ReddRadar
Agent skill
cert-manager
Kubernetes certificate management debugging and configuration. This skill should be used when troubleshooting cert-manager issues, configuring private CA issuers (SelfSigned, CA, Vault), integrating with Traefik IngressRoute TLS, diagnosing Certificate/CertificateRequest/Issuer problems, or debugging webhook connectivity issues.
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/cert-manager
SKILL.md
cert-manager
Kubernetes-native TLS certificate lifecycle management. Automates issuance, renewal, and rotation from private CAs.
Debugging Workflow
When certificates fail, debug the resource chain in order:
Certificate → CertificateRequest → Issuer/ClusterIssuer
First commands to run:
kubectl get certificate,certificaterequest,issuer,clusterissuer -A
kubectl describe certificate <name> -n <namespace>
For detailed debugging steps, see references/troubleshooting-workflow.md.
Private CA Configuration
This skill focuses on self-hosted issuers (no Let's Encrypt):
| Issuer Type | Use Case |
|---|---|
| SelfSigned | Bootstrap CA hierarchy, testing |
| CA | Sign with existing CA credentials in Secret |
| Vault | Sign via HashiCorp Vault PKI engine |
Quick Bootstrap (SelfSigned → CA)
# Creates self-signed root, then CA issuer for leaf certs
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: root-ca
namespace: cert-manager
spec:
isCA: true
commonName: root-ca
secretName: root-ca-secret
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: ca-issuer
spec:
ca:
secretName: root-ca-secret
For complete issuer configuration, see references/private-ca-issuers.md.
Traefik Integration
Create Certificate resource, reference secret in IngressRoute:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: myapp-tls
spec:
secretName: myapp-tls-secret
dnsNames: ["myapp.example.com"]
issuerRef:
name: ca-issuer
kind: ClusterIssuer
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
spec:
entryPoints: [websecure]
routes:
- match: Host(`myapp.example.com`)
kind: Rule
services:
- name: myapp-service
port: 80
tls:
secretName: myapp-tls-secret
For wildcard certs and Ingress annotations, see references/traefik-integration.md.
Common Issues
| Symptom | Likely Cause | Reference |
|---|---|---|
| Certificate stuck Pending | Issuer not ready, CertificateRequest failed | troubleshooting-workflow.md |
| Webhook connection refused | Pod not running, network policy | webhook-issues.md |
| x509 unknown authority | CA bundle not injected | webhook-issues.md |
| Secret not created | Issuer configuration error | troubleshooting-workflow.md |
| Vault permission denied | Vault policy/role misconfigured | private-ca-issuers.md |
References
references/troubleshooting-workflow.md- Step-by-step debuggingreferences/private-ca-issuers.md- SelfSigned, CA, Vault configurationreferences/traefik-integration.md- IngressRoute TLS setupreferences/webhook-issues.md- Webhook connectivity problems
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
majiayu000/claude-skill-registry
agent-ops-spec
Manage specification documents in .agent/specs/. Use when user provides requirements, acceptance criteria, or feature descriptions that need to be tracked and validated against implementation.
majiayu000/claude-skill-registry
agent-ops-state
Maintain .agent state files. Use at session start, after meaningful steps, and before concluding: read/update constitution/memory/focus/issues/baseline consistently.
majiayu000/claude-skill-registry
agent-ops-spec
Manage specification documents in .agent/specs/. Use when user provides requirements, acceptance criteria, or feature descriptions that need to be tracked and validated against implementation.
majiayu000/claude-skill-registry
agent-ops-testing
Test strategy, execution, and coverage analysis. Use when designing tests, running test suites, or analyzing test results beyond baseline checks.
majiayu000/claude-skill-registry
agent-ops-testing
Test strategy, execution, and coverage analysis. Use when designing tests, running test suites, or analyzing test results beyond baseline checks.
majiayu000/claude-skill-registry
agent-ops-state
Maintain .agent state files. Use at session start, after meaningful steps, and before concluding: read/update constitution/memory/focus/issues/baseline consistently.
Didn't find tool you were looking for?