# Cert-Manager Extensions

Google CAS Issuer and Trust Manager for certificate management

The Infra Management Cluster uses cert-manager extensions for certificate management: Google CAS Issuer for issuing certificates from Google Certificate Authority Service, and Trust Manager for distributing CA trust bundles.
## ArgoCD Resources

| Application | Namespace | Source Type | Chart |
|---|---|---|---|
| infra-platform-google-cas-issuer | cert-manager | Helm | cert-manager-google-cas-issuer |
| cert-manager-trust-manager | cert-manager | Helm | trust-manager |
## File Paths

| Application | File |
|---|---|
| infra-platform-google-cas-issuer | apps/google-cas-issuer.yaml |
| cert-manager-trust-manager | apps/cert-manager-trust-manager.yaml |
## Google CAS Issuer

Issues certificates from Google Certificate Authority Service.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: infra-platform-google-cas-issuer
  namespace: argocd
spec:
  project: infra-services
  destination:
    server: https://kubernetes.default.svc
    namespace: cert-manager
  syncPolicy:
    syncOptions:
      - ServerSideApply=true
  source:
    chart: cert-manager-google-cas-issuer
    repoURL: https://charts.jetstack.io
    targetRevision: v0.10.0
    helm:
      valuesObject:
        crds:
          enabled: true
          keep: true
        replicaCount: 1
        serviceAccount:
          annotations:
            iam.gke.io/gcp-service-account: cert-manager-cas-issuer@tb-infra-mgmt-gke-prod-uk-40fd.iam.gserviceaccount.com
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
```
### Key Configuration

| Setting | Value | Purpose |
|---|---|---|
| crds.enabled | true | Install CRDs |
| crds.keep | true | Preserve CRDs on uninstall |
| Workload Identity | cert-manager-cas-issuer@... | GCP service account for CAS access |
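The Application above only deploys the controller; certificates are requested through a `GoogleCASIssuer` resource (the CRD listed under Related Resources) and a cert-manager `Certificate` that references it. The manifest below is an added example, not a resource from this repository. The project ID is taken from the GCP service account e-mail on this page; the CA pool location and ID, the issuer name and the certificate name are placeholders. No credentials Secret is referenced because the controller authenticates through Workload Identity.

```yaml
# Added example (not from this repository): a namespaced GoogleCASIssuer backed by
# a CA pool in Google Certificate Authority Service, plus a Certificate that
# requests a leaf certificate from it.
apiVersion: cas-issuer.jetstack.io/v1beta1
kind: GoogleCASIssuer
metadata:
  name: infra-cas-issuer                   # assumed name
  namespace: cert-manager
spec:
  project: tb-infra-mgmt-gke-prod-uk-40fd  # GCP project from the SA e-mail on this page
  location: europe-west2                   # PLACEHOLDER: region of the CA pool
  caPoolId: infra-internal-ca-pool         # PLACEHOLDER: CA pool ID
  # certificateAuthorityId: ...            # optional; omit to let CAS choose a CA in the pool
  # No spec.credentials: the controller's ServiceAccount is bound to the GCP SA
  # via Workload Identity, so the issuer inherits roles/privateca.certificateRequester.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-workload-tls               # assumed name
  namespace: cert-manager                  # must be the issuer's namespace for a namespaced issuer
spec:
  secretName: example-workload-tls         # Secret cert-manager writes tls.crt/tls.key/ca.crt into
  commonName: example-workload.internal    # PLACEHOLDER
  dnsNames:
    - example-workload.internal            # PLACEHOLDER
  duration: 24h                            # short-lived; CAS signs each renewal
  renewBefore: 8h
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                 # fresh key on every renewal
  issuerRef:
    group: cas-issuer.jetstack.io          # required: not the default cert-manager.io group
    kind: GoogleCASIssuer
    name: infra-cas-issuer
```

A `GoogleCASIssuer` is namespaced, so only `Certificate` resources in the same namespace can reference it; the chart also installs `GoogleCASClusterIssuer` for cluster-wide use. Because every request is signed by the CA pool using the controller's GCP identity, the `roles/privateca.certificateRequester` binding on that pool (see Workload Identity below) is the effective boundary on who can obtain certificates.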
## Trust Manager

Distributes CA trust bundles across the cluster.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cert-manager-trust-manager
  namespace: argocd
spec:
  project: infra-services
  destination:
    server: https://kubernetes.default.svc
    namespace: cert-manager
  syncPolicy:
    automated:
      prune: true
  source:
    chart: trust-manager
    repoURL: https://charts.jetstack.io
    targetRevision: v0.18.0
    helm:
      valuesObject:
        crds:
          enabled: true
          keep: true
        replicaCount: 1
        defaultPackage:
          enabled: true
        secretTargets:
          enabled: true
          authorizedSecretsAll: false
          authorizedSecrets:
            - tb-infra-root-ca-trust-secret
            - tb-infra-internal-root-ca-trust-secret
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
```
### Key Configuration

| Setting | Value | Purpose |
|---|---|---|
| defaultPackage.enabled | true | Include default CA bundle |
| secretTargets.enabled | true | Allow writing to Secrets |
| authorizedSecrets | List | Secrets trust-manager can write to |
### Authorized Secrets

Trust Manager is authorized to write to these Secrets:

- tb-infra-root-ca-trust-secret
- tb-infra-internal-root-ca-trust-secret
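The `authorizedSecrets` list is enforced through RBAC by Secret name, and a trust-manager `Bundle` always writes its Secret target under the Bundle's own name. A Bundle that targets a Secret must therefore be named after one of the entries above, or the write is refused. The `Bundle` below is an added example, not a resource from this repository; the source Secret name and key, the namespace label and the target key are assumptions.

```yaml
# Added example (not from this repository): a cluster-scoped Bundle that publishes
# the root CA to every namespace labelled trust=enabled, as both a ConfigMap
# and a Secret. The Secret target is only permitted because the Bundle name
# matches an authorizedSecrets entry in the trust-manager values.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: tb-infra-root-ca-trust-secret   # must equal an authorizedSecrets entry
spec:
  sources:
    # Sources are read from the trust namespace (cert-manager in this deployment).
    # Assumed: the root CA certificate is held in a Secret there.
    - secret:
        name: tb-infra-root-ca           # PLACEHOLDER: source Secret in cert-manager
        key: ca.crt                      # PLACEHOLDER: key holding the PEM certificate
    # Public CA bundle shipped by the chart; available because defaultPackage.enabled is true.
    - useDefaultCAs: true
  target:
    # ConfigMap targets need no extra authorization.
    configMap:
      key: ca-certificates.crt
    # Secret targets require secretTargets.enabled and a name in authorizedSecrets.
    secret:
      key: ca-certificates.crt
    namespaceSelector:
      matchLabels:
        trust: enabled                   # assumed label; omit the selector to target all namespaces
```

Keeping `authorizedSecretsAll: false` (as in the Application above) limits trust-manager's cluster-wide Secret write permission to exactly these names, so a Bundle cannot be used to overwrite an unrelated Secret. Workloads should mount the target by its key (`ca-certificates.crt` here) rather than the source, since the target is the merged, distributed bundle.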
## How to Update

### Upgrading Charts

1. Update `targetRevision` in the Application YAML
2. Review the chart's changelog for breaking changes
3. Commit and push to `main`
### Adding Authorized Secrets

To allow Trust Manager to write to additional Secrets:

1. Edit `apps/cert-manager-trust-manager.yaml`
2. Add the Secret name to `secretTargets.authorizedSecrets`
3. Commit and push to `main`
## Related Resources

| Resource | Purpose |
|---|---|
| GoogleCASIssuer CRD | Define CAS-backed certificate issuers |
| Bundle CRD | Define trust bundles for distribution |
| cert-manager | Base certificate management (deployed separately) |
## Workload Identity

The Google CAS Issuer uses Workload Identity to authenticate to GCP:

- Kubernetes SA: `cert-manager-google-cas-issuer` (in `cert-manager` namespace)
- GCP SA: `cert-manager-cas-issuer@tb-infra-mgmt-gke-prod-uk-40fd.iam.gserviceaccount.com`

The GCP service account must have the `roles/privateca.certificateRequester` role on the CA pool.