Cert Manager

Learn how and why deployKF uses cert-manager. Learn how to integrate your existing cert-manager with deployKF and Kubeflow.


What is cert-manager?

Cert-Manager is a widely-used Kubernetes operator that declaratively manages TLS certificates using Kubernetes resources.

The core resource of cert-manager is the Certificate, which is a Kubernetes custom resource that specifies the details of a TLS certificate (e.g. domain name). Each Certificate references an Issuer (or ClusterIssuer) which tells cert-manager how to provision the certificate (e.g. using Let's Encrypt or self-signing). Cert-Manager can store provisioned certificates in Kubernetes Secrets so they can be used by Pods, and will automatically renew the certificate when it is about to expire.

What is trust-manager?

Trust-Manager is a Kubernetes operator that declaratively manages trust bundles using Kubernetes resources. deployKF uses trust-manager when self-signed certificates are configured (the default) because it allows us to distribute the root CA certificate (via our root CA Bundle) to all services in the platform.


How does deployKF use cert-manager?

deployKF uses cert-manager to provision TLS certificates for the Istio Ingress Gateway. Furthermore, many tools in the platform use cert-manager to provision TLS certificates for internal webhooks and APIs.

See the Expose Gateway and Configure TLS guide for more details.


Can I use my existing cert-manager?

Yes.

If you want to bring your own cert-manager deployment, you may set the deploykf_dependencies.cert_manager.enabled value to false to disable the deployKF-managed one:

deploykf_dependencies:
  cert_manager:
    enabled: false

When you do this, the deploykf_dependencies.cert_manager.clusterIssuer value still selects the ClusterIssuer (which must be provisioned by you) that is used to generate certificates for the Istio Gateway:

deploykf_dependencies:
  cert_manager:
    enabled: false

    clusterIssuer:
      ## NOTE: when `cert_manager.enabled` is false, 
      ##       all other `cert_manager` values have NO effect
      issuerName: my-cluster-issuer
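
One way to provision the ClusterIssuer that these values point at, shown as an added example (not taken from the deployKF documentation) using cert-manager's self-signed CA bootstrap pattern. The `cert-manager` namespace and the names `selfsigned-bootstrap` and `my-root-ca` are assumptions; only `my-cluster-issuer` comes from the values above.

```yaml
## ASSUMPTION: cert-manager runs in the `cert-manager` namespace, which is its
## default "cluster resource namespace" (where a ClusterIssuer looks up Secrets).
## `selfsigned-bootstrap` and `my-root-ca` are illustrative names.

## 1. bootstrap issuer, used only to sign the root CA certificate
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap
spec:
  selfSigned: {}
---
## 2. root CA certificate and private key, stored in the `my-root-ca` Secret
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-root-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: my-root-ca
  secretName: my-root-ca
  duration: 87600h  # 10 years
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: selfsigned-bootstrap
---
## 3. the issuer that `clusterIssuer.issuerName` refers to;
##    it signs certificates with the CA key held in `my-root-ca`
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-cluster-issuer
spec:
  ca:
    secretName: my-root-ca
```

Certificates signed by this CA are trusted only by clients that have been given its root certificate. Anyone who can read the `my-root-ca` Secret can issue certificates under it, so restrict access to that namespace.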

Last update: 2024-03-14
Created: 2024-01-16