TazLab K8s: cert-manager Detail
Level 3 (Detail) — Certificate lifecycle, ClusterIssuers, and DNS01 integration.
Concept
cert-manager automates TLS certificate provisioning and renewal across the cluster. It is installed via HelmRelease, configured with two ClusterIssuers (production and staging), and integrates with Cloudflare for DNS01 challenges.
HelmRelease
File: infrastructure/operators/cert-manager/helmrelease.yaml
| Field | Value |
|---|---|
| Chart | cert-manager |
| Version | v1.16.2 |
| Repository | jetstack |
| Namespace | cert-manager |
| Install retries | 3 |
| installCRDs | true |
ClusterIssuers
File: infrastructure/configs/cert-manager/issuer.yaml
tazlab-issuer (production)
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: tazlab-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@tazlab.net
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik
```
Uses HTTP01 challenge through Traefik ingress. All certificate resources reference this issuer.
letsencrypt-staging
Same configuration but uses https://acme-staging-v02.api.letsencrypt.org/directory. Used for testing, so that repeated or failing issuance attempts do not count against Let's Encrypt's production rate limits.
Cloudflare DNS01 (Legacy)
Although the primary issuer uses HTTP01, the Cloudflare API token is still provisioned for potential DNS01 use:
File: infrastructure/configs/cert-manager/cloudflare-external-secret.yaml
Creates Secret cloudflare-api-token in namespace cert-manager with key api-token, sourced from Vault path tazlab-k8s/static/infra/cloudflare-ddns/CLOUDFLARE_API_TOKEN.
Certificate Workloads
| Certificate | Namespace | DNS Names | Issuer |
|---|---|---|---|
| blog-tazlab.net-tls | hugo-blog | tazlab.net, *.tazlab.net | tazlab-issuer |
| Wildcard TLS (via ESO) | hugo-blog, hugo-wiki, dex, auth, ai-agents | *.tazlab.net | ExternalSecret (not cert-manager) |
Note: The wildcard certificate *.tazlab.net is delivered via ExternalSecret from Vault (tazlab-secrets-vault, pre-issued), not through cert-manager. cert-manager handles per-service certificates and the ClusterIssuer infrastructure.
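One check worth running over these manifests: Let's Encrypt issues wildcard names only through the DNS01 challenge, so a wildcard dnsName routed to an HTTP01-only issuer cannot be issued, and a staging issuer produces a chain browsers do not trust. The following is an added Python example, not code from the repository: it encodes the two ClusterIssuers above as dicts, adds a hypothetical tazlab-dns01 issuer wired to the cloudflare-api-token Secret, and assumes the spec of the blog-tazlab.net-tls Certificate from the table (only its names and issuer are listed on this page).

```python
# Added compatibility check for the ClusterIssuer/Certificate pairing on this
# page, not the repository's own tooling. Manifests are constructed inline from
# the page; the Certificate spec and the tazlab-dns01 issuer are assumptions.
STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"
HTTP01_TRAEFIK = {"http01": {"ingress": {"ingressClassName": "traefik"}}}

ISSUERS = {
    "tazlab-issuer": {"acme": {"server": PRODUCTION, "solvers": [HTTP01_TRAEFIK]}},
    "letsencrypt-staging": {"acme": {"server": STAGING, "solvers": [HTTP01_TRAEFIK]}},
    # Hypothetical DNS01 issuer wired to the cloudflare-api-token Secret described above.
    "tazlab-dns01": {"acme": {"server": PRODUCTION, "solvers": [{
        "dns01": {"cloudflare": {"apiTokenSecretRef": {
            "name": "cloudflare-api-token", "key": "api-token"}}},
        "selector": {"dnsZones": ["tazlab.net"]}}]}},
}

def solver_applies(solver: dict, name: str) -> bool:
    """No selector matches every name; dnsZones matches the apex and subdomains."""
    zones = solver.get("selector", {}).get("dnsZones")
    if not zones:
        return True
    bare = name[2:] if name.startswith("*.") else name
    return any(bare == z or bare.endswith("." + z) for z in zones)

def check_certificate(cert: dict, issuers: dict = ISSUERS) -> list:
    """Findings for one Certificate: Let's Encrypt issues wildcard names only via
    DNS01, so a wildcard routed to an HTTP01-only issuer never becomes Ready, and
    a staging issuer yields a chain that browsers do not trust."""
    spec = cert["spec"]
    ref = spec["issuerRef"]["name"]
    issuer = issuers.get(ref)
    if issuer is None:
        return [f"unknown issuer {ref!r}"]
    acme = issuer["acme"]
    findings = []
    if acme["server"] == STAGING:
        findings.append(f"{ref} is a Let's Encrypt staging issuer: chain untrusted by browsers")
    for name in spec["dnsNames"]:
        applicable = [s for s in acme["solvers"] if solver_applies(s, name)]
        if not applicable:
            findings.append(f"no solver in {ref} matches {name}")
        elif name.startswith("*.") and not any("dns01" in s for s in applicable):
            findings.append(f"wildcard {name} needs a dns01 solver; {ref} has none for it")
    return findings

# Constructed from the Certificate Workloads table above.
BLOG_CERT = {"metadata": {"name": "blog-tazlab.net-tls", "namespace": "hugo-blog"},
             "spec": {"dnsNames": ["tazlab.net", "*.tazlab.net"],
                      "issuerRef": {"name": "tazlab-issuer", "kind": "ClusterIssuer"}}}
```

Running `check_certificate(BLOG_CERT)` reports the wildcard name against the HTTP01-only tazlab-issuer, which is the case to verify before expecting that Certificate to become Ready.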
Bridge Integration
File: infrastructure/bridge/cluster-issuer.yaml
A duplicate of tazlab-issuer is present in infrastructure/bridge/. This is applied early (Level 1) so that certificate resources in apps can reference it immediately.
DAG Position
operators-core (Level 0, installs cert-manager)
→ bridge (Level 1, creates ClusterIssuer)
→ configs (Level 2, creates ExternalSecrets including Cloudflare token)
→ instances/apps (Level 3, creates Certificate resources)
See Also
- Parent topic: Operators Inventory
- Sibling details: Traefik Detail, External Secrets Detail
- Reference: ExternalSecret Example