README
¶
cert-manager
cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.
It supports issuing certificates from a variety of sources, including Let's Encrypt (ACME), HashiCorp Vault, and Venafi TPP / TLS Protect Cloud, as well as local in-cluster issuance.
cert-manager also ensures certificates remain valid and up to date, attempting to renew certificates at an appropriate time before expiry to reduce the risk of outages and remove toil.
Documentation
Documentation for cert-manager can be found at cert-manager.io.
For the common use-case of automatically issuing TLS certificates for Ingress resources, see the cert-manager nginx-ingress quick start guide.
For a more comprehensive guide to issuing your first certificate, see our getting started guide.
Installation
Installation is documented on the website, with a variety of supported methods.
Developing cert-manager
We actively welcome contributions and we support both Linux and macOS environments for development.
Different platforms have different requirements; we document everything on our Building cert-manager website page.
Note in particular that macOS has several extra requirements, to ensure that modern tools are installed and available. Read the page before getting started!
Troubleshooting
If you encounter any issues whilst using cert-manager, we have a number of ways to get help:
- A troubleshooting guide on our website.
- Our official Kubernetes Slack channel - the quickest way to ask! (#cert-manager and #cert-manager-dev)
- Searching for an existing issue.
If you believe you've found a bug and cannot find an existing issue, feel free to open a new issue! Be sure to include as much information as you can about your environment.
Community
The cert-manager-dev Google Group is used for project wide announcements and development coordination.
Anybody can join the group by visiting here
and clicking "Join Group". A Google account is required to join the group.
Meetings
We have several public meetings which any member of our Google Group is more than welcome to join!
Check out the details on our website. Feel free to drop in and ask questions, chat with us or just to say hi!
Contributing
We welcome pull requests with open arms! There's a lot of work to do here, and we're especially concerned with ensuring the longevity and reliability of the project. The contributing guide will help you get started.
Coding Conventions
Code style guidelines are documented on the coding conventions page of the cert-manager website. Please try to follow those guidelines if you're submitting a pull request for cert-manager.
Importing cert-manager as a Module
⚠️ Please note that cert-manager does not currently provide a Go module compatibility guarantee. That means that
most code under pkg/ is subject to change in a breaking way, even between minor or patch releases and even if
the code is currently publicly exported.
The lack of a Go module compatibility guarantee does not affect API version guarantees under the Kubernetes Deprecation Policy.
For more details see Importing cert-manager in Go on the cert-manager website.
The import path for cert-manager versions 1.8 and later is github.com/cert-manager/cert-manager.
For all versions of cert-manager before 1.8, including minor and patch releases, the import path is github.com/jetstack/cert-manager.
Security Reporting
Security is the number one priority for cert-manager. If you think you've found a security vulnerability, we'd love to hear from you.
Follow the instructions in SECURITY.md to make a report.
Changelog
Every release on GitHub has a changelog, and we also publish release notes on the website.
History
cert-manager is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects such as kube-cert-manager.
Logo design by Zoe Paterson
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
ctl
Module
|
|
|
hack
|
|
|
internal
|
|
|
apis/acme
Package acme is the internal version of the API.
|
Package acme is the internal version of the API. |
|
apis/acme/install
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
|
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery. |
|
apis/acme/v1
+groupName=acme.cert-manager.io
|
+groupName=acme.cert-manager.io |
|
apis/acme/v1alpha2
+groupName=acme.cert-manager.io
|
+groupName=acme.cert-manager.io |
|
apis/acme/v1alpha3
+groupName=acme.cert-manager.io
|
+groupName=acme.cert-manager.io |
|
apis/acme/v1beta1
+groupName=acme.cert-manager.io
|
+groupName=acme.cert-manager.io |
|
apis/certmanager
Package certmanager is the internal version of the API.
|
Package certmanager is the internal version of the API. |
|
apis/certmanager/install
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
|
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery. |
|
apis/certmanager/v1
+groupName=cert-manager.io
|
+groupName=cert-manager.io |
|
apis/certmanager/v1alpha2
+groupName=cert-manager.io
|
+groupName=cert-manager.io |
|
apis/certmanager/v1alpha3
+groupName=cert-manager.io
|
+groupName=cert-manager.io |
|
apis/certmanager/v1beta1
+groupName=cert-manager.io
|
+groupName=cert-manager.io |
|
apis/config/cainjector
Package cainjector is the internal version of the cainjector config API.
|
Package cainjector is the internal version of the cainjector config API. |
|
apis/config/cainjector/install
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
|
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery. |
|
apis/config/cainjector/v1alpha1
+groupName=cainjector.config.cert-manager.io
|
+groupName=cainjector.config.cert-manager.io |
|
apis/config/controller
Package controller is the internal version of the controller config API.
|
Package controller is the internal version of the controller config API. |
|
apis/config/controller/install
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
|
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery. |
|
apis/config/controller/v1alpha1
+groupName=controller.config.cert-manager.io
|
+groupName=controller.config.cert-manager.io |
|
apis/config/shared
Package shared contains shared types for the cert-manager configuration API
|
Package shared contains shared types for the cert-manager configuration API |
|
apis/config/webhook
Package webhook is the internal version of the webhook config API.
|
Package webhook is the internal version of the webhook config API. |
|
apis/config/webhook/install
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
|
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery. |
|
apis/config/webhook/v1alpha1
+groupName=webhook.config.cert-manager.io
|
+groupName=webhook.config.cert-manager.io |
|
apis/meta
Package meta is the internal version of the API.
|
Package meta is the internal version of the API. |
|
apis/meta/install
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
|
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery. |
|
apis/meta/v1
+groupName=meta.cert-manager.io
|
+groupName=meta.cert-manager.io |
|
cainjector/feature
feature contains cainjector feature gate setup code.
|
feature contains cainjector feature gate setup code. |
|
controller/certificates/policies
Package policies provides functionality to evaluate Certificate's state
|
Package policies provides functionality to evaluate Certificate's state |
|
controller/feature
feature contains controller's feature gate setup functionality.
|
feature contains controller's feature gate setup functionality. |
|
vault/fake
Package fake contains a fake Vault signer for use in tests
|
Package fake contains a fake Vault signer for use in tests |
|
webhook/feature
feature contains webhook's feature gate setup functionality.
|
feature contains webhook's feature gate setup functionality. |
|
make
|
|
|
pkg
|
|
|
acme/webhook
Package webhook provides a library that can be used to build external ACME solver webhooks.
|
Package webhook provides a library that can be used to build external ACME solver webhooks. |
|
acme/webhook/apis/acme
Package acme contains type definitions for ACME ChallengePayload resources
|
Package acme contains type definitions for ACME ChallengePayload resources |
|
acme/webhook/apis/acme/v1alpha1
Package v1alpha1 is the v1alpha1 version of the API.
|
Package v1alpha1 is the v1alpha1 version of the API. |
|
apis/acme
Package acme contains types in the acme cert-manager API group
|
Package acme contains types in the acme cert-manager API group |
|
apis/acme/v1
Package v1 is the v1 version of the API.
|
Package v1 is the v1 version of the API. |
|
apis/certmanager
Package certmanager is the internal version of the API.
|
Package certmanager is the internal version of the API. |
|
apis/certmanager/v1
Package v1 is the v1 version of the API.
|
Package v1 is the v1 version of the API. |
|
apis/config/cainjector
Package cainjector contains types used to configure the cainjector
|
Package cainjector contains types used to configure the cainjector |
|
apis/config/cainjector/v1alpha1
Package v1alpha1 is the v1alpha1 version of the cainjector config API.
|
Package v1alpha1 is the v1alpha1 version of the cainjector config API. |
|
apis/config/controller
Package controller contains types used to configure the controller
|
Package controller contains types used to configure the controller |
|
apis/config/controller/v1alpha1
Package v1alpha1 is the v1alpha1 version of the controller config API.
|
Package v1alpha1 is the v1alpha1 version of the controller config API. |
|
apis/config/shared
Package shared contains shared types for the cert-manager configuration API
|
Package shared contains shared types for the cert-manager configuration API |
|
apis/config/shared/v1alpha1
+k8s:deepcopy-gen=package,register
|
+k8s:deepcopy-gen=package,register |
|
apis/config/webhook
Package webhook contains types used to configure the webhook
|
Package webhook contains types used to configure the webhook |
|
apis/config/webhook/v1alpha1
Package v1alpha1 is the v1alpha1 version of the webhook config API.
|
Package v1alpha1 is the v1alpha1 version of the webhook config API. |
|
apis/experimental
Package experimental contains the group containing experimental APIs.
|
Package experimental contains the group containing experimental APIs. |
|
apis/meta
Package meta contains meta types for cert-manager APIs
|
Package meta contains meta types for cert-manager APIs |
|
apis/meta/v1
Package v1 contains meta types for cert-manager APIs +k8s:deepcopy-gen=package +gencrdrefdocs:force +groupName=meta.cert-manager.io
|
Package v1 contains meta types for cert-manager APIs +k8s:deepcopy-gen=package +gencrdrefdocs:force +groupName=meta.cert-manager.io |
|
client/clientset/versioned/fake
This package has the automatically generated fake clientset.
|
This package has the automatically generated fake clientset. |
|
client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
|
This package contains the scheme of the automatically generated clientset. |
|
client/clientset/versioned/typed/acme/v1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
client/clientset/versioned/typed/acme/v1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |
|
client/clientset/versioned/typed/certmanager/v1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
client/clientset/versioned/typed/certmanager/v1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |
|
controller/test
Package test contains testing utilities used for constructing fake Contexts which can be used during tests.
|
Package test contains testing utilities used for constructing fake Contexts which can be used during tests. |
|
issuer/acme/dns/acmedns
Package acmedns implements a DNS provider for solving DNS-01 challenges using Joohoi's acme-dns project.
|
Package acmedns implements a DNS provider for solving DNS-01 challenges using Joohoi's acme-dns project. |
|
issuer/acme/dns/akamai
Package akamai implements a DNS provider for solving the DNS-01 challenge using Akamai Edge DNS.
|
Package akamai implements a DNS provider for solving the DNS-01 challenge using Akamai Edge DNS. |
|
issuer/acme/dns/azuredns
Package azuredns implements a DNS provider for solving the DNS-01 challenge using Azure DNS.
|
Package azuredns implements a DNS provider for solving the DNS-01 challenge using Azure DNS. |
|
issuer/acme/dns/clouddns
Package clouddns implements a DNS provider for solving the DNS-01 challenge using Google Cloud DNS.
|
Package clouddns implements a DNS provider for solving the DNS-01 challenge using Google Cloud DNS. |
|
issuer/acme/dns/cloudflare
Package cloudflare implements a DNS provider for solving the DNS-01 challenge using cloudflare DNS.
|
Package cloudflare implements a DNS provider for solving the DNS-01 challenge using cloudflare DNS. |
|
issuer/acme/dns/digitalocean
Package digitalocean implements a DNS provider for solving the DNS-01 challenge using digitalocean DNS.
|
Package digitalocean implements a DNS provider for solving the DNS-01 challenge using digitalocean DNS. |
|
issuer/acme/dns/route53
Package route53 implements a DNS provider for solving the DNS-01 challenge using AWS Route 53 DNS.
|
Package route53 implements a DNS provider for solving the DNS-01 challenge using AWS Route 53 DNS. |
|
metrics
Package metrics contains global structures related to metrics collection cert-manager exposes the following metrics: certificate_expiration_timestamp_seconds{name, namespace, issuer_name, issuer_kind, issuer_group} certificate_renewal_timestamp_seconds{name, namespace, issuer_name, issuer_kind, issuer_group} certificate_ready_status{name, namespace, condition, issuer_name, issuer_kind, issuer_group} acme_client_request_count{"scheme", "host", "path", "method", "status"} acme_client_request_duration_seconds{"scheme", "host", "path", "method", "status"} venafi_client_request_duration_seconds{"scheme", "host", "path", "method", "status"} controller_sync_call_count{"controller"}
|
Package metrics contains global structures related to metrics collection cert-manager exposes the following metrics: certificate_expiration_timestamp_seconds{name, namespace, issuer_name, issuer_kind, issuer_group} certificate_renewal_timestamp_seconds{name, namespace, issuer_name, issuer_kind, issuer_group} certificate_ready_status{name, namespace, condition, issuer_name, issuer_kind, issuer_group} acme_client_request_count{"scheme", "host", "path", "method", "status"} acme_client_request_duration_seconds{"scheme", "host", "path", "method", "status"} venafi_client_request_duration_seconds{"scheme", "host", "path", "method", "status"} controller_sync_call_count{"controller"} |
|
util/pki
This file contains some code copied from the Go standard library under the following license: https://github.com/golang/go/blob/c95fe91d0715dc0a8d55ac80a80f383c3635548b/LICENSE
|
This file contains some code copied from the Go standard library under the following license: https://github.com/golang/go/blob/c95fe91d0715dc0a8d55ac80a80f383c3635548b/LICENSE |
|
test
|
|
|
acme
package dns contains a framework for testing ACME DNS solver implementations.
|
package dns contains a framework for testing ACME DNS solver implementations. |
|
apiserver
package apiserver contains functionality to set up a Kubernetes control plane for tests.
|
package apiserver contains functionality to set up a Kubernetes control plane for tests. |
|
unit/coreclients
coreclients contains fakes for some of the types from k8s.io/client-go/kubernetes/typed/core/v1
|
coreclients contains fakes for some of the types from k8s.io/client-go/kubernetes/typed/core/v1 |
|
unit/gen
package gen implements helper functions to construct API resource test fixtures.
|
package gen implements helper functions to construct API resource test fixtures. |