cert-manager Values Source Stabilization
This page is a troubleshooting document for cert-manager source-layout confusion after the June 20, 2026 stabilization change. The broader deployment contract lives in the infrastructure networking cert-manager reference page.
Symptom
cert-manager changes are hard to reason about because the application appears to need both chart values and a separate manifest-only Git source just to create cloudflare-api-token-vss.
In the pre-fix layout, platform/cert-manager/argocd.yaml carried:
- the Jetstack chart source
- a repo source for
charts/commonand$values/platform/cert-manager/common-values.yaml - another repo source for
platform/cert-manager/manifests
That extra manifest source was the unstable part.
Likely Causes
- The Cloudflare token
VaultStaticSecretlived inplatform/cert-manager/manifests/vault-static-secret.yamleven thoughcharts/commonalready had avault-static-secrets.yamlrenderer. platform/cert-manager/common-values.yamlstill contains aclusterIssuersblock that looks authoritative, butcharts/common/templates/does not renderClusterIssuerresources at all.
Fix
f9280254 moved the Cloudflare token secret into platform/cert-manager/common-values.yaml under common.vaultStaticSecrets and removed the path: platform/cert-manager/manifests source from platform/cert-manager/argocd.yaml.
The remaining layout is intentional:
- the Jetstack chart source installs cert-manager itself
- the repo-backed
valuessource still providescharts/commonand$values/platform/cert-manager/common-values.yaml charts/common/templates/vault-static-secrets.yamlrenderscommon.vaultStaticSecrets
The fix removed the extra manifest source, not the repo-backed values source.
Diagnostic Path
- Inspect
platform/cert-manager/argocd.yamland confirm there is no source withpath: platform/cert-manager/manifests. - Inspect
platform/cert-manager/common-values.yamland confirmcommon.vaultStaticSecretsdefinescloudflare-api-token-vss. - Inspect
charts/common/templates/vault-static-secrets.yamland confirm it renders.Values.common.vaultStaticSecrets. - For issuer behavior, inspect
applications/cluster-bootstrap/manifests/cluster-issuer.yaml, not the staleclusterIssuersblock inplatform/cert-manager/common-values.yaml.
Prevention
- When a platform app already uses
charts/common, keep namespacedVaultStaticSecretresources in that values file unless the common chart truly cannot render them. - Do not treat
common-values.yaml.clusterIssuersas the issuer source of truth. The activeClusterIssuerobjects come fromapplications/cluster-bootstrap/manifests/cluster-issuer.yaml.
Verification
cd lumie-infra
rg -n "platform/cert-manager/manifests|path: charts/common|ref: values" \
platform/cert-manager/argocd.yaml
rg -n "cloudflare-api-token-vss|vaultStaticSecrets|clusterIssuers" \
platform/cert-manager/common-values.yaml \
charts/common/templates/vault-static-secrets.yaml \
applications/cluster-bootstrap/manifests/cluster-issuer.yaml
Success means argocd.yaml has no platform/cert-manager/manifests source, common-values.yaml defines the Cloudflare token VaultStaticSecret, and issuer ownership is still visible only in the cluster-bootstrap manifest.
Operational Detail
This was a GitOps ownership problem, not a cert-manager controller failure. The confusing part was that several files looked capable of declaring certificate-related resources, but only some of them were actually rendered.
| Resource type | Active owner after stabilization | Notes |
|---|---|---|
| cert-manager chart | Jetstack chart source in platform/cert-manager/argocd.yaml. | Installs controller components. |
| Cloudflare token secret sync | common.vaultStaticSecrets rendered by charts/common. | Replaces the extra manifest source. |
| ClusterIssuer | applications/cluster-bootstrap/manifests/cluster-issuer.yaml. | Not rendered from common-values.yaml.clusterIssuers. |
During triage, first identify which renderer owns the object. Do not assume a values block is active just because it is present.
Recovery Playbook
- Check whether Argo CD is applying an unexpected extra source for cert-manager.
- If a
VaultStaticSecretis missing, verify the common chart values before adding a new manifest directory. - If a
ClusterIssueris missing or stale, inspect cluster-bootstrap manifests instead of editingclusterIssuersunder cert-manager values. - Remove dead or misleading values only after confirming they are not consumed by a template.
- Sync cert-manager and cluster-bootstrap separately so controller installation and issuer declaration failures are not conflated.
Verification Evidence
Record:
- Argo CD source list for cert-manager has no
platform/cert-manager/manifestspath, - rendered manifests include
cloudflare-api-token-vssfrom the common chart, - live
VaultStaticSecretexists in the namespace expected by cert-manager, - live
ClusterIssuerobjects match cluster-bootstrap, - no runbook instructs operators to edit the stale
clusterIssuersblock.
Anti-Patterns
- Adding another manifest source when
charts/commonalready renders the resource type. - Moving issuer ownership into cert-manager values without adding a renderer.
- Treating Argo CD multi-source layout as harmless when two sources appear to own the same object.
- Debugging DNS-01 failures before verifying the Cloudflare token secret is rendered and synced.