cert-manager
cert-manager automates the issuance and renewal of TLS certificates within the cluster. It watches for Certificate resources and Ingress annotations, then provisions certificates from the configured cluster issuers.
Details
| Field | Value |
|---|---|
| Chart | cert-manager |
| Repository | https://charts.jetstack.io |
| Version | v1.20.0 |
| Namespace | cert-manager (CreateNamespace=true) |
| Sync Wave | -3 |
Key Configuration
- CRDs: Installed via the Helm chart (`crds.enabled: true`).
- Cluster Issuer Chain: A three-stage chain bootstraps a private CA for the cluster:
  - selfsigned-issuer -- a `ClusterIssuer` of type `SelfSigned`, used only to sign the root CA certificate.
  - homelab-ca -- a `Certificate` resource marked `isCA: true`, using an ECDSA P-256 key. Signed by `selfsigned-issuer` and stored in the secret `homelab-ca-secret`. That secret holds the root's private key, so read access to it is equivalent to the ability to mint certificates that every LAN client trusts; keep RBAC on the cert-manager namespace tight.
  - homelab-ca-issuer -- a `ClusterIssuer` of type `CA` that references `homelab-ca-secret`. This is the issuer used by all application ingresses.
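The three stages of the chain written out as cert-manager manifests. This is an added example for this page, not the manifests from the repository it documents: the resource names, key algorithm and secret name follow the text above, while the API version, the common name and the root's duration and renewal window are assumptions. Note that the `homelab-ca` Certificate (and therefore `homelab-ca-secret`) has to live in the namespace cert-manager runs in, because a `ClusterIssuer` of type `CA` looks up its secret in that "cluster resource namespace".

```yaml
# Added example (not the project's own manifests): three-stage private CA chain.
# Stage 1: a SelfSigned ClusterIssuer that exists only to sign the root.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
# Stage 2: the root CA itself, as a Certificate with isCA: true.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: homelab-ca
  namespace: cert-manager        # must match the cluster resource namespace
spec:
  isCA: true
  commonName: homelab-ca         # assumed
  secretName: homelab-ca-secret  # holds tls.crt (root cert) and tls.key (root key)
  duration: 87600h               # assumed: ten-year root
  renewBefore: 8760h             # assumed: re-issue a year before expiry
  privateKey:
    algorithm: ECDSA
    size: 256                    # ECDSA P-256, as described on the page
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
# Stage 3: the CA ClusterIssuer every application Ingress points at.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: homelab-ca-issuer
spec:
  ca:
    secretName: homelab-ca-secret
```

After applying, `kubectl get clusterissuer` should show both issuers with `READY True`; `homelab-ca-issuer` stays `False` until the `homelab-ca` Certificate has been issued and its secret populated, so if it never becomes ready, check `kubectl -n cert-manager describe certificate homelab-ca` first.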
Cluster Integration
Every Ingress resource in the cluster is annotated with:
cert-manager.io/cluster-issuer: homelab-ca-issuer
This triggers cert-manager to automatically provision a TLS certificate for the hosts listed in the Ingress's `spec.tls` section, writing it to the `secretName` given there; an Ingress carrying the annotation but no `spec.tls` entry gets no certificate. Because the CA is internal, browsers on the LAN must trust the homelab-ca root certificate to avoid warnings. Distribute only the public certificate (`tls.crt` from `homelab-ca-secret`), never `tls.key`.
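An Ingress that cert-manager's ingress-shim turns into a Certificate, shown as an added example rather than one of the cluster's own manifests. The annotation and issuer name are from the page; the hostname, namespace, ingress class, backend service and TLS secret name are assumptions.

```yaml
# Added example (not from the project): Ingress annotated for homelab-ca-issuer.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana                        # assumed application
  namespace: monitoring                # assumed
  annotations:
    cert-manager.io/cluster-issuer: homelab-ca-issuer
spec:
  ingressClassName: nginx              # assumed
  tls:
    - hosts:
        - grafana.homelab.lan          # becomes the certificate's DNS SAN
      secretName: grafana-tls          # cert-manager stores tls.crt/tls.key here
  rules:
    - host: grafana.homelab.lan
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grafana
                port:
                  number: 3000
```

To confirm issuance, `kubectl -n monitoring get certificate grafana-tls` should report `READY True`, and `kubectl -n monitoring get secret grafana-tls` should exist. To export the root for LAN clients, read only the certificate half of the CA secret, for example `kubectl -n cert-manager get secret homelab-ca-secret -o jsonpath='{.data.tls\.crt}' | base64 -d > homelab-ca.crt`, and import that file into the OS or browser trust store.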
cert-manager deploys at sync wave -3 so that the issuer chain is ready before any ingress controller or application attempts to request a certificate.