Keptn Certificate Manager
Keptn Cert Manager
Keptn includes a Mutating Webhook that requires TLS certificates to be mounted as a volume in its pod. In version 0.6.0 and later, the certificate creation is handled automatically by the klt-cert-manager.
How it works:
- The certificate is created as a secret
keptn-lifecycle-toolkit-systemnamespace with a renewal threshold of 12 hours.
- If the certificate expires, the klt-cert-manager renews it.
- The Keptn
lifecycle-operatorwaits for a valid certificate to be ready.
- When the certificate is ready, it is mounted on an empty dir volume in the operator.
klt-cert-manager is a customized certificate manager
that is installed with Keptn by default.
It is included to simplify installation for new users
and because it is much smaller than most standard certificate managers.
However, Keptn is compatible with most certificate managers
and can be configured to use another certificate manager if you prefer.
Use Keptn with cert-manager.io
Invalid certificate errors
When a certificate is left over from an older version, the webhook or the operator may generate errors because of an invalid certificate. To solve this, delete the certificate and restart the operator.
The Keptn cert-manager certificate is stored as a secret in the
To retrieve it:
kubectl get secrets -n keptn-lifecycle-toolkit-system
This returns something like:
NAME TYPE DATA AGE klt-certs Opaque 5 4d23h
NAME of the Keptn certificate (
klt-certs in this case)
to delete the Keptn certificate:
kubectl delete secret klt-certs -n keptn-lifecycle-toolkit-system