This project is a Kubernetes controller that automates the issuance, renewal, and lifecycle management of TLS certificates. It functions as a native extension to the cluster API, using custom resource definitions and reconciliation loops to maintain the desired state of certificates and trust bundles across distributed services. By integrating directly with the cluster's admission control and secret storage systems, it ensures that cryptographic identities are consistently provisioned and available for application workloads.
The project distinguishes itself through its extensive support for automated domain validation and multi-provider integration. It orchestrates complex challenge processes—including those for private or split-horizon networks—to prove domain ownership without manual intervention. Beyond standard certificate management, it provides granular policy enforcement, allowing administrators to restrict issuance permissions, delegate certificate requests to specific service accounts, and enforce security requirements through custom metadata and issuer configurations.
The platform covers a broad capability surface for securing network traffic and service communication. It supports diverse issuance workflows, ranging from public certificate authorities and ACME-based automation to private internal PKI infrastructures. The system also includes robust observability tools, such as operational metrics and status inspection, alongside administrative features for managing resource configurations, performing API migrations, and scaling controller components for high-availability environments.
Installation and management are facilitated through standard cluster deployment workflows, with comprehensive command-line tools available for troubleshooting, configuration export, and lifecycle verification.
