Gardener Extension for certificate services

Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Its main principle is to leverage Kubernetes concepts for all of its tasks.

Recently, most of the vendor specific logic has been developed in-tree. However, the project has grown to a size where it is very hard to extend, maintain, and test. With GEP-1 we have proposed how the architecture can be changed in a way to support external controllers that contain their very own vendor specifics. This way, we can keep Gardener core clean and independent.


Certificate services for Shoot clusters are provided by the composition of two components:


Example configuration which is reconciled by this extension controller:

apiVersion: certificate-service.extensions.config.gardener.cloud/v1alpha1
kind: Configuration
  name: certificate-service
  namespace: default
  issuerName: lets-encrypt
  namespaceRef: default
  resourceNamespace: garden
    email: john.doe@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    - name: clouddns-prod
      - example.io
      project: project_id
      serviceAccount: |
        "type": "service_account",
        "project_id": "demo-project"
    - name: route53-prod
      - example.org
      region: us-east-1
      accessKeyID: your-accessKeyID
      secretAccessKey: your-secretAccessKey

The extension controller will create an instance of Cert-Manager as well as a ClusterIsser with the information provided above. (Cert-Manager is responsible for managing certificate requests / renewals within the Seed cluster for configured Shoot domains)


Besides the configuration, operations also happen on Extension resources in the extensions.gardener.cloud/v1alpha1 API group of type .spec.type=certificate-service:

apiVersion: extensions.gardener.cloud/v1alpha1
kind: Extension
  name: "extension-certificate-service"
  namespace: shoot--project--abc
  type: certificate-service

During reconciliation an instance of Cert-Broker is created in the very same namespace the Extension resource belongs to (Shoot namespace). Cert-Broker relays certificate requests from the Shoot cluster to the Cert-Manager in the Seed and puts back generated certificates. Events are propagated as well.

For security reasons each Shoot cluster must be restricted to only order certificates for domains it owns. The owning domain is extracted from the respective Cluster resource.

Kubeconfig for Shoot clusters

  • cert-broker: Created with the ca secret from the Shoot's namespace in the Seed. This Kubeconfig is required by Cert-Broker to watch Ingress objects, create Secrets and Events.

  • gardener: Used to apply RBAC manifests for Cert-Broker to the Shoot cluster. The gardener secret is already provided by the Gardener-Controller-Manager.

Please find more information regarding the extensibility concepts and a detailed proposal here.

How to start using or developing this extension controller locally

You can run the controller locally on your machine by executing make start-certificate-service.

Please make sure:

  • $KUBECONFIG env is set accordingly.
  • Extension CRD + Cluster CRD are applied.
  • ca and gardener secrets for the Shoot cluster exists.
  • Configuration is in place.

Static code checks and tests can be executed by running VERIFY=true make all. We are using dep for Golang package dependency management and Ginkgo/Gomega for testing.

Feedback and Support

Feedback and contributions are always welcome. Please report bugs or suggestions as GitHub issues or join our Slack channel #gardener (please invite yourself to the Kubernetes workspace here).

Learn more!

Please find further resources about out project here:


