Kubernetes cert-manager CA policy

You can use Kubernetes cert-manager as an mTLS backend for issuing Data Plane certificates in Kong Mesh.

Supported mTLS backends

The default mTLS policy in Kong Mesh supports the following Certificate Authority (CA) backends:

  • builtin: Kong Mesh automatically generates the CA root certificate and key used to generate Data Plane certificates.
  • provided: The CA root certificate and key can be provided by the user.
  • vault: Uses a CA root certificate and key stored in a HashiCorp Vault server.
  • acmpca: Uses Amazon Certificate Manager Private CA to generate Data Plane certificates.
  • certmanager: Uses the Kubernetes cert-manager certificate controller.

How Kubernetes cert-manager works

In certmanager mTLS mode, Kong Mesh communicates with a locally installed cert-manager Issuer or ClusterIssuer, which issues and rotates Data Plane certificates. The CA private key is never exposed to Kong Mesh.

You configure Kong Mesh to reference the Issuer using standard Kubernetes resources. The backend communicates with cert-manager within the Kubernetes cluster.

Kubernetes cert-manager configuration

To configure cert-manager in Kong Mesh:

  • Install cert-manager and configure an Issuer or ClusterIssuer.
  • Ensure the issuer is accessible to the Kong Mesh system namespace (kong-mesh-system by default).
  • Apply a Mesh resource with an mTLS backend referencing the issuer.

Here’s an example of an mTLS configuration with a certmanager backend that references an Issuer named my-ca-issuer:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: certmanager-1
    backends:
    - name: certmanager-1
      type: certmanager
      dpCert:
        rotation:
          expiration: 24h
      conf:
        issuerRef:
          name: my-ca-issuer
          kind: Issuer
          group: cert-manager.io
        caCert: # can be used to specify the root CA
          inlineString: | # or secret
            -----BEGIN CERTIFICATE-----
            ...

In issuerRef, only name is strictly required; group and kind fall back to cert-manager's default values when omitted. See issuerRef in the cert-manager API for more information.

If caCert is not provided, Kong Mesh assumes that the issuer sets status.CA on CertificateRequests.

If secret is used, it must be a Kong Mesh Secret.

Apply the configuration with kubectl apply -f [..].
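The checklist above (issuer reachable from the system namespace, enabledBackend naming a declared backend, issuerRef.name present with kind and group defaulting, caCert coming from either inlineString or a secret) can be run as a pre-flight check before `kubectl apply`. The following is an added example and not Kong Mesh code: it reads a Mesh as `kubectl get mesh <name> -o json` would print it, applies the rules this page states, and reports findings. The JSON sample is constructed from the YAML above with a placeholder certificate; the defaults of kind=Issuer and group=cert-manager.io are cert-manager's own.

```python
"""Pre-flight checks for a Kong Mesh `Mesh` that uses the certmanager backend.

Added example (not Kong Mesh code): it applies the rules from the docs to the
JSON form of a Mesh so misconfigurations surface before `kubectl apply`.
"""
import json
import re

# Constructed sample: the Mesh from the docs as kubectl prints it in JSON.
# The certificate body is a placeholder, not a real CA certificate.
SAMPLE_MESH_JSON = """
{
  "apiVersion": "kuma.io/v1alpha1",
  "kind": "Mesh",
  "metadata": {"name": "default"},
  "spec": {
    "mtls": {
      "enabledBackend": "certmanager-1",
      "backends": [
        {
          "name": "certmanager-1",
          "type": "certmanager",
          "dpCert": {"rotation": {"expiration": "24h"}},
          "conf": {
            "issuerRef": {"name": "my-ca-issuer"},
            "caCert": {"inlineString": "-----BEGIN CERTIFICATE-----\\n...PLACEHOLDER...\\n-----END CERTIFICATE-----"}
          }
        }
      ]
    }
  }
}
"""

# cert-manager's defaults when issuerRef.kind / issuerRef.group are omitted.
DEFAULT_ISSUER_KIND = "Issuer"
DEFAULT_ISSUER_GROUP = "cert-manager.io"
KONG_MESH_SYSTEM_NAMESPACE = "kong-mesh-system"  # default system namespace
# Go-style duration as used by dpCert.rotation.expiration, e.g. "24h", "1h30m".
DURATION_RE = re.compile(r"^(\d+(\.\d+)?(ns|us|ms|s|m|h))+$")


def load_mesh(text):
    """Parse the JSON that `kubectl get mesh <name> -o json` returns."""
    return json.loads(text)


def effective_issuer_ref(issuer_ref):
    """Return the issuerRef with cert-manager's defaults filled in."""
    return {
        "name": issuer_ref.get("name"),
        "kind": issuer_ref.get("kind", DEFAULT_ISSUER_KIND),
        "group": issuer_ref.get("group", DEFAULT_ISSUER_GROUP),
    }


def validate_mesh(mesh):
    """Return (severity, message) findings; no 'error' entries means the Mesh passes."""
    findings = []
    mtls = (mesh.get("spec") or {}).get("mtls") or {}
    backends = {b.get("name"): b for b in mtls.get("backends") or []}
    enabled = mtls.get("enabledBackend")

    # enabledBackend must name one of the declared backends.
    if enabled not in backends:
        declared = sorted(k for k in backends if k)
        findings.append(("error", f"enabledBackend {enabled!r} is not a declared backend; declared: {declared}"))

    for name, backend in backends.items():
        if backend.get("type") != "certmanager":
            continue
        conf = backend.get("conf") or {}

        # issuerRef.name is the only strictly required field of issuerRef.
        ref = conf.get("issuerRef") or {}
        if not ref.get("name"):
            findings.append(("error", f"backend {name!r}: conf.issuerRef.name is required"))
        else:
            eff = effective_issuer_ref(ref)
            if eff["kind"] not in ("Issuer", "ClusterIssuer"):
                findings.append(("error", f"backend {name!r}: issuerRef.kind must be Issuer or ClusterIssuer, got {eff['kind']!r}"))
            elif eff["kind"] == "Issuer":
                # An Issuer is namespaced; the docs require it to be accessible from the system namespace.
                findings.append(("warning", f"backend {name!r}: {eff['name']!r} is a namespaced Issuer; it must be reachable from {KONG_MESH_SYSTEM_NAMESPACE}"))

        # caCert is optional; when present it comes from inlineString or a secret, not both.
        ca = conf.get("caCert")
        if ca is None:
            findings.append(("info", f"backend {name!r}: no caCert given, so the issuer must set status.CA on its CertificateRequests"))
        else:
            sources = [k for k in ("inlineString", "secret") if ca.get(k)]
            if len(sources) != 1:
                findings.append(("error", f"backend {name!r}: caCert must use exactly one of inlineString or secret, got {sources}"))

        # dpCert.rotation.expiration must be a duration such as 24h.
        expiration = ((backend.get("dpCert") or {}).get("rotation") or {}).get("expiration")
        if expiration is not None and not DURATION_RE.match(str(expiration)):
            findings.append(("error", f"backend {name!r}: dpCert.rotation.expiration {expiration!r} is not a duration like 24h"))
    return findings


def errors(findings):
    """Only the blocking findings."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for sev, msg in validate_mesh(load_mesh(SAMPLE_MESH_JSON)):
        print(f"{sev:8} {msg}")
```

Run it against the live object with `kubectl get mesh default -o json | python3 check_mesh.py` after swapping `SAMPLE_MESH_JSON` for `sys.stdin.read()`; the sample above produces only the Issuer-scope reminder, which is the check that most often fails in practice when the Issuer lives in another namespace.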
