cert-manager component configuration

To configure the cert-manager components, you can use CLI flags or a configuration file. The CLI flags take precedence over the configuration file.

CLI flags

An overview of the available CLI flags for each component can be found on the following pages:

• cert-manager controller: controller CLI flags
• cert-manager webhook: webhook CLI flags
• cert-manager cainjector: cainjector CLI flags
• cert-manager acmesolver: acmesolver CLI flags
• cert-manager cmctl: cmctl CLI flags

When using the Helm chart, the CLI flags can be specified in the extraArgs, webhook.extraArgs, cainjector.extraArgs and acmesolver.extraArgs values.

Configuration file

The configuration file is a YAML file that contains the configuration for the cert-manager components. The configuration file can be specified using the --config CLI flag. When using the Helm chart, the configuration file can be specified in the config and webhook.config values.

Controller configuration file

The webhook configuration API documentation can be found on the ControllerConfiguration page.

This is an example configuration file for the controller component:

apiVersion: controller.config.cert-manager.io/v1alpha1
kind: ControllerConfiguration

logging:
  verbosity: 2
  format: text

leaderElectionConfig:
  namespace: my-namespace

kubernetesAPIQPS: 10
kubernetesAPIBurst: 50

numberOfConcurrentWorkers: 200

enableGatewayAPI: true

featureGates:
  AdditionalCertificateOutputFormats: true
  ExperimentalCertificateSigningRequestControllers: true
  ServerSideApply: true
  LiteralCertificateSubject: true
  UseCertificateRequestBasicConstraints: true
  OtherNames: true
  NameConstraints: true
  UseDomainQualifiedFinalizer: true

Note: This is included as an example only and not intended to be used as default settings.

Webhook configuration file

The webhook configuration API documentation can be found on the WebhookConfiguration page.

Here is an example configuration file for the webhook component:

apiVersion: webhook.config.cert-manager.io/v1alpha1
kind: WebhookConfiguration

logging:
  verbosity: 2
  format: text

securePort: 6443
healthzPort: 6080

featureGates:
  AdditionalCertificateOutputFormats: true
  LiteralCertificateSubject: true
  OtherNames: true
  NameConstraints: true

Note: This is included as an example only and not intended to be used as default settings.

Feature gates

Feature gates can be used to enable or disable experimental features in cert-manager.

There are 2 levels of feature gates (more details in Kubernetes definition of feature stages):

• Alpha: feature is not yet stable and might be removed or changed in the future. Alpha features are disabled by default and need to be explicitly enabled by the user (to test the feature).
• Beta: feature is almost stable but might still change in the future. Beta features are enabled by default and can be disabled by the user (if any issues are encountered).

Each cert-manager component has its own set of feature gates. They can be enabled/ disabled using the --feature-gates flag or the featureGates value in the config file. The available feature gates for each component can be found on the following pages:

• cert-manager controller: controller feature gates
• cert-manager webhook: webhook feature gates
• cert-manager cainjector: cainjector feature gates