooks). In environments that use Let's Encrypt certificates, it also obtains those certificates from Let's Encrypt and renews them automatically before they expire.

cert-manager optionally creates a cluster issuer that uses the DNS solver and Route 53 for DNS. Set config.createIssuer to false for environments where cert-manager should be installed but not use a Route 53 cluster issuer.

For more information on the options for TLS certificate management, see Hostnames and TLS.

Using cert-manager

To configure an Ingress to use certificates issued by cert-manager, add a tls section to the Ingress spec and add the annotation:

cert-manager.io/cluster-issuer: "letsencrypt-dns"

Typically, this should be done on one and only one Ingress for an environment using cert-manager. The RSP conventionally uses the squareone application. (There are some special exceptions that have their own ingresses or otherwise need valid CA-issued certificates, such as alert-stream-broker and sasquatch.)
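The following is an added example of the configuration described above; it is not taken from the cert-manager or Phalanx sources. Only the annotation value letsencrypt-dns comes from this page. The hostname, namespace, Secret name, ingress class and backend service and port are placeholders assumed for illustration and should be replaced with the environment's real values.

```yaml
# Added example, not from the original page. An Ingress that asks cert-manager
# for a Let's Encrypt certificate through the letsencrypt-dns ClusterIssuer.
# Hostname, namespace, Secret name, ingress class, service name and port are
# placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: squareone
  namespace: squareone
  annotations:
    # Names the ClusterIssuer that should issue the certificate for the
    # hosts listed under spec.tls.
    cert-manager.io/cluster-issuer: "letsencrypt-dns"
spec:
  ingressClassName: nginx   # assumption: the environment's ingress class
  tls:
    # cert-manager creates a Certificate resource for the hosts listed here
    # and stores the issued key pair in the named Secret, which the ingress
    # controller then serves for TLS.
    - hosts:
        - data.example.org       # placeholder hostname
      secretName: squareone-tls  # placeholder Secret name
  rules:
    - host: data.example.org     # placeholder hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: squareone  # placeholder backend service
                port:
                  number: 80     # placeholder backend port
```

After applying the Ingress, cert-manager creates a Certificate resource in the same namespace named after the Secret (squareone-tls in this example). Check that issuance completed with `kubectl get certificate -n squareone`; the READY column should read True. If it stays False, `kubectl describe certificate squareone-tls -n squareone` shows the events from the DNS-01 challenge, which is where Route 53 permission or DNS propagation problems surface.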