
Annotations

You can generally tune Certificate requests by adding annotations to Ingress and Gateway resources.

acme.cert-manager.io/http01-edit-in-place

this controls whether the ingress is modified 'in-place', or a new one is created specifically for the HTTP01 challenge. If present and set to "true", the existing ingress will be modified. Any other value, or the absence of the annotation, is treated as "false". This annotation also adds the annotation "cert-manager.io/issue-temporary-certificate": "true" to created certificates, which causes a temporary certificate to be set on the resulting Secret until the final signed certificate has been returned. This is useful for keeping compatibility with the ingress-gce component.

acme.cert-manager.io/http01-ingress-class

this annotation allows you to configure the ingress class that will be used to solve challenges for this ingress. Customizing this is useful when you are trying to secure internal services and need to solve challenges using an ingress class different from that of the ingress. If not specified, and the acme.cert-manager.io/http01-edit-in-place annotation is not set, this defaults to the ingress class defined in the Issuer resource.

cert-manager.io/allow-direct-injection

set on a Secret; allows the cainjector to inject that secret's CA certificate contents into other objects that have cert-manager.io/inject-ca-from-secret.

cert-manager.io/alt-names

this annotation allows you to configure the spec.dnsNames field for the Certificate to be generated. Supports comma-separated values, e.g. "example.com,example.org".

cert-manager.io/certificate-name

name of the related certificate.

cert-manager.io/certificate-revision

the iteration (revision) of the certificate request.

cert-manager.io/cluster-issuer

the name of a cert-manager.io ClusterIssuer that should issue the required certificate.

cert-manager.io/common-name

this annotation allows you to configure the spec.commonName field for the Certificate to be generated.

cert-manager.io/duration

this annotation allows you to configure the spec.duration field for the Certificate to be generated.

cert-manager.io/email-sans

this annotation allows you to configure the spec.emailAddresses field for the Certificate to be generated. Supports comma-separated values, e.g. "me@example.com,you@example.com".

cert-manager.io/ip-sans

this annotation allows you to configure the spec.ipAddresses field for the Certificate to be generated. Supports comma-separated values, e.g. "198.51.100.1,198.51.100.2".

cert-manager.io/issuer-group

the API group of the external issuer controller, for example awspca.cert-manager.io. This is only necessary for out-of-tree issuers.

cert-manager.io/issuer-kind

the kind of the external issuer resource, for example AWSPCAIssuer. This is only necessary for out-of-tree issuers.

cert-manager.io/issuer-name

the name of a cert-manager.io Issuer that should issue the required certificate.

cert-manager.io/issuer

the name of the issuer that should issue the required certificate.

cert-manager.io/issue-temporary-certificate

causes a temporary certificate to be set on the resulting Secret until the final signed certificate has been returned. This is useful for keeping compatibility with the ingress-gce component.

cert-manager.io/inject-apiserver-ca

causes the cainjector to inject the CA certificate of the Kubernetes apiserver into the resource.

cert-manager.io/inject-ca-from

causes the cainjector to inject the CA certificate of a Certificate resource, referenced as <namespace>/<certificate-name>, into the resource.

cert-manager.io/inject-ca-from-secret

causes the cainjector to inject a CA certificate from a Secret into the resource.

cert-manager.io/private-key-algorithm

this annotation allows you to configure the spec.privateKey.algorithm field, which sets the algorithm used to generate the private key for a Certificate. Valid values are RSA, ECDSA and Ed25519. If unset, RSA is used.

cert-manager.io/private-key-encoding

this annotation allows you to configure the spec.privateKey.encoding field, which sets the encoding of the generated private key for a Certificate. Valid values are PKCS1 and PKCS8. If unset, PKCS1 is used.

cert-manager.io/private-key-rotation-policy

this annotation allows you to configure the spec.privateKey.rotationPolicy field, which sets the rotation policy of the private key for a Certificate. Valid values are Never and Always. If unset, Never is used.

cert-manager.io/private-key-secret-name

references the Secret that stores the private key used to sign an X.509 certificate signing request.

cert-manager.io/private-key-size

this annotation allows you to configure the spec.privateKey.size field, which sets the size of the private key for a Certificate. If the algorithm is RSA, valid values are 2048, 4096 or 8192, defaulting to 2048 if not specified. If the algorithm is ECDSA, valid values are 256, 384 or 521, defaulting to 256 if not specified. If the algorithm is Ed25519, the size is ignored.

cert-manager.io/renew-before

this annotation allows you to configure the spec.renewBefore field for the Certificate to be generated.

cert-manager.io/renew-before-percentage

this annotation allows you to configure the spec.renewBeforePercentage field for the Certificate to be generated.

cert-manager.io/revision-history-limit

this annotation allows you to configure the spec.revisionHistoryLimit field, which limits the number of CertificateRequests kept for a Certificate. The minimum value is 1. If unset, all CertificateRequests are kept.

cert-manager.io/secret-template

this annotation allows you to set the secretTemplate field in the generated Certificate.

cert-manager.io/subject-countries

this annotation allows you to configure the spec.subject.countries field for the Certificate to be generated. Supports comma-separated values, e.g. "Country 1,Country 2".

cert-manager.io/subject-localities

this annotation allows you to configure the spec.subject.localities field for the Certificate to be generated. Supports comma-separated values, e.g. "City 1,City 2".

cert-manager.io/subject-organizationalunits

this annotation allows you to configure the spec.subject.organizationalUnits field for the Certificate to be generated. Supports comma-separated values, e.g. "IT Services,Cloud Services".

cert-manager.io/subject-organizations

this annotation allows you to configure the spec.subject.organizations field for the Certificate to be generated. Supports comma-separated values, e.g. "Company 1,Company 2".

cert-manager.io/subject-postalcodes

this annotation allows you to configure the spec.subject.postalCodes field for the Certificate to be generated. Supports comma-separated values, e.g. "123ABC,456DEF".

cert-manager.io/subject-provinces

this annotation allows you to configure the spec.subject.provinces field for the Certificate to be generated. Supports comma-separated values, e.g. "Province 1,Province 2".

cert-manager.io/subject-serialnumber

this annotation allows you to configure the spec.subject.serialNumber field for the Certificate to be generated. Supports comma-separated values, e.g. "10978342379280287615,1111144445555522228888".

cert-manager.io/subject-streetaddresses

this annotation allows you to configure the spec.subject.streetAddresses field for the Certificate to be generated. Supports comma-separated values, e.g. "123 Example St,456 Other Blvd".

cert-manager.io/uri-sans

this annotation allows you to configure the spec.uris field for the Certificate to be generated. Supports comma-separated values, e.g. "spiffe://cluster.local/ns/sandbox/sa/example".

cert-manager.io/usages

this annotation allows you to configure the spec.usages field for the Certificate to be generated. Pass a string with comma-separated values, e.g. "key agreement,digital signature, server auth".
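To make the mapping above concrete, here is an added example (not cert-manager's own ingress-shim code) that translates a set of cert-manager.io/* annotations into the Certificate spec fields this page lists, applies the page's stated defaults (RSA, PKCS1, rotation policy Never, key size 2048 for RSA and 256 for ECDSA), and rejects invalid key sizes. The function names, the FIELD_MAP table, the sample annotations and the assumption that cert-manager.io/issuer and cert-manager.io/cluster-issuer are mutually exclusive are all illustrative choices of this example.

```python
"""Illustrative mapping of cert-manager.io/* annotations to Certificate spec
fields (added example; not cert-manager's own ingress-shim implementation)."""
from typing import Any, Callable

PREFIX = "cert-manager.io/"


def _csv(value: str) -> list[str]:
    """Split a comma-separated annotation value, trimming whitespace."""
    return [part.strip() for part in value.split(",") if part.strip()]


# annotation suffix -> (dotted path inside spec, parser for the raw string)
FIELD_MAP: dict[str, tuple[str, Callable[[str], Any]]] = {
    "common-name": ("commonName", str),
    "alt-names": ("dnsNames", _csv),
    "ip-sans": ("ipAddresses", _csv),
    "email-sans": ("emailAddresses", _csv),
    "uri-sans": ("uris", _csv),
    "usages": ("usages", _csv),
    "duration": ("duration", str),
    "renew-before": ("renewBefore", str),
    "renew-before-percentage": ("renewBeforePercentage", int),
    "revision-history-limit": ("revisionHistoryLimit", int),
    "subject-countries": ("subject.countries", _csv),
    "subject-localities": ("subject.localities", _csv),
    "subject-organizationalunits": ("subject.organizationalUnits", _csv),
    "subject-organizations": ("subject.organizations", _csv),
    "subject-postalcodes": ("subject.postalCodes", _csv),
    "subject-provinces": ("subject.provinces", _csv),
    "subject-serialnumber": ("subject.serialNumber", str),
    "subject-streetaddresses": ("subject.streetAddresses", _csv),
}

# algorithm -> (default size, permitted sizes); Ed25519 takes no size
KEY_SIZES = {"RSA": (2048, {2048, 4096, 8192}), "ECDSA": (256, {256, 384, 521})}


def _set(spec: dict, path: str, value: Any) -> None:
    """Assign value at a dotted path, creating nested dicts as needed."""
    node = spec
    *parents, leaf = path.split(".")
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value


def issuer_ref(ann: dict[str, str]) -> dict[str, str]:
    """Build issuerRef; issuer-kind/issuer-group only apply to cert-manager.io/issuer."""
    cluster = ann.get(PREFIX + "cluster-issuer")
    issuer = ann.get(PREFIX + "issuer")
    if cluster and issuer:  # assumption of this example: exactly one is allowed
        raise ValueError("cluster-issuer and issuer are mutually exclusive")
    if cluster:
        return {"name": cluster, "kind": "ClusterIssuer", "group": "cert-manager.io"}
    if issuer:
        return {"name": issuer,
                "kind": ann.get(PREFIX + "issuer-kind", "Issuer"),
                "group": ann.get(PREFIX + "issuer-group", "cert-manager.io")}
    raise ValueError("no cert-manager.io/issuer or cluster-issuer annotation")


def private_key(ann: dict[str, str]) -> dict[str, Any]:
    """Apply the private-key-* annotations with the page's defaults and validation."""
    alg = ann.get(PREFIX + "private-key-algorithm", "RSA")
    enc = ann.get(PREFIX + "private-key-encoding", "PKCS1")
    rot = ann.get(PREFIX + "private-key-rotation-policy", "Never")
    if alg not in ("RSA", "ECDSA", "Ed25519"):
        raise ValueError(f"unsupported algorithm {alg!r}")
    if enc not in ("PKCS1", "PKCS8"):
        raise ValueError(f"unsupported encoding {enc!r}")
    if rot not in ("Never", "Always"):
        raise ValueError(f"unsupported rotation policy {rot!r}")
    key: dict[str, Any] = {"algorithm": alg, "encoding": enc, "rotationPolicy": rot}
    if alg in KEY_SIZES:  # Ed25519: size annotation is ignored
        default, allowed = KEY_SIZES[alg]
        size = int(ann.get(PREFIX + "private-key-size", default))
        if size not in allowed:
            raise ValueError(f"key size {size} is not valid for {alg}")
        key["size"] = size
    return key


def certificate_spec(ann: dict[str, str], secret_name: str) -> dict[str, Any]:
    """Assemble the Certificate spec; secret_name comes from the Ingress TLS block."""
    spec: dict[str, Any] = {"secretName": secret_name,
                            "issuerRef": issuer_ref(ann),
                            "privateKey": private_key(ann)}
    for suffix, (path, parse) in FIELD_MAP.items():
        raw = ann.get(PREFIX + suffix)
        if raw is not None:
            _set(spec, path, parse(raw))
    return spec


# Constructed sample annotations, as they might appear on an Ingress.
SAMPLE_ANNOTATIONS = {
    PREFIX + "cluster-issuer": "example-cluster-issuer",
    PREFIX + "alt-names": "example.com, www.example.com",
    PREFIX + "private-key-algorithm": "ECDSA",
    PREFIX + "private-key-rotation-policy": "Always",
    PREFIX + "usages": "digital signature, server auth",
    PREFIX + "subject-organizations": "Company 1",
}

if __name__ == "__main__":
    print(certificate_spec(SAMPLE_ANNOTATIONS, "example-tls"))
```

Running the module prints the assembled spec for the sample annotations; note that the comma-separated annotations become lists with surrounding whitespace trimmed, and that a key size not listed on the page for the chosen algorithm is rejected rather than silently replaced.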

experimental.cert-manager.io/request-duration

annotation used to request a particular duration.

experimental.cert-manager.io/request-is-ca

annotation used to request a certificate be marked as CA.

experimental.cert-manager.io/private-key-secret-name

annotation key used by the self-signing issuer type to reference a Secret resource containing the private key used to sign the request.

kubernetes.io/ingress.class

deprecated. You should use spec.ingressClassName instead.

kubernetes.io/tls-acme

this annotation requires additional configuration of the ingress-shim. Namely, a default Issuer must be specified as an argument to the ingress-shim container.

venafi.cert-manager.io/custom-fields

pass JSON encoded custom fields to the Venafi issuer.

venafi.cert-manager.io/pickup-id

records the Venafi Pickup ID of a certificate signing request.