README

cert-manager

cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources.

It periodically checks that certificates are valid and up to date, and attempts to renew them at an appropriate time before expiry.

It is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects e.g. kube-cert-manager.

cert-manager high level overview diagram

Current status

As this project is pre-1.0, we do not currently offer strong guarantees around our API stability.

Notably, we may choose to make breaking changes to our API specification (i.e. the Issuer, ClusterIssuer and Certificate resources) in new minor releases.

These will always be clearly documented in the upgrade section of the documentation.

Documentation

Documentation for cert-manager can be found at cert-manager.io. Please make sure to select the correct version of the documentation to view on the top right of the page.

For the common use-case of automatically issuing TLS certificates to Ingress resources, aka a kube-lego replacement, see the cert-manager nginx ingress quick start guide.

See Installation within the documentation for installation instructions.

Troubleshooting

If you encounter any issues whilst using cert-manager, we have a number of places you can use to try and get help.

The quickest way to ask a question is to first post on our Slack channel (#cert-manager) on the Kubernetes Slack. There are a lot of community members in this channel, and you can often get an answer to your question straight away!

You can also try searching for an existing issue. Properly searching for an existing issue will help reduce the number of duplicates, and help you find the answer you are looking for more quickly.

Please also make sure to read through the relevant pages in the documentation before opening an issue. You can also search the documentation using the search box on the top left of the page.

If you believe you have encountered a bug, and cannot find an existing issue similar to your own, you may open a new issue. Please be sure to include as much information as possible about your environment.

Community

There is a Google Group used for project wide announcements and development coordination. Anybody can join the group by visiting here and clicking "Join Group". A Google account is required to join the group.

Bi-weekly development meeting

Once you have become a member, you should receive an invite to the bi-weekly development meeting, hosted on Wednesdays at 5pm UK Time on Zoom.us.

Anyone is welcome to join these calls, even if just to ask questions.
Meeting notes are recorded in Google docs.

Daily standups

You are also welcome to join our daily standup every day at 10.30am UK Time on Google Meet. Invites are sent via the Google Group.

Contributing

We welcome pull requests with open arms! There's a lot of work to do here, and we're especially concerned with ensuring the longevity and reliability of the project.

Please take a look at our issue tracker if you are unsure where to start with getting involved!

We also use the #cert-manager channel on kubernetes.slack.com for chat relating to the project.

Developer documentation is available in the official documentation.

Changelog

The list of releases is the best place to look for information on changes between releases.

Logo design by Zoe Paterson

Directories

Path Synopsis
cmd/acmesolver
cmd/acmesolver/app
cmd/cainjector
cmd/cainjector/app
cmd/controller
cmd/controller/app
cmd/controller/app/options
cmd/ctl
cmd/ctl/cmd
cmd/ctl/pkg/convert
cmd/ctl/pkg/create
cmd/ctl/pkg/create/certificaterequest
cmd/ctl/pkg/renew
cmd/ctl/pkg/status
cmd/ctl/pkg/status/certificate
cmd/ctl/pkg/status/util
cmd/ctl/pkg/util
cmd/ctl/pkg/version
cmd/webhook
cmd/webhook/app
cmd/webhook/app/options
cmd/webhook/app/testing
devel/addon/samplewebhook/sample
hack/api-migration
hack/filter-crd
pkg/acme
pkg/acme/accounts
pkg/acme/accounts/test
pkg/acme/client
pkg/acme/client/middleware
pkg/acme/webhook
pkg/acme/webhook/apis/acme Package acme contains type definitions for ACME ChallengePayload resources
pkg/acme/webhook/apis/acme/v1alpha1 Package v1alpha1 is the v1alpha1 version of the API.
pkg/acme/webhook/apiserver
pkg/acme/webhook/cmd
pkg/acme/webhook/cmd/server
pkg/acme/webhook/registry/challengepayload
pkg/api
pkg/api/testing
pkg/api/util
pkg/apis
pkg/apis/acme Package acme contains types in the acme cert-manager API group
pkg/apis/acme/v1alpha2 Package v1alpha2 is the v1alpha2 version of the API.
pkg/apis/acme/v1alpha3 Package v1alpha3 is the v1alpha3 version of the API.
pkg/apis/acme/v1beta1 Package v1beta1 is the v1beta1 version of the API.
pkg/apis/certmanager Package certmanager is the internal version of the API.
pkg/apis/certmanager/v1alpha2 Package v1alpha2 is the v1alpha2 version of the API.
pkg/apis/certmanager/v1alpha3 Package v1alpha3 is the v1alpha3 version of the API.
pkg/apis/certmanager/v1beta1 Package v1beta1 is the v1beta1 version of the API.
pkg/apis/meta Package meta contains meta types for cert-manager APIs
pkg/apis/meta/v1 Package meta contains meta types for cert-manager APIs +k8s:deepcopy-gen=package +k8s:openapi-gen=true +k8s:defaulter-gen=TypeMeta +gencrdrefdocs:force +groupName=meta.cert-manager.io
pkg/client/clientset/versioned This package has the automatically generated clientset.
pkg/client/clientset/versioned/fake This package has the automatically generated fake clientset.
pkg/client/clientset/versioned/scheme This package contains the scheme of the automatically generated clientset.
pkg/client/clientset/versioned/typed/acme/v1alpha2 This package has the automatically generated typed clients.
pkg/client/clientset/versioned/typed/acme/v1alpha2/fake Package fake has the automatically generated clients.
pkg/client/clientset/versioned/typed/acme/v1alpha3 This package has the automatically generated typed clients.
pkg/client/clientset/versioned/typed/acme/v1alpha3/fake Package fake has the automatically generated clients.
pkg/client/clientset/versioned/typed/acme/v1beta1 This package has the automatically generated typed clients.
pkg/client/clientset/versioned/typed/acme/v1beta1/fake Package fake has the automatically generated clients.
pkg/client/clientset/versioned/typed/certmanager/v1alpha2 This package has the automatically generated typed clients.
pkg/client/clientset/versioned/typed/certmanager/v1alpha2/fake Package fake has the automatically generated clients.
pkg/client/clientset/versioned/typed/certmanager/v1alpha3 This package has the automatically generated typed clients.
pkg/client/clientset/versioned/typed/certmanager/v1alpha3/fake Package fake has the automatically generated clients.
pkg/client/clientset/versioned/typed/certmanager/v1beta1 This package has the automatically generated typed clients.
pkg/client/clientset/versioned/typed/certmanager/v1beta1/fake Package fake has the automatically generated clients.
pkg/client/informers/externalversions
pkg/client/informers/externalversions/acme
pkg/client/informers/externalversions/acme/v1alpha2
pkg/client/informers/externalversions/acme/v1alpha3
pkg/client/informers/externalversions/acme/v1beta1
pkg/client/informers/externalversions/certmanager
pkg/client/informers/externalversions/certmanager/v1alpha2
pkg/client/informers/externalversions/certmanager/v1alpha3
pkg/client/informers/externalversions/certmanager/v1beta1
pkg/client/informers/externalversions/internalinterfaces
pkg/client/listers/acme/v1alpha2
pkg/client/listers/acme/v1alpha3
pkg/client/listers/acme/v1beta1
pkg/client/listers/certmanager/v1alpha2
pkg/client/listers/certmanager/v1alpha3
pkg/client/listers/certmanager/v1beta1
pkg/controller
pkg/controller/acmechallenges
pkg/controller/acmechallenges/scheduler
pkg/controller/acmeorders
pkg/controller/acmeorders/selectors
pkg/controller/cainjector
pkg/controller/certificaterequests
pkg/controller/certificaterequests/acme
pkg/controller/certificaterequests/ca
pkg/controller/certificaterequests/fake
pkg/controller/certificaterequests/selfsigned
pkg/controller/certificaterequests/util
pkg/controller/certificaterequests/vault
pkg/controller/certificaterequests/venafi
pkg/controller/certificates
pkg/controller/certificates/internal/secretsmanager
pkg/controller/certificates/internal/test
pkg/controller/certificates/issuing
pkg/controller/certificates/keymanager
pkg/controller/certificates/metrics
pkg/controller/certificates/readiness
pkg/controller/certificates/requestmanager
pkg/controller/certificates/trigger
pkg/controller/certificates/trigger/policies
pkg/controller/clusterissuers
pkg/controller/ingress-shim
pkg/controller/issuers
pkg/controller/test Package test contains testing utilities used for constructing fake Contexts which can be used during tests.
pkg/ctl This package was created to have a scheme that has the internal cert-manager types, and their conversion functions as well as the List object type registered, which is needed for ctl command like `convert` or `create certificaterequest`.
pkg/feature
pkg/internal/api/validation Package validation allows a caller to automatically register, lookup and call API validation functions.
pkg/internal/apis/acme Package acme is the internal version of the API.
pkg/internal/apis/acme/fuzzer
pkg/internal/apis/acme/install Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
pkg/internal/apis/acme/v1alpha2 +groupName=acme.cert-manager.io
pkg/internal/apis/acme/v1alpha3 +groupName=acme.cert-manager.io
pkg/internal/apis/acme/v1beta1 +groupName=acme.cert-manager.io
pkg/internal/apis/acme/validation
pkg/internal/apis/certmanager Package certmanager is the internal version of the API.
pkg/internal/apis/certmanager/fuzzer
pkg/internal/apis/certmanager/install Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
pkg/internal/apis/certmanager/v1alpha2 +groupName=cert-manager.io
pkg/internal/apis/certmanager/v1alpha3 +groupName=cert-manager.io
pkg/internal/apis/certmanager/v1beta1 +groupName=cert-manager.io
pkg/internal/apis/certmanager/validation
pkg/internal/apis/certmanager/validation/util
pkg/internal/apis/meta Package meta is the internal version of the API.
pkg/internal/apis/meta/fuzzer
pkg/internal/apis/meta/install Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
pkg/internal/apis/meta/v1 +groupName=meta.cert-manager.io
pkg/internal/vault
pkg/internal/vault/fake
pkg/issuer
pkg/issuer/acme
pkg/issuer/acme/dns
pkg/issuer/acme/dns/acmedns Package acmedns implements a DNS provider for solving DNS-01 challenges using Joohoi's acme-dns project.
pkg/issuer/acme/dns/akamai Package akamai implements a DNS provider for solving the DNS-01 challenge using Akamai FastDNS.
pkg/issuer/acme/dns/azuredns Package azuredns implements a DNS provider for solving the DNS-01 challenge using Azure DNS.
pkg/issuer/acme/dns/clouddns Package clouddns implements a DNS provider for solving the DNS-01 challenge using Google Cloud DNS.
pkg/issuer/acme/dns/cloudflare Package cloudflare implements a DNS provider for solving the DNS-01 challenge using cloudflare DNS.
pkg/issuer/acme/dns/digitalocean Package digitalocean implements a DNS provider for solving the DNS-01 challenge using digitalocean DNS.
pkg/issuer/acme/dns/rfc2136
pkg/issuer/acme/dns/route53 Package route53 implements a DNS provider for solving the DNS-01 challenge using AWS Route 53 DNS.
pkg/issuer/acme/dns/util
pkg/issuer/acme/dns/webhook
pkg/issuer/acme/http
pkg/issuer/acme/http/solver
pkg/issuer/ca
pkg/issuer/fake
pkg/issuer/selfsigned
pkg/issuer/vault
pkg/issuer/venafi
pkg/issuer/venafi/client
pkg/issuer/venafi/client/api
pkg/issuer/venafi/client/fake
pkg/logs
pkg/logs/testing
pkg/metrics Package metrics contains global structures related to metrics collection. cert-manager exposes the following metrics: certificate_expiration_timestamp_seconds{name, namespace}; certificate_ready_status{name, namespace, condition}; acme_client_request_count{"scheme", "host", "path", "method", "status"}; acme_client_request_duration_seconds{"scheme", "host", "path", "method", "status"}; controller_sync_call_count{"controller"}
pkg/scheduler
pkg/util
pkg/util/cmd
pkg/util/coverage Package coverage provides tools for coverage-instrumented binaries to collect and flush coverage information.
pkg/util/errors
pkg/util/feature
pkg/util/kube
pkg/util/pki
pkg/util/predicate
pkg/util/profiling
pkg/webhook
pkg/webhook/authority
pkg/webhook/handlers
pkg/webhook/server
pkg/webhook/server/tls
test/acme/dns
test/acme/dns/server
test/e2e
test/e2e/bin/cloudflare-clean
test/e2e/framework
test/e2e/framework/addon
test/e2e/framework/addon/base Package base implements a basis for plugins that need to use the Kubernetes API to build upon.
test/e2e/framework/addon/chart
test/e2e/framework/addon/vault package vault contains an addon that installs Vault
test/e2e/framework/config
test/e2e/framework/helper
test/e2e/framework/log
test/e2e/framework/matcher
test/e2e/framework/util
test/e2e/framework/util/errors Package errors contains shared error types that tests and addons can depend upon to communicate information about why something has failed
test/e2e/suite
test/e2e/suite/conformance
test/e2e/suite/conformance/certificates
test/e2e/suite/conformance/certificates/acme
test/e2e/suite/conformance/certificates/ca
test/e2e/suite/conformance/certificates/selfsigned
test/e2e/suite/conformance/certificates/vault
test/e2e/suite/conformance/certificates/venafi
test/e2e/suite/conformance/rbac
test/e2e/suite/issuers
test/e2e/suite/issuers/acme
test/e2e/suite/issuers/acme/certificate
test/e2e/suite/issuers/acme/certificaterequest
test/e2e/suite/issuers/acme/dnsproviders Package dnsproviders contains addons that create DNS provider credentials in the target test environment.
test/e2e/suite/issuers/ca
test/e2e/suite/issuers/selfsigned
test/e2e/suite/issuers/vault
test/e2e/suite/issuers/vault/certificate
test/e2e/suite/issuers/vault/certificaterequest
test/e2e/suite/issuers/venafi
test/e2e/suite/issuers/venafi/addon Package addon implements an addon for the Venafi platform.
test/e2e/suite/issuers/venafi/tpp Package tpp implements tests for the Venafi TPP issuer
test/e2e/suite/serving
test/e2e/util
test/integration/framework
test/unit/gen package gen implements helper functions to construct API resource test fixtures.
test/unit/listers
tools/cobra