cert-manager
Purpose
cert-manager owns TLS issuance for Lumie's ingress hosts and explicit certificate resources. This page is a reference document for the cert-manager deployment, ACME issuer locations, Cloudflare token syncing, and the boundary between namespaced chart configuration and cluster-scoped issuer manifests.
Source Paths
| Path | Role |
|---|---|
| lumie-infra/platform/cert-manager/argocd.yaml | Argo CD application for cert-manager |
| lumie-infra/platform/cert-manager/helm-values.yaml | Jetstack chart values for controller, webhook, and cainjector |
| lumie-infra/platform/cert-manager/common-values.yaml | Shared-chart values and stale clusterIssuers block |
| lumie-infra/platform/cert-manager/manifests/vault-static-secret.yaml | VaultStaticSecret that syncs the Cloudflare API token |
| lumie-infra/applications/cluster-bootstrap/manifests/cluster-issuer.yaml | Active ClusterIssuer definitions |
| lumie-infra/applications/lumie/frontend/manifests/custom-domain.example.yaml | White-label custom-domain ingress contract |
| lumie-infra/security/teleport/manifests/certificate.yaml | Explicit Certificate consumer example |
Public Surface
| Surface | Purpose |
|---|---|
| cert-manager controller | Main reconciliation loop for Certificate and issuer resources |
| cert-manager-webhook | Admission and validation for cert-manager CRDs |
| cert-manager-cainjector | CA bundle injection for webhook-backed resources |
| VaultStaticSecret cloudflare-api-token-vss | Syncs the Cloudflare API token into the cert-manager namespace |
| ClusterIssuer letsencrypt-prod | Production ACME issuer for standard Lumie domains |
| ClusterIssuer letsencrypt-staging | Staging ACME issuer for safe testing |
| ClusterIssuer letsencrypt-customdomain | DNS-01-only issuer for operator-onboarded white-label domains |
Runtime Flow
Active Issuers
The authoritative issuer definitions live in applications/cluster-bootstrap/manifests/cluster-issuer.yaml, not in the cert-manager chart values.
The file defines:
- `letsencrypt-prod` with both HTTP-01 via ingress class `traefik` and DNS-01 via Cloudflare for `lumie-infra.com`;
- `letsencrypt-staging` with HTTP-01 via `traefik`;
- `letsencrypt-customdomain` with DNS-01 only, for operator-onboarded tenant domains.
The custom-domain issuer is intentionally opt-in per Certificate or Ingress and does not restrict dnsZones, because operators may onboard domains outside lumie-infra.com. Since nothing in the issuer limits which zones it will attempt to solve for, whether issuance for a tenant domain actually succeeds depends on whether the synced Cloudflare token can edit that zone.
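The following is an added illustration of how the two solver layouts described above look as cert-manager manifests; it is not the contents of cluster-issuer.yaml. The ACME server URL is the standard Let's Encrypt production directory; the account email, the privateKeySecretRef names and the key name inside the synced cloudflare-api-token Secret are assumptions.

```yaml
# Added example, not the repo's cluster-issuer.yaml.
# Assumed: email, privateKeySecretRef names, and the "api-token" key in the
# cloudflare-api-token Secret that the VaultStaticSecret writes.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform@example.com                # assumption
    privateKeySecretRef:
      name: letsencrypt-prod-account-key       # assumption
    solvers:
      # The most specific matching solver wins: names under lumie-infra.com
      # go through DNS-01, so the Cloudflare token is only used for that zone.
      - selector:
          dnsZones:
            - lumie-infra.com
        dns01:
          cloudflare:
            apiTokenSecretRef:
              # For a ClusterIssuer this Secret must live in the
              # cert-manager namespace, which is where the VSS syncs it.
              name: cloudflare-api-token
              key: api-token                   # assumption
      # Catch-all for every other host: HTTP-01 through the traefik class.
      - http01:
          ingress:
            ingressClassName: traefik
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-customdomain
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform@example.com                # assumption
    privateKeySecretRef:
      name: letsencrypt-customdomain-account-key  # assumption
    solvers:
      # Deliberately no selector: any Certificate or Ingress that names this
      # issuer is solved via DNS-01, so the tenant's zone must already be
      # editable by the Cloudflare token or the order stalls at the challenge.
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token                   # assumption
```

The practical difference between the two is the `selector`: `letsencrypt-prod` can never spend the Cloudflare token on a host outside `lumie-infra.com`, while `letsencrypt-customdomain` will try for anything, which is why it stays opt-in rather than being a default annotation.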
Cloudflare Secret Sync
The Cloudflare credential does not live in Git. It is synced from Vault:
```yaml
# Excerpt of platform/cert-manager/manifests/vault-static-secret.yaml;
# fields such as mount and type are not shown here.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: cloudflare-api-token-vss
spec:
  path: tokens
  destination:
    # Kubernetes Secret that the ClusterIssuers reference for DNS-01.
    name: cloudflare-api-token
```
The live cluster inspected on June 14, 2026 had cloudflare-api-token-vss present in the cert-manager namespace and all three ClusterIssuer resources reporting READY=True.
Consumers
Common patterns in the repo are:
- Ingress annotations such as `cert-manager.io/cluster-issuer: letsencrypt-prod` for standard Lumie hosts.
- Per-domain frontend ingresses with `letsencrypt-customdomain` for white-label hosts.
- Explicit `Certificate` objects, such as Teleport's wildcard certificate in `security/teleport/manifests/certificate.yaml`.
Because OCI only does TCP passthrough, TLS is not terminated upstream of the cluster: the issued secrets are ultimately consumed by Traefik, which terminates TLS on the workers.
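As an added example of the two consumer shapes listed above (not the repo's custom-domain.example.yaml or Teleport manifest), here is a white-label Ingress that opts into `letsencrypt-customdomain` together with an explicit wildcard Certificate. Hostnames, namespaces, service and secret names are assumptions.

```yaml
# Added example; hostnames, namespaces, service and secret names are assumed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend-tenant-example
  namespace: lumie                              # assumption
  annotations:
    # Opt-in to the white-label issuer; standard hosts use letsencrypt-prod.
    cert-manager.io/cluster-issuer: letsencrypt-customdomain
spec:
  ingressClassName: traefik
  tls:
    # The host must be listed here explicitly: cert-manager derives the
    # Certificate from this entry, and Traefik only loads the resulting
    # secret into its SNI store for hosts that appear on a tls entry.
    - hosts:
        - app.tenant.example                    # assumption
      secretName: app-tenant-example-tls
  rules:
    - host: app.tenant.example
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontend                  # assumption
                port:
                  number: 80
---
# Explicit Certificate for a wildcard name. Wildcards can only be validated
# with DNS-01, so this relies on the Cloudflare solver in letsencrypt-prod.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: teleport-wildcard
  namespace: teleport                           # assumption
spec:
  secretName: teleport-wildcard-tls
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  dnsNames:
    - teleport.lumie-infra.com                  # assumption
    - "*.teleport.lumie-infra.com"              # assumption
```

The `tls.hosts` entry in the Ingress is the part most often omitted on custom-domain onboarding; without it the annotation alone produces no Certificate and Traefik serves its default certificate for that SNI name.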
Contract Drift
There is an important repo-internal mismatch:
`platform/cert-manager/common-values.yaml` still contains a `clusterIssuers` block, but `charts/common/templates/` has no `ClusterIssuer` renderer. The active issuer resources come from `applications/cluster-bootstrap/manifests/cluster-issuer.yaml`, not from the shared chart values.
When changing issuer behavior, update the cluster-bootstrap manifest first and treat the clusterIssuers values block as stale until it is removed or wired to a renderer.
Failure Modes
| Failure point | Impact |
|---|---|
| Cloudflare token missing or stale | DNS-01 issuance fails for lumie-infra.com or custom domains |
| Wrong issuer annotation | Ingress never receives the expected TLS secret |
| Custom domain ingress missing explicit host entry | Traefik never loads the cert into its SNI store |
| Operators edit the stale clusterIssuers values block only | No live issuer change occurs |
Verification
```shell
# Controller, webhook and cainjector pods should be Running.
kubectl get pods -n cert-manager
# The VaultStaticSecret must exist in the cert-manager namespace, since a
# ClusterIssuer reads its secrets from there.
kubectl get vaultstaticsecret -n cert-manager
# All three issuers should report READY=True.
kubectl get clusterissuers
# Repo-side check that issuer names and annotations agree across the source paths.
rg -n "ClusterIssuer|cert-manager.io/cluster-issuer|cloudflare-api-token-vss" \
  lumie-infra/platform/cert-manager \
  lumie-infra/applications/cluster-bootstrap \
  lumie-infra/applications/lumie \
  lumie-infra/security/teleport
```