External
cert-manager supports external Issuer
types. These external Issuer
types are
issuers that are not support by cert-manager by default, or are 'out of tree',
however are treated the exact same as any other internal Issuer
type. External
issuer types are typically installed by deploying another pod into your cluster
that will watch CertificateRequest
resources and honor them based on
configured Issuer
resources. These issuer types exist outside of the
cert-manager.io
group.
As of v0.11
, no changes need to be made to cert-manager to support external
issuers.
The recommended installation process and configuration options for these external issuer types can be found in the documentation of that external issuer project. A list of known external issuer projects that are maintained by their authors are as follows:
Issuers that Honour Approval
-
aws-pca-issuer: Used to request certificates from [AWS Private Certificate Authority] (https://aws.amazon.com/certificate-manager/private-certificate-authority/) for cloud native/hybrid environments.
-
google-cas-issuer: Used to request certificates signed by private CAs managed by the Google Cloud Certificate Authority Service.
-
origin-ca-issuer: Used to request certificates signed by Cloudflare Origin CA to enable TLS between Cloudflare edge and your Kubernetes workloads.
-
step-issuer: Used to request certificates from the Smallstep Certificate Authority server.
Issuers that do NOT Honour Approval
A list of known external issuer projects that are maintained by their authors are as follows. These issuers do not honour approval.
-
awskms-issuer: Used to request certificates signed using an AWS KMS asymmetric key.
-
freeipa-issuer: Used to request certificates signed by FreeIPA.
-
ADCS Issuer: Used to request certificates signed by Microsoft Active Directory Certificate Service.
To create your own external issuer type, please follow the guidance in the development documentation.