README


cert-manager

cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources.

It periodically checks that certificates are valid and up to date, and attempts to renew them at an appropriate time before expiry.

It is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects e.g. kube-cert-manager.

cert-manager high level overview diagram

Documentation

Documentation for cert-manager can be found at cert-manager.io. Please make sure to select the correct version of the documentation to view on the top right of the page.

Issues and PRs towards the documentation should be filed in the website repo.

For the common use-case of automatically issuing TLS certificates to Ingress resources, aka a kube-lego replacement, see the cert-manager nginx ingress quick start guide.

See Installation within the documentation for installation instructions.

Troubleshooting

If you encounter any issues whilst using cert-manager, there are a number of places you can go to get help.

First of all we recommend looking at the troubleshooting guide of our documentation.

The quickest way to ask a question is to first post on our Slack channel (#cert-manager) on the Kubernetes Slack. There are a lot of community members in this channel, and you can often get an answer to your question straight away!

You can also try searching for an existing issue. Properly searching for an existing issue will help reduce the number of duplicates, and help you find the answer you are looking for more quickly.

Please also make sure to read through the relevant pages in the documentation before opening an issue. You can also search the documentation using the search box on the top left of the page.

If you believe you have encountered a bug, and cannot find an existing issue similar to your own, you may open a new issue. Please be sure to include as much information as possible about your environment.

Community

The cert-manager-dev Google Group is used for project wide announcements and development coordination. Anybody can join the group by visiting here and clicking "Join Group". A Google account is required to join the group.

Bi-weekly Development Meeting

Once you've joined the cert-manager-dev Google Group, you should receive an invite to the bi-weekly development meeting, hosted every other Wednesday at 5pm London time on Google Meet.

Anyone is welcome to join these calls, even if just to ask questions. Meeting notes are recorded in Google docs.

Daily Standups

You are also welcome to join our daily standup every weekday at 10.30am London time on Google Meet. For more information, see cert-manager.io.

Contributing

We welcome pull requests with open arms! There's a lot of work to do here, and we're especially concerned with ensuring the longevity and reliability of the project.

Please take a look at our issue tracker if you are unsure where to start with getting involved!

We also use the #cert-manager and #cert-manager-dev channels on Kubernetes Slack for chat relating to the project.

Developer documentation is available on the cert-manager.io website.

Coding Conventions

Code style guidelines are documented on the coding conventions page of the cert-manager website. Please try to follow those guidelines if you're submitting a pull request for cert-manager.

Importing cert-manager as a Module

⚠️ Please note that cert-manager does not currently provide a Go module compatibility guarantee. That means that most code under pkg/ is subject to change in a breaking way, even between minor or patch releases and even if the code is currently publicly exported.

This lack of a Go module compatibility guarantee does not affect API version guarantees under the Kubernetes Deprecation Policy.

Security Reporting

Security is the number one priority for cert-manager. If you think you've found a security vulnerability, we'd love to hear from you.

Please follow the instructions in SECURITY.md to report a vulnerability to the team.

Changelog

The list of releases is the best place to look for information on changes between releases.

Logo design by Zoe Paterson

Directories

Path Synopsis
cmd
ctl
devel
hack
pkg
acme/webhook
Package webhook provides a library that can be used to build external ACME solver webhooks.
acme/webhook/apis/acme
Package acme contains type definitions for ACME ChallengePayload resources
acme/webhook/apis/acme/v1alpha1
Package v1alpha1 is the v1alpha1 version of the API.
api
apis/acme
Package acme contains types in the acme cert-manager API group
apis/acme/v1
Package v1 is the v1 version of the API.
apis/acme/v1alpha2
Package v1alpha2 is the v1alpha2 version of the API.
apis/acme/v1alpha3
Package v1alpha3 is the v1alpha3 version of the API.
apis/acme/v1beta1
Package v1beta1 is the v1beta1 version of the API.
apis/certmanager
Package certmanager is the internal version of the API.
apis/certmanager/v1
Package v1 is the v1 version of the API.
apis/certmanager/v1alpha2
Package v1alpha2 is the v1alpha2 version of the API.
apis/certmanager/v1alpha3
Package v1alpha3 is the v1alpha3 version of the API.
apis/certmanager/v1beta1
Package v1beta1 is the v1beta1 version of the API.
apis/experimental
Package experimental contains the group containing experimental APIs.
apis/meta
Package meta contains meta types for cert-manager APIs
apis/meta/v1
Package meta contains meta types for cert-manager APIs +k8s:deepcopy-gen=package +k8s:openapi-gen=true +k8s:defaulter-gen=TypeMeta +gencrdrefdocs:force +groupName=meta.cert-manager.io
client/clientset/versioned
This package has the automatically generated clientset.
client/clientset/versioned/fake
This package has the automatically generated fake clientset.
client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
client/clientset/versioned/typed/acme/v1
This package has the automatically generated typed clients.
client/clientset/versioned/typed/acme/v1/fake
Package fake has the automatically generated clients.
client/clientset/versioned/typed/acme/v1alpha2
This package has the automatically generated typed clients.
client/clientset/versioned/typed/acme/v1alpha2/fake
Package fake has the automatically generated clients.
client/clientset/versioned/typed/acme/v1alpha3
This package has the automatically generated typed clients.
client/clientset/versioned/typed/acme/v1alpha3/fake
Package fake has the automatically generated clients.
client/clientset/versioned/typed/acme/v1beta1
This package has the automatically generated typed clients.
client/clientset/versioned/typed/acme/v1beta1/fake
Package fake has the automatically generated clients.
client/clientset/versioned/typed/certmanager/v1
This package has the automatically generated typed clients.
client/clientset/versioned/typed/certmanager/v1/fake
Package fake has the automatically generated clients.
client/clientset/versioned/typed/certmanager/v1alpha2
This package has the automatically generated typed clients.
client/clientset/versioned/typed/certmanager/v1alpha2/fake
Package fake has the automatically generated clients.
client/clientset/versioned/typed/certmanager/v1alpha3
This package has the automatically generated typed clients.
client/clientset/versioned/typed/certmanager/v1alpha3/fake
Package fake has the automatically generated clients.
client/clientset/versioned/typed/certmanager/v1beta1
This package has the automatically generated typed clients.
client/clientset/versioned/typed/certmanager/v1beta1/fake
Package fake has the automatically generated clients.
controller/certificates/trigger/policies
Package policies provides functionality to evaluate Certificate's state
controller/test
Package test contains testing utilities used for constructing fake Contexts which can be used during tests.
ctl
issuer/acme/dns/acmedns
Package acmedns implements a DNS provider for solving DNS-01 challenges using Joohoi's acme-dns project.
issuer/acme/dns/azuredns
Package azuredns implements a DNS provider for solving the DNS-01 challenge using Azure DNS.
issuer/acme/dns/clouddns
Package clouddns implements a DNS provider for solving the DNS-01 challenge using Google Cloud DNS.
issuer/acme/dns/cloudflare
Package cloudflare implements a DNS provider for solving the DNS-01 challenge using cloudflare DNS.
issuer/acme/dns/digitalocean
Package digitalocean implements a DNS provider for solving the DNS-01 challenge using digitalocean DNS.
issuer/acme/dns/route53
Package route53 implements a DNS provider for solving the DNS-01 challenge using AWS Route 53 DNS.
metrics
Package metrics contains global structures related to metrics collection. cert-manager exposes the following metrics: certificate_expiration_timestamp_seconds{name, namespace}, certificate_ready_status{name, namespace, condition}, acme_client_request_count{"scheme", "host", "path", "method", "status"}, acme_client_request_duration_seconds{"scheme", "host", "path", "method", "status"}, controller_sync_call_count{"controller"}
util/coverage
Package coverage provides tools for coverage-instrumented binaries to collect and flush coverage information.
test
e2e
e2e/framework/addon/base
Package base implements a basis for plugins that need to use the Kubernetes API to build upon.
e2e/framework/addon/vault
package vault contains an addon that installs Vault
e2e/framework/util/errors
Package errors contains shared error types that tests and addons can depend upon to communicate information about why something has failed
e2e/suite/issuers/acme/dnsproviders
Package dnsproviders contains addons that create DNS provider credentials in the target test environment.
e2e/suite/issuers/venafi/addon
Package addon implements an addon for the Venafi platform.
e2e/suite/issuers/venafi/tpp
Package tpp implements tests for the Venafi TPP issuer
unit/coreclients
coreclients contains fakes for some of the types from k8s.io/client-go/kubernetes/typed/core/v1
unit/gen
package gen implements helper functions to construct API resource test fixtures.
tools