TazLab K8s: cert-manager Detail

Level 3 (Detail) — Certificate lifecycle, ClusterIssuers, and DNS01 integration.

Concept

cert-manager automates TLS certificate provisioning and renewal across the cluster. It is installed via HelmRelease, configured with two ClusterIssuers (production and staging), and integrates with Cloudflare for DNS01 challenges.

HelmRelease

File: infrastructure/operators/cert-manager/helmrelease.yaml

Field            Value
Chart            cert-manager
Version          v1.16.2
Repository       jetstack
Namespace        cert-manager
Install retries  3
installCRDs      true

ClusterIssuers

File: infrastructure/configs/cert-manager/issuer.yaml

tazlab-issuer (production)

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: tazlab-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@tazlab.net
    # The ACME spec requires a Secret to hold the account private key;
    # the name below is assumed, it does not come from the repo manifest.
    privateKeySecretRef:
      name: tazlab-issuer-account-key
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik

Uses the HTTP01 challenge served through the Traefik ingress class. All certificate resources reference this issuer.

letsencrypt-staging

Same configuration, but the server is https://acme-staging-v02.api.letsencrypt.org/directory. Used for testing so that failed attempts do not consume the production rate limits.

Cloudflare DNS01 (Legacy)

Although the primary issuer uses HTTP01, the Cloudflare API token is still provisioned for potential DNS01 use. Note that HTTP01 challenges cannot validate wildcard names; Let's Encrypt issues wildcard certificates only through DNS01, so the token is what makes that path available:

File: infrastructure/configs/cert-manager/cloudflare-external-secret.yaml

Creates Secret cloudflare-api-token in namespace cert-manager with key api-token, sourced from Vault path tazlab-k8s/static/infra/cloudflare-ddns/CLOUDFLARE_API_TOKEN. A ClusterIssuer resolves secret references in the cluster resource namespace (cert-manager by default), so this placement is the one a DNS01 solver needs.
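How the provisioned token would be wired into a DNS01 solver, as an added example rather than a manifest from the TazLab repo. The issuer name tazlab-issuer-dns01 and the account-key secret name are assumed; the Cloudflare secret name and key, the email, and the Traefik ingress class come from this page.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: tazlab-issuer-dns01        # assumed name, not in the repo
spec:
  acme:
    # Staging endpoint while validating; switch to acme-v02 once it works.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@tazlab.net
    privateKeySecretRef:
      name: tazlab-issuer-dns01-account-key   # assumed name
    solvers:
      # Wildcard names are only issuable via DNS01, so route them here.
      - selector:
          dnsNames:
            - "*.tazlab.net"
        dns01:
          cloudflare:
            # Secret created by cloudflare-external-secret.yaml; it must
            # live in the cluster resource namespace (cert-manager).
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
      # Everything else keeps the existing HTTP01 path through Traefik.
      - http01:
          ingress:
            ingressClassName: traefik
```

Solvers are matched in order by selector, so the unselected HTTP01 entry acts as the default for non-wildcard names. The Cloudflare token needs only Zone:Read and DNS:Edit on the zone, which keeps the blast radius small if the Secret is ever exposed.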

Certificate Workloads

Certificate            Namespace                                    DNS Names                  Issuer
blog-tazlab.net-tls    hugo-blog                                    tazlab.net, *.tazlab.net   tazlab-issuer
Wildcard TLS (via ESO) hugo-blog, hugo-wiki, dex, auth, ai-agents   *.tazlab.net               ExternalSecret (not cert-manager)

Note: The wildcard certificate *.tazlab.net is delivered via ExternalSecret from Vault (tazlab-secrets-vault, pre-issued), not through cert-manager. cert-manager handles per-service certificates and the ClusterIssuer infrastructure.

Bridge Integration

File: infrastructure/bridge/cluster-issuer.yaml

A duplicate of tazlab-issuer is present in infrastructure/bridge/. This is applied early (Level 1) so that certificate resources in apps can reference it immediately.

DAG Position

operators-core (Level 0, installs cert-manager)
→ bridge (Level 1, creates ClusterIssuer)
→ configs (Level 2, creates ExternalSecrets including Cloudflare token)
→ instances/apps (Level 3, creates Certificate resources)

See Also