Keptn Certificate Manager

Learn how the cert-manager works

Keptn Cert Manager

The Lifecycle Toolkit includes a Mutating Webhook that requires TLS certificates to be mounted as a volume in its pod. In version 0.6.0 and later, the certificate creation is handled automatically by the klt-cert-manager.

How it works:

  • The certificate is created as a secret in the keptn-lifecycle-toolkit-system namespace with a renewal threshold of 12 hours.
  • If the certificate expires, the klt-cert-manager renews it.
  • The Lifecycle Toolkit operator waits for a valid certificate to be ready.
  • When the certificate is ready, it is mounted on an empty dir volume in the operator.

klt-cert-manager is a customized certificate manager that is installed with the Lifecycle Toolkit by default. It is included to simplify installation for new users and because it is much smaller than most standard certificate managers. However, KLT is compatible with most certificate managers and can be configured to use another certificate manager if you prefer. See Use your own cert-manager for instructions.

Invalid certificate errors

When a certificate is left over from an older version, the webhook or the operator may generate errors because of an invalid certificate. To solve this, delete the certificate and restart the operator.

The KLT cert-manager certificate is stored as a secret in the klt namespace. To retrieve it:

kubectl get secrets -n keptn-lifecycle-toolkit-system

This returns something like:

NAME                        TYPE                 DATA   AGE
klt-certs                   Opaque               5      4d23h

Specify the NAME of the KLT certificate (klt-certs in this case) to delete the KLT certificate:

kubectl delete secret klt-certs -n keptn-lifecycle-toolkit-system