Cert Manager Component
Automated TLS certificate management for Kubernetes. Supports Let's Encrypt, ZeroSSL, self-signed, and custom CA issuers with automatic renewal.
Architecture
- Cert Manager: Certificate controller
- Issuers: Certificate authorities (ACME, self-signed)
- Certificates: TLS cert resources
- Secrets: Auto-created K8s TLS secrets
Quick Reference
| Attribute | Example | Default | Effect |
|---|---|---|---|
| namespace (required) | cert-manager | - | Kubernetes namespace |
| issuer_type | letsencrypt | letsencrypt | letsencrypt, zerossl, selfsigned, generic |
| email | admin@example.com | - | ACME account email |
| dns_names | *.example.com | - | Certificate DNS names |
| solver_type | http01 | http01 | ACME challenge type |
| secret_name | tls-secret | - | TLS secret name |
Link Variables
| Variable | Link Type | Purpose |
|---|---|---|
| __prometheus | prometheus-cert_manager | Certificate expiry metrics |
| __ingress | gateway-cert_manager | HTTP01 solver ingress |
| __external_dns | cert_manager-external_dns | DNS01 solver automation |
Issuer Types
| Type | Use Case | File Generated |
|---|---|---|
| letsencrypt | Production public certs (free) | letsencrypt-issuer.yaml |
| zerossl | Alternative ACME CA | zerossl-issuer.yaml |
| selfsigned | Development/internal | selfsigned-issuer.yaml |
| generic_acme | Custom ACME server | generic_acme-issuer.yaml |
| generic_non_acme | Venafi, Vault, custom CA | generic_non_acme-issuer.yaml |
Generated Files
| File | Condition | Contains |
|---|---|---|
| helm/helm-values.yaml | Always | Cert-manager Helm config |
| cert-manager.crds.yaml | Always | CRD definitions |
| certificate.yaml | Always | Certificate resource |
| issuer/*.yaml | Per issuer_type | ClusterIssuer/Issuer |
Ports
| Port | Purpose | Protocol |
|---|---|---|
| 9402 | Metrics endpoint | HTTP |
| 10250 | Webhook | HTTPS |
ACME Challenge Solvers
HTTP01:
- Requires ingress controller
- Verifies via /.well-known/acme-challenge/
DNS01:
- Works with external-dns
- Supports wildcard certificates
- Requires DNS provider credentials
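
A cert-manager ClusterIssuer and Certificate that use both solver types, written here as an added example and not taken from this component's generated files. The issuer name, the nginx ingress class, Cloudflare as DNS provider and the Secret names are assumptions.

```yaml
# Added example: hand-written cert-manager manifests, not this component's output.
# Assumed: issuer name, nginx ingress class, Cloudflare DNS, Secret names.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # ACME account key, created by cert-manager
    solvers:
      # DNS01 for the zone that carries the wildcard name. Wildcards need DNS01;
      # Let's Encrypt does not validate them over HTTP01.
      - selector:
          dnsZones:
            - example.com
        dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token  # DNS provider credential (assumed name)
              key: api-token
      # HTTP01 fallback for names outside that zone; needs an ingress controller
      # that serves /.well-known/acme-challenge/ on port 80.
      - http01:
          ingress:
            ingressClassName: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: default
spec:
  secretName: tls-secret  # TLS Secret cert-manager creates and renews
  dnsNames:
    - "*.example.com"
    - example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
```

For a ClusterIssuer, the account-key and DNS credential Secrets are read from cert-manager's cluster resource namespace, which defaults to the namespace cert-manager runs in. Scope the DNS API token to the single zone it has to edit, since anyone holding it can satisfy DNS01 challenges for that zone.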
Technical Info
Chart Version: 1.15.0
Ports: 9402 (metrics), 10250 (webhook)
Extensions: local_extensions.password_hash