Annotations
You can generally tune Certificate requests by adding annotations to Ingress and Gateway resources.
acme.cert-manager.io/http01-edit-in-place
this controls whether the ingress is modified 'in-place', or a new one is created
specifically for the HTTP01 challenge. If present, and set to "true", the existing
ingress will be modified. Any other value, or the absence of the annotation assumes
"false".
This annotation will also add the annotation
"cert-manager.io/issue-temporary-certificate": "true" onto created certificates,
which will cause a temporary certificate to be set on the resulting Secret until
the final signed certificate has been returned.
This is useful for keeping compatibility with the ingress-gce component.
acme.cert-manager.io/http01-ingress-class
this annotation allows you to configure the ingress class that will be used to
solve challenges for this ingress. Customizing this is useful when you are
trying to secure internal services, and need to solve challenges using a
different ingress class to that of the ingress. If not specified and the
acme-http01-edit-in-place annotation is not set, this defaults to the ingress
class defined in the Issuer resource.
cert-manager.io/allow-direct-injection (on a Secret)
allows the cainjector to inject secret CA certificate contents into other objects that have cert-manager.io/inject-ca-from-secret.
cert-manager.io/alt-names
this annotation allows you to configure spec.dnsNames field for
the Certificate to be generated.
Supports comma-separated values e.g. "example.com,example.org"
cert-manager.io/certificate-name
name of the related certificate.
cert-manager.io/certificate-revision
the iteration of the certificate request.
cert-manager.io/cluster-issuer
the name of a cert-manager.io ClusterIssuer that should issue the required certificate.
cert-manager.io/common-name
this annotation allows you to configure spec.commonName for the Certificate
to be generated.
cert-manager.io/duration
this annotation allows you to configure spec.duration field for the
Certificate to be generated.
cert-manager.io/email-sans
this annotation allows you to configure spec.emailAddresses field for
the Certificate to be generated.
Supports comma-separated values e.g. "me@example.com,you@example.com"
cert-manager.io/ip-sans
this annotation allows you to configure spec.ipAddresses field for
the Certificate to be generated.
Supports comma-separated values e.g. "198.51.100.1,198.51.100.2"
cert-manager.io/issuer-group
the API group of the external issuer controller, for example
awspca.cert-manager.io. This is only necessary for out-of-tree issuers.
cert-manager.io/issuer-kind
the kind of the external issuer resource, for example AWSPCAIssuer. This
is only necessary for out-of-tree issuers.
cert-manager.io/issuer-name
the name of a cert-manager.io Issuer that should issue the required certificate.
cert-manager.io/issuer
the name of the issuer that should issue the required certificate.
cert-manager.io/issue-temporary-certificate
causes a temporary certificate to be set on the resulting Secret until the final
signed certificate has been returned.
This is useful for keeping compatibility with the ingress-gce component.
cert-manager.io/inject-apiserver-ca
causes the cainjector to inject the CA certificate for the Kubernetes apiserver into the resource.
cert-manager.io/inject-ca-from
causes the cainjector to inject the CA certificate of a cert-manager Certificate resource into the resource.
cert-manager.io/inject-ca-from-secret
causes the cainjector to inject a CA certificate from a Secret into the resource.
cert-manager.io/private-key-algorithm
this annotation allows you to configure spec.privateKey.algorithm field to set
the algorithm for private key generation for a Certificate.
Valid values are RSA, ECDSA and Ed25519. If unset, RSA will be used.
cert-manager.io/private-key-encoding
this annotation allows you to configure spec.privateKey.encoding field to set
the encoding for private key generation for a Certificate.
Valid values are PKCS1 and PKCS8. If unset, PKCS1 will be used.
cert-manager.io/private-key-rotation-policy
this annotation allows you to configure spec.privateKey.rotationPolicy field
to set the rotation policy of the private key for a Certificate.
Valid values are Never and Always. If unset, Never will be used.
cert-manager.io/private-key-secret-name
references the Secret that stores the private key used to sign an X.509 certificate signing request.
cert-manager.io/private-key-size
this annotation allows you to configure spec.privateKey.size field to set the
size of the private key for a Certificate.
If algorithm is set to RSA, valid values are 2048, 4096 or 8192, and
will default to 2048 if not specified.
If algorithm is set to ECDSA, valid values are 256, 384 or 521, and
will default to 256 if not specified.
If algorithm is set to Ed25519, size is ignored.
cert-manager.io/renew-before
this annotation allows you to configure spec.renewBefore field for the
Certificate to be generated.
cert-manager.io/renew-before-percentage
this annotation allows you to configure spec.renewBeforePercentage field for the
Certificate to be generated.
cert-manager.io/revision-history-limit
this annotation allows you to configure spec.revisionHistoryLimit field to
limit the number of CertificateRequests to be kept for a Certificate.
Minimum value is 1. If unset all CertificateRequests will be kept.
cert-manager.io/secret-template
this annotation allows you to set the secretTemplate field in the generated Certificate.
cert-manager.io/subject-countries
this annotation allows you to configure spec.subject.countries field for the
Certificate to be generated.
Supports comma-separated values e.g. "Country 1,Country 2"
cert-manager.io/subject-localities
this annotation allows you to configure spec.subject.localities field for the
Certificate to be generated.
Supports comma-separated values e.g. "City 1,City 2"
cert-manager.io/subject-organizationalunits
this annotation allows you to configure spec.subject.organizationalUnits field
for the Certificate to be generated.
Supports comma-separated values e.g. "IT Services,Cloud Services"
cert-manager.io/subject-organizations
this annotation allows you to configure spec.subject.organizations field for
the Certificate to be generated.
Supports comma-separated values e.g. "Company 1,Company 2"
cert-manager.io/subject-postalcodes
this annotation allows you to configure spec.subject.postalCodes field for
the Certificate to be generated.
Supports comma-separated values e.g. "123ABC,456DEF"
cert-manager.io/subject-provinces
this annotation allows you to
configure spec.subject.provinces field for the Certificate to be generated.
Supports comma-separated values e.g. "Province 1,Province 2"
cert-manager.io/subject-serialnumber
this annotation allows you to
configure spec.subject.serialNumber field for the Certificate to be
generated.
Supports comma-separated values e.g. "10978342379280287615,1111144445555522228888"
cert-manager.io/subject-streetaddresses
this annotation allows you to
configure spec.subject.streetAddresses field for the Certificate to be
generated.
Supports comma-separated values e.g. "123 Example St,456 Other Blvd"
cert-manager.io/uri-sans
this annotation allows you to configure spec.uris field for
the Certificate to be generated.
Supports comma-separated values e.g. "spiffe://cluster.local/ns/sandbox/sa/example"
cert-manager.io/usages
this annotation allows you to configure spec.usages field for the Certificate
to be generated. Pass a string with comma-separated values, e.g.
"key agreement,digital signature, server auth".
experimental.cert-manager.io/request-duration
annotation used to request a particular duration.
experimental.cert-manager.io/request-is-ca
annotation used to request a certificate be marked as CA.
experimental.cert-manager.io/private-key-secret-name
annotation key used by the 'self signing' issuer type, when self-signing certificates, to reference a Secret resource containing the private key used to sign the request.
kubernetes.io/ingress.class
deprecated. You should use spec.ingressClassName instead.
kubernetes.io/tls-acme
this annotation requires additional configuration of the
ingress-shim.
Namely, a default Issuer must be specified as arguments to the ingress-shim
container.
venafi.cert-manager.io/custom-fields
pass JSON encoded custom fields to the CyberArk issuer.
venafi.cert-manager.io/pickup-id
records the Pickup ID of a certificate signing request in CyberArk Certificate Manager.
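As an added example that is not part of the cert-manager documentation, the following Ingress carries several of the annotations listed above, followed by the Certificate that ingress-shim derives from it; the names web, shop, nginx, letsencrypt-prod and example-com-tls are assumptions.

```yaml
# Added example (not cert-manager's own docs or code): an Ingress carrying several of
# the annotations listed above. Names (web, shop, letsencrypt-prod) are assumptions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: shop
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    cert-manager.io/common-name: example.com
    cert-manager.io/private-key-algorithm: ECDSA
    cert-manager.io/private-key-size: "384"   # annotation values are strings
    cert-manager.io/private-key-rotation-policy: Always
    cert-manager.io/duration: 2160h
    cert-manager.io/renew-before: 360h
    cert-manager.io/usages: "digital signature,server auth"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [example.com, www.example.com]
      secretName: example-com-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: web, port: {number: 80}}
---
# Certificate ingress-shim derives from the Ingress above (dnsNames from spec.tls.hosts).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-tls
  namespace: shop
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: example.com
  dnsNames: [example.com, www.example.com]
  privateKey:
    algorithm: ECDSA
    size: 384
    rotationPolicy: Always
  duration: 2160h
  renewBefore: 360h
  usages: ["digital signature", "server auth"]
```

Because the annotations are string-valued, a size that is invalid for the chosen algorithm (for example "2048" with ECDSA) is rejected when the Certificate is created, so check the Certificate's status conditions after applying the Ingress.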