Revision as of 17:41, 6 January 2022 by imported>JMeybohm


cert-manager adds (among others) a Certificate CRD to the Kubernetes clusters, which automates obtaining and renewing TLS certificates. A so-called Issuer component, the cfssl-issuer, is used as a bridge to our PKI, which does the actual signing.


All components are installed to clusters using the install_cert_manager toggle in helmfile.d/admin_ng/helmfile.yaml.


While cert-manager is deployed with its default config, cluster operators need to provide at least one CFSSLClusterIssuer/Issuer object that defines the URL, credentials and configuration of the PKI server, as well as which label (CFSSL's term for an intermediate CA) and signing profile/policy to use.

This is all taken care of by the cfssl-issuer Helm chart.
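
As an added illustration (not taken from the original page or from the cfssl-issuer project), a cert-manager Certificate that requests a TLS certificate through such an issuer could look like the manifest below. Only the Certificate kind and the CFSSLClusterIssuer kind come from the text above; the object names, namespace, DNS name, lifetimes and the issuerRef group are placeholders or assumptions.

```yaml
# Added example: a cert-manager Certificate signed via an external issuer.
# All names and values below are constructed placeholders.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-service-tls          # placeholder
  namespace: example-namespace       # placeholder
spec:
  # Secret that cert-manager creates and keeps up to date with
  # tls.crt / tls.key; the workload mounts this Secret.
  secretName: example-service-tls
  dnsNames:
    - example-service.example.org    # placeholder
  # Short lifetimes limit the window in which a leaked key is useful.
  # The effective lifetime is still bounded by the signing profile on the PKI side.
  duration: 672h                     # assumption: 28 days
  renewBefore: 168h                  # assumption: renew 7 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always           # generate a new key on every renewal
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    # For external (non-built-in) issuers cert-manager needs the API group
    # in addition to kind and name, otherwise it assumes cert-manager.io.
    group: cfssl-issuer.example.org  # placeholder: use the API group of the installed issuer CRD
    kind: CFSSLClusterIssuer         # kind as named on this page
    name: example-issuer             # placeholder: the issuer object provided by the cluster operator
```

`kubectl describe certificate example-service-tls -n example-namespace` shows whether the issuer accepted the request and when the next renewal is scheduled.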


A Grafana dashboard can be found at: