ClusterIssuers, are Kubernetes resources that represent
certificate authorities (CAs) that are able to generate signed certificates by honoring
certificate signing requests. All cert-manager certificates require a referenced
issuer that is in a ready condition to attempt to honor the request.
An example of an
Issuer type is
CA. A simple
Issuer is as follows:
apiVersion: cert-manager.io/v1alpha2 kind: Issuer metadata: name: ca-issuer namespace: mesh-system spec: ca: secretName: ca-key-pair
This is a simple
Issuer that will sign certificates based on a private key.
The certificate stored in the secret
ca-key-pair can then be used to trust
newly signed certificates by this
Issuer in a Public Key Infrastructure (PKI)
Issuer is a namespaced resource, and it is not possible to issue
certificates from an
Issuer in a different namespace. This means you will need
to create an
Issuer in each namespace you wish to obtain
If you want to create a single
Issuer that can be consumed in multiple
namespaces, you should consider creating a
ClusterIssuer resource. This is
almost identical to the
Issuer resource, however is non-namespaced so it
can be used to issue
Certificates across all namespaces.
cert-manager supports a number of ‘in-tree’, as well as ‘out-of-tree’
types. An exhaustive list of these
Issuer types can be found in the
cert-manager configuration documentation.