Chart version: 0.8.0
Api version: v1
App version: v0.7.0
A Helm chart for cert-manager
Chart Type
Set me up:
helm repo add center
Install Chart:
helm install cert-manager center/cloudposse/cert-manager
Versions (0)


This chart was forked from for the sole purpose of adding the Custom Resource Definitions from into it. All we did was copy that file into the templates directory, change its name, and add the "": crd-install annotation to each CRD. Oh, and we deleted the OWNERS and requirements.lock files and updated this Readme. Reference: (original Readme)[}]


cert-manager is a Kubernetes addon to automate the management and issuance of TLS certificates from various issuing sources.

It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry.


  • Kubernetes 1.7+

Installing the Chart

Full installation instructions, including details on how to configure extra functionality in cert-manager can be found in the getting started docs.

To install the chart with the release name my-release:

## The main point of the Cloudposse version of this chart is to remove this requirement for a manual step:
## delete: ## IMPORTANT: you MUST install the cert-manager CRDs **before** installing the
## delete: ## cert-manager Helm chart
## delete: $ kubectl apply \
## delete:     -f
## You no longer need to run the command above to install the CRDs
## The rest of the steps below are copied vebatim from the original Readme at

## IMPORTANT: if the cert-manager namespace **already exists**, you MUST ensure
## it has an additional label on it in order for the deployment to succeed
$ kubectl label namespace cert-manager"true"

## Add the Jetstack Helm repository
$ helm repo add jetstack

## Install the cert-manager helm chart
$ helm install --name my-release --namespace cert-manager jetstack/cert-manager

In order to begin issuing certificates, you will need to set up a ClusterIssuer or Issuer resource (for example, by creating a ‘letsencrypt-staging’ issuer).

More information on the different types of issuers and how to configure them can be found in our documentation:

For information on how to configure cert-manager to automatically provision Certificates for Ingress resources, take a look at the ingress-shim documentation:

Tip: List all releases using helm list

Upgrading the Chart

Special considerations may be required when upgrading the Helm chart, and these are documented in our full upgrading guide. Please check here before perform upgrades!

Uninstalling the Chart

To uninstall/delete the my-release deployment:

$ helm delete my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.


The following table lists the configurable parameters of the cert-manager chart and their default values.

Parameter Description Default
global.imagePullSecrets Reference to one or more secrets to be used when pulling images []
global.rbac.create If true, create and use RBAC resources (includes sub-charts) true
image.repository Image repository
image.tag Image tag v0.7.0
image.pullPolicy Image pull policy IfNotPresent
replicaCount Number of cert-manager replicas 1
clusterResourceNamespace Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources Same namespace as cert-manager pod
leaderElection.Namespace Override the namespace used to store the ConfigMap for leader election Same namespace as cert-manager pod
extraArgs Optional flags for cert-manager []
extraEnv Optional environment variables for cert-manager []
serviceAccount.create If true, create a new service account true Service account to be used. If not set and serviceAccount.create is true, a name is generated using the fullname template
resources CPU/memory resource requests/limits
securityContext.enabled Enable security context false
securityContext.fsGroup Group ID for the container 1001
securityContext.runAsUser User ID for the container 1001
nodeSelector Node labels for pod assignment {}
affinity Node affinity for pod assignment {}
tolerations Node tolerations for pod assignment []
ingressShim.defaultIssuerName Optional default issuer to use for ingress resources
ingressShim.defaultIssuerKind Optional default issuer kind to use for ingress resources
ingressShim.defaultACMEChallengeType Optional default challenge type to use for ingresses using ACME issuers
ingressShim.defaultACMEDNS01ChallengeProvider Optional default DNS01 challenge provider to use for ingresses using ACME issuers with DNS01
podAnnotations Annotations to add to the cert-manager pod {}
podDnsPolicy Optional cert-manager pod DNS policy
podDnsConfig Optional cert-manager pod DNS configurations
podLabels Labels to add to the cert-manager pod {}
priorityClassName Priority class name for cert-manager and webhook pods ""
http_proxy Value of the HTTP_PROXY environment variable in the cert-manager pod
https_proxy Value of the HTTPS_PROXY environment variable in the cert-manager pod
no_proxy Value of the NO_PROXY environment variable in the cert-manager pod
webhook.enabled Toggles whether the validating webhook component should be installed true
webhook.replicaCount Number of cert-manager webhook replicas 1
webhook.podAnnotations Annotations to add to the webhook pods {}
webhook.extraArgs Optional flags for cert-manager webhook component []
webhook.resources CPU/memory resource requests/limits for the webhook pods
webhook.image.repository Webhook image repository
webhook.image.tag Webhook image tag v0.7.0
webhook.image.pullPolicy Webhook image pull policy IfNotPresent
webhook.injectAPIServerCA if true, the apiserver’s CABundle will be automatically injected into the ValidatingWebhookConfiguration resource true
cainjector.enabled Toggles whether the cainjector component should be installed (required for the webhook component to work) true
cainjector.replicaCount Number of cert-manager cainjector replicas 1
cainjector.podAnnotations Annotations to add to the cainjector pods {}
cainjector.extraArgs Optional flags for cert-manager cainjector component []
cainjector.resources CPU/memory resource requests/limits for the cainjector pods
cainjector.image.repository cainjector image repository
cainjector.image.tag cainjector image tag v0.7.0
cainjector.image.pullPolicy cainjector image pull policy IfNotPresent

Specify each parameter using the --set key=value[,key=value] argument to helm install.

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

$ helm install --name my-release -f values.yaml .

Tip: You can use the default values.yaml


This chart is maintained at