Cert-manager architecture and notes

The cert-manager service is an installation of cert-manager from its Helm chart repository. It creates TLS certificates via Let’s Encrypt and automatically renews them.

This application is only deployed on clusters managed by SQuaRE on Google Cloud Platform. If a site uses some other process to manage its certificates, it is the responsibility of that site’s administrative team to acquire and deploy those certificates.

cert-manager creates a cluster issuer that uses the DNS solver and Route 53 for DNS by default. Set config.createIssuer to false for environments where cert-manager should be installed but not use a Route 53 cluster issuer. For more information, see Hostnames and TLS.

Using cert-manager

To configure an Ingress to use certificates issued by cert-manager, add a tls configuration to the Ingress along with the following annotation:

cert-manager.io/cluster-issuer: "letsencrypt-dns"

This should be done on one and only one Ingress for an environment using cert-manager. The RSP conventionally uses the squareone application.
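A way to check the rule above, as an added example that is not part of the Phalanx code base: the function audits an Ingress list in the JSON shape returned by `kubectl get ingress -A -o json` and reports when the annotation is missing, duplicated, or not paired with a tls configuration. The sample data, including the namespaces, Ingress names, hostname and secret name, is constructed for illustration.

```python
ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"
EXPECTED_ISSUER = "letsencrypt-dns"


def audit_ingresses(ingress_list):
    """Return a list of problems; an empty list means the environment is consistent."""
    problems = []
    annotated = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        name = f'{meta.get("namespace", "default")}/{meta.get("name")}'
        issuer = (meta.get("annotations") or {}).get(ISSUER_ANNOTATION)
        if issuer is None:
            continue  # this Ingress does not request a certificate
        annotated.append(name)
        if issuer != EXPECTED_ISSUER:
            problems.append(f"{name}: unexpected issuer {issuer!r}")
        tls = item.get("spec", {}).get("tls") or []
        if not tls:
            problems.append(f"{name}: annotation set but no tls configuration")
        for entry in tls:
            # hosts are the names to request; secretName is where the
            # issued certificate is stored.
            if not entry.get("hosts") or not entry.get("secretName"):
                problems.append(f"{name}: tls entry needs hosts and secretName")
    if len(annotated) != 1:
        problems.append(
            f"expected exactly one annotated Ingress, found {len(annotated)}: {annotated}"
        )
    return problems


# Constructed sample: one Ingress carries the annotation and tls block,
# the other relies on the certificate that the first one obtains.
SAMPLE = {"items": [
    {"metadata": {"namespace": "squareone", "name": "squareone",
                  "annotations": {ISSUER_ANNOTATION: "letsencrypt-dns"}},
     "spec": {"tls": [{"hosts": ["rsp.example.org"],
                       "secretName": "squareone-tls"}]}},
    {"metadata": {"namespace": "portal", "name": "portal"},
     "spec": {"rules": []}},
]}

if __name__ == "__main__":
    for problem in audit_ingresses(SAMPLE) or ["ok: exactly one Ingress requests the certificate"]:
        print(problem)
```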