Skip to content

Keptn +

Keptn includes a light-weight, customized cert-manager that is used to register Webhooks to the KubeAPI. Bundling the cert-manager simplifies the installation for new users and provides the functionality Keptn needs without the overhead of other cert-managers. For a description of the architecture, see Keptn Certificate Manager.

Keptn also works well with If you are already using, you can continue to use it for other components and use the Keptn cert-manager just for Keptn activities or you can disable the Keptn cert-manager and configure Keptn to use

If you want Keptn to use, you must configure it before you install Keptn. The steps are:

  • Install if it is not already installed.
  • Add the Certificate and Issuer CRs for
  • (optional) Install Keptn without the built-in keptn-cert-manager and with injected CA annotations via Helm

Add the CR(s) for

These are the CRs for to be applied to your cluster:

kind: Certificate
  name: keptn-certs
  namespace: <keptn-namespace>
  - lifecycle-webhook-service.<keptn-namespace>.svc
  - lifecycle-webhook-service.<keptn-namespace>.svc.cluster.local
  - metrics-webhook-service.<keptn-namespace>.svc
  - metrics-webhook-service.<keptn-namespace>.svc.cluster.local
    kind: Issuer
    name: keptn-selfsigned-issuer
  secretName: keptn-certs
kind: Issuer
  name: keptn-selfsigned-issuer
  namespace: <keptn-namespace>
  selfSigned: {}

Note the following about these fields:

  • The apiVersion field refers to the API for the cert-manager.
  • The value of the .spec.secretName field as well as the of the Certificate CR must be keptn-certs.
  • Substitute the namespace placeholders with your namespace, where Keptn is installed.

Injecting CA Annotations supports specific annotations for injectable resources depending on the injection source. To configure these annotations, modify the global.caInjectionAnnotation Helm value. See the CA Injector documentation for more details.

Here is an example values.yaml file demonstrating the configuration of CA injection by using the annotation:

  certManagerEnabled: false # disable Keptn Cert Manager
  caInjectionAnnotations: keptn-system/keptn-certs

Refer to the Customizing the configuration of components for more details.