Claude-skill-registry cert-manager

Kubernetes certificate management debugging and configuration. This skill should be used when troubleshooting cert-manager issues, configuring private CA issuers (SelfSigned, CA, Vault), integrating with Traefik IngressRoute TLS, diagnosing Certificate/CertificateRequest/Issuer problems, or debugging webhook connectivity issues.

Install

Source: clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry

Claude Code: install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/cert-manager" ~/.claude/skills/majiayu000-claude-skill-registry-cert-manager && rm -rf "$T"

Manifest: skills/data/cert-manager/SKILL.md

Source content

cert-manager

Kubernetes-native TLS certificate lifecycle management. Automates issuance, renewal, and rotation from private CAs.

Debugging Workflow

When certificates fail, debug the resource chain in order:

Certificate → CertificateRequest → Issuer/ClusterIssuer

First commands to run:

kubectl get certificate,certificaterequest,issuer,clusterissuer -A
kubectl describe certificate <name> -n <namespace>

For detailed debugging steps, see references/troubleshooting-workflow.md.
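The triage order above can be turned into a small script that reads the objects `kubectl get certificate,certificaterequest,clusterissuer -o json` returns and reports the deepest broken link in the chain. This is an added example, not part of the skill or of cert-manager; the objects below are constructed samples trimmed to the fields that matter, and the script assumes CertificateRequests are listed in creation order.

```python
# Constructed sample, shaped like `kubectl get <kind> -o json` items (not from a real cluster).
CERT = {"metadata": {"name": "myapp-tls"},
        "spec": {"secretName": "myapp-tls-secret",
                 "issuerRef": {"name": "ca-issuer", "kind": "ClusterIssuer"}},
        "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending",
                                   "message": "Waiting for CertificateRequest"}]}}
REQUESTS = [{"metadata": {"name": "myapp-tls-1",
                          "annotations": {"cert-manager.io/certificate-name": "myapp-tls"}},
             "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending",
                                        "message": "Waiting on certificate issuance"}]}}]
ISSUERS = [{"kind": "ClusterIssuer", "metadata": {"name": "ca-issuer"},
            "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "SecretNotFound",
                                       "message": 'secrets "root-ca-secret" not found'}]}}]
SECRETS = []  # names of Secrets present in the Certificate's namespace (constructed: none yet)

def cond(obj, ctype):
    """Status condition of the given type, or {} if absent."""
    return next((c for c in obj.get("status", {}).get("conditions", []) if c.get("type") == ctype), {})

def diagnose(cert, requests, issuers, secret_names):
    """Return (stage, detail) for the deepest broken link, or ("ok", ...) when healthy."""
    cready = cond(cert, "Ready")
    if cready.get("status") == "True":
        if cert["spec"]["secretName"] not in secret_names:
            return "secret", f"{cert['spec']['secretName']} missing although Certificate is Ready"
        return "ok", "Certificate issued and Secret present"
    # Not Ready: drill into its CertificateRequests (cert-manager annotates them with the owner name).
    name = cert["metadata"]["name"]
    owned = [r for r in requests if r["metadata"].get("annotations", {})
             .get("cert-manager.io/certificate-name") == name]
    if not owned:
        return "certificate", f"{cready.get('reason', 'Pending')}: no CertificateRequest created yet"
    req = owned[-1]  # assumes creation order; inspect the newest request
    if cond(req, "Denied").get("status") == "True":
        return "certificaterequest", cond(req, "Denied").get("message", "denied by an approver")
    rready = cond(req, "Ready")
    if rready.get("status") == "True":
        return "certificate", "request issued but Certificate not Ready; check Certificate events"
    # Request pending or failed: drill into the Issuer/ClusterIssuer it is waiting on.
    ref = cert["spec"]["issuerRef"]
    kind = ref.get("kind", "Issuer")
    issuer = next((i for i in issuers
                   if i["kind"] == kind and i["metadata"]["name"] == ref["name"]), None)
    if issuer is None:
        return "issuer", f"{kind}/{ref['name']} not found"
    iready = cond(issuer, "Ready")
    if iready.get("status") != "True":
        return "issuer", f"{iready.get('reason', 'NotReady')}: {iready.get('message', '')}"
    return "certificaterequest", f"{rready.get('reason', 'Pending')}: {rready.get('message', '')}"
```

On the sample data this reports the ClusterIssuer as the broken link (its CA secret is missing), which is the "Certificate stuck Pending" row of the Common Issues table below.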

Private CA Configuration

This skill focuses on self-hosted issuers (no Let's Encrypt):

Issuer Type | Use Case
SelfSigned  | Bootstrap CA hierarchy, testing
CA          | Sign with existing CA credentials in Secret
Vault       | Sign via HashiCorp Vault PKI engine

Quick Bootstrap (SelfSigned → CA)

# Creates self-signed root, then CA issuer for leaf certs
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: root-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: root-ca
  secretName: root-ca-secret
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
spec:
  ca:
    # A ClusterIssuer reads this Secret from the cluster resource namespace
    # (cert-manager by default), which is why root-ca above is created there.
    secretName: root-ca-secret

For complete issuer configuration, see references/private-ca-issuers.md.

Traefik Integration

Create a Certificate resource, then reference its Secret in the IngressRoute. Both objects must live in the same namespace: Traefik resolves tls.secretName in the IngressRoute's own namespace.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myapp-tls
spec:
  secretName: myapp-tls-secret
  dnsNames: ["myapp.example.com"]
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: myapp  # a name is required; omitted in the original snippet
spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`myapp.example.com`)
      kind: Rule
      services:
        - name: myapp-service
          port: 80
  tls:
    secretName: myapp-tls-secret

For wildcard certs and Ingress annotations, see references/traefik-integration.md.

Common Issues

Symptom                    | Likely Cause                                  | Reference
Certificate stuck Pending  | Issuer not ready, CertificateRequest failed   | troubleshooting-workflow.md
Webhook connection refused | Pod not running, network policy               | webhook-issues.md
x509 unknown authority     | CA bundle not injected                        | webhook-issues.md
Secret not created         | Issuer configuration error                    | troubleshooting-workflow.md
Vault permission denied    | Vault policy/role misconfigured               | private-ca-issuers.md

References

  • references/troubleshooting-workflow.md - Step-by-step debugging
  • references/private-ca-issuers.md - SelfSigned, CA, Vault configuration
  • references/traefik-integration.md - IngressRoute TLS setup
  • references/webhook-issues.md - Webhook connectivity problems