Cert Manager

Learn how and why deployKF uses cert-manager. Learn how to integrate your existing cert-manager with deployKF and Kubeflow.


What is cert-manager?

Cert-Manager is a widely-used Kubernetes operator that declaratively manages TLS certificates using Kubernetes resources.

The core resource of cert-manager is the Certificate, which is a Kubernetes custom resource that specifies the details of a TLS certificate (e.g. domain name). Each Certificate references an Issuer (or ClusterIssuer) which tells cert-manager how to provision the certificate (e.g. using Let's Encrypt or self-signing). Cert-Manager can store provisioned certificates in Kubernetes Secrets so they can be used by Pods, and will automatically renew the certificate when it is about to expire.

What is trust-manager?

Trust-Manager is a Kubernetes operator that declaratively manages trust bundles using Kubernetes resources. deployKF uses trust-manager when self-signed certificates are configured (the default) because it allows us to distribute the root CA certificate (via our root CA Bundle) to all services in the platform.


How does deployKF use cert-manager?

deployKF uses cert-manager to provision TLS certificates for the Istio Ingress Gateway. Furthermore, many tools in the platform use cert-manager to provision TLS certificates for internal webhooks and APIs.

See the Configure TLS Certificates guide for more details.


Can I use my existing cert-manager?

Yes.

If you already have cert-manager deployed in your cluster, you may configure deployKF to use it instead of the embedded one.

Valid Certificates Required

If you disable the embedded cert-manager, the ClusterIssuer you configure MUST be able to provision valid certificates (not self-signed). Otherwise, deployKF will fail to start due to certificate validation errors.

This is not a problem when using the embedded cert-manager, as all components are automatically configured to trust the default self-signed root CA.

Step 1 - Disable Embedded Cert-Manager

Disable the embedded cert-manager by setting the deploykf_dependencies.cert_manager.enabled value to false:

deploykf_dependencies:
  cert_manager:
    enabled: false

Step 2 - Configure ClusterIssuer

When the embedded cert-manager is disabled, the deploykf_dependencies.cert_manager.clusterIssuer value still selects the ClusterIssuer to use (which must be provisioned by you).

For example, to use a ClusterIssuer named my-cluster-issuer, you would set the following values:

deploykf_dependencies:
  cert_manager:
    enabled: false

    clusterIssuer:
      ## NOTE: when `cert_manager.enabled` is false, 
      ##       all other `cert_manager` values have NO effect
      issuerName: my-cluster-issuer

If you don't already have a ClusterIssuer, see Use Let's Encrypt with Cert-Manager for an example of how to configure one.
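
A pre-flight check for the "Valid Certificates Required" condition and the issuerName set in Step 2. This is an added example, not part of deployKF or cert-manager; it inspects a ClusterIssuer object as returned by `kubectl get clusterissuer my-cluster-issuer -o json`. The function name, the sample objects, and the treatment of `ca` issuers are assumptions of this example.

```python
import json
import sys

# Issuer types cert-manager accepts as keys under `spec`.
ISSUER_TYPES = ("acme", "ca", "vault", "venafi", "selfSigned")


def check_cluster_issuer(issuer, expected_name):
    """Return a list of problems; an empty list means the issuer passes."""
    problems = []
    if issuer.get("kind") != "ClusterIssuer":
        problems.append(f"kind is {issuer.get('kind')!r}, not 'ClusterIssuer'")
    name = issuer.get("metadata", {}).get("name")
    if name != expected_name:
        problems.append(f"name is {name!r}, but issuerName is {expected_name!r}")
    kinds = [t for t in ISSUER_TYPES if t in issuer.get("spec", {})]
    if not kinds:
        problems.append("spec has no recognised issuer type")
    if "selfSigned" in kinds:
        problems.append("selfSigned issuer: certificates will fail validation")
    if "ca" in kinds:
        # Assumption of this example: a private CA counts as valid only if
        # every component already trusts its root.
        problems.append("ca issuer: valid only if all components trust this CA")
    conditions = issuer.get("status", {}).get("conditions", [])
    if not any(c.get("type") == "Ready" and c.get("status") == "True"
               for c in conditions):
        problems.append("issuer does not report Ready=True")
    return problems


# Constructed sample objects, shaped like `kubectl get clusterissuer -o json`.
ACME_ISSUER = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "my-cluster-issuer"},
    "spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory"}},
    "status": {"conditions": [{"type": "Ready", "status": "True"}]},
}
SELF_SIGNED_ISSUER = {**ACME_ISSUER, "spec": {"selfSigned": {}}}

if __name__ == "__main__":
    # Optional argument: path to a file saved from
    #   kubectl get clusterissuer my-cluster-issuer -o json
    issuer = ACME_ISSUER
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            issuer = json.load(fh)
    for problem in check_cluster_issuer(issuer, "my-cluster-issuer"):
        print("PROBLEM:", problem)
```

Run it before setting `enabled: false`, so a self-signed or not-yet-ready issuer is caught before deployKF components start failing certificate validation.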


Last update: 2024-04-27
Created: 2024-01-16