This module installs the reliable and highly available cert-manager v0.10.1 release.
The installation process automatically takes into account cluster aspects:
- the component (webhook) that the kube-apiserver is accessing is installed on master nodes;
- if the webhook is unavailable, the apiservice is temporarily deleted so that the unavailability of cert-manager does not block regular cluster operation.
The module itself is updated automatically (including the migration of cert-manager resources).
Features of the cert-manager module (with the changes made)
The module has all the features of the original cert-manager, including:
- Provisioning certificates from all the supported CAs, such as Let’s Encrypt, HashiCorp Vault, Venafi;
- Issuing self-signed certificates;
- Keeping certificates up-to-date, reissuing them automatically, etc.
Changes to the original cert-manager were made so that the cm-acme-http-solver Pods could run on master and dedicated nodes.
The module can expose metrics in the Prometheus format, allowing you to monitor:
- certificate validity;
- correctness of the certificate reissue.
The module has several well-thought-out roles for managing resources:
- User – has read-only access to Certificate and Issuer resources in the permitted namespaces and to the global ClusterIssuers;
- Editor – manages Certificate and Issuer resources in the permitted namespaces;
- ClusterEditor – manages Certificate and Issuer resources in all namespaces;
- SuperAdmin – manages internal service objects.