This change maintains backwards compatibility, but makes the `accessKeyID` and `secretAccessKeySecretRef` fields of the `route53` DNS provider optional. If not provided, AWS credentials will be loaded from `AWS_*` environment variables or the EC2 metadata service. This should also work for things that impersonate the EC2 metadata service, such as [kube2iam](https://github.com/jtblin/kube2iam) and [kiam](https://github.com/uswitch/kiam).

Signed-off-by: Matt Moyer <moyer@heptio.com>

Issuers
cert-manager has the concept of 'Issuers' that define a source of X.509 certificates, including any configuration required for that source.
An example of an Issuer is ACME. A simple ACME issuer could be defined as:
```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: edge-services
spec:
  acme:
    # The ACME server URL
    server: https://acme-v01.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: user@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable HTTP01 validations
    http01: {}
```
This is the simplest of ACME issuers: it specifies no DNS-01 challenge
providers. HTTP-01 validation is performed using Ingress resources, and is
enabled by setting the `http01: {}` field.
Namespacing
An Issuer is a namespaced resource, and it is not possible to issue certificates from an Issuer in a different namespace. This means you will need to create an Issuer in each namespace you wish to obtain Certificates in.
If you want to create a single issuer that can be consumed in multiple
namespaces, you should consider creating a ClusterIssuer resource. This is
almost identical to the Issuer resource, but it is non-namespaced and so can
be created at the cluster level.
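
The following manifest is an added example, not taken from the cert-manager documentation: a ClusterIssuer as described above whose `route53` DNS provider appears twice, once with the explicit credential fields and once with both omitted, as the commit message at the top of this page allows. The `dns01.providers` layout and the `region` field are assumed from the v1alpha1 API; every name, the region, the Secret and the access key ID are placeholders.

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  # No namespace field: a ClusterIssuer is not namespaced
  name: letsencrypt-prod-cluster        # placeholder name
spec:
  acme:
    server: https://acme-v01.api.letsencrypt.org/directory
    email: user@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-cluster    # placeholder Secret name
    dns01:
      providers:
      # Explicit credentials: still accepted, so existing manifests keep working.
      # The secret access key is a long-lived credential stored in a Secret.
      - name: route53-static            # placeholder provider name
        route53:
          region: us-east-1             # placeholder region
          accessKeyID: "<access-key-id>"
          secretAccessKeySecretRef:
            name: route53-credentials   # placeholder Secret holding the key
            key: secret-access-key
      # Both credential fields omitted: credentials are loaded from AWS_*
      # environment variables or the EC2 metadata service (including
      # kube2iam or kiam), so no static key appears in this manifest.
      - name: route53-ambient           # placeholder provider name
        route53:
          region: us-east-1             # placeholder region
```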
Supported issuer types
cert-manager has been designed to support pluggable Issuer backends. Below is a list of the currently supported issuers and a link to the spec for their definition.
This list will be kept up to date as new issuers are added.