Skip to content

[TASK] Create Helm Sub chart for Certificates #321

Open
Task
#325
Open
[TASK] Create Helm Sub chart for Certificates#321
Task
#325
Assignees
maneeshaxyz
Labels
ImprovementThe functionality is working but can be improved.enhancementNew feature or requestsecurityTasks related to the security of the system.
@maneeshaxyz

Description

@maneeshaxyz
maneeshaxyz
opened on Apr 2, 2026

What needs to be done?

📌 Overview

Develop a Helm subchart for deploying cert-manager and managing TLS certificates from Let's Encrypt. The chart should support automatic certificate provisioning, renewal, and distribution to downstream services within the cluster.

🎯 Objectives

  • Package cert-manager configuration as a reusable Helm subchart.
  • Automate TLS certificate issuance and renewal via Let's Encrypt.
  • Ensure certificates are available to other services in the cluster.
  • Provide flexible configuration via values.yaml.

Certificate Lifecycle Management

  • Certificates are automatically renewed before expiry (configurable renewBefore).
  • Support both wildcard and per-subdomain certificates.
  • Ensure cert-manager watches and reconciles certificate resources continuously.

Helm Helpers

  • Implement _helpers.tpl for:

    • Naming conventions
    • Labels
    • Selector labels
    • Issuer reference helpers

Health Checks

  • Add a Helm test hook:

    • Verify that issued Certificate resources reach Ready=True status
    • Validate that the target TLS Secret exists and contains a valid certificate

Testing

  • Add Helm test hook:

    • Deploy a test Pod that validates TLS connectivity using the issued certificate
    • Check certificate expiry and subject names

Documentation

  • Create README.md including:

    • Installation instructions and prerequisites
    • Required values
    • DNS record setup for HTTP-01 and DNS-01 challenges
    • How to reference issued secrets in downstream services
    • Staging vs. production issuer guidance

📦 Deliverables

  • Complete tls-certificates Helm subchart
  • Configurable values.yaml
  • All required Kubernetes templates
  • Documentation

✅ Acceptance Criteria

  • TLS certificates are issued by Let's Encrypt and stored as Kubernetes Secrets.
  • Certificates renew automatically before expiry.
  • Downstream services can reference the generated TLS Secrets.
  • Both HTTP-01 and DNS-01 challenge solvers are supported via configuration.
  • Chart is reusable and configurable across environments.

🔗 Notes

  • Ensure compatibility with the umbrella chart structure.
  • Follow Helm best practices for templating and naming.
  • cert-manager must be installed in the cluster (as a dependency or prerequisite).
  • Keep the chart modular to support additional issuers (e.g., ZeroSSL) in the future.

Metadata

Metadata

Assignees

Labels

ImprovementThe functionality is working but can be improved.enhancementNew feature or requestsecurityTasks related to the security of the system.

Type

Task

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions