# Kubernetes cert-manager
This document describes how to integrate Kubernetes cert-manager with {{ch}} through CryptoHub's API and Futurex's issuer controller.

## About Kubernetes

According to https://kubernetes.io/docs/concepts/overview/: "Kubernetes is a portable, extensible, open source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available."

For a detailed review of the Kubernetes (K8s) components and structure, refer to the official documentation at https://kubernetes.io/docs/home/.

## What is {{ch}}?

Futurex's {{ch}} is the most flexible and versatile cryptographic platform in the industry, combining every cryptographic function within Futurex's extensive solution suite. It enables organizations to deploy, manage, and monitor virtual cryptographic modules, including HSM emulators, certificate authorities (CAs), key generation services, and PKI workflows, all through a unified web-based dashboard.

CryptoHub can be operated through its GUI to:

- Issue and revoke X.509 certificates
- Manage root and intermediate CAs
- Enforce key usage policies (e.g., sign/verify, key encipherment)
- Integrate with external systems (e.g., Kubernetes, PKI APIs, CI/CD pipelines)

## What is Kubernetes cert-manager?
cert-manager is a popular Kubernetes-native tool that automates the management and issuance of TLS (Transport Layer Security) certificates within the cluster. It ensures that certificates are valid and up to date, and attempts to renew them at a configured time before expiration.

In a Kubernetes environment, applications often need TLS certificates to secure communication, such as between microservices or for inbound and outbound traffic. Manually managing these certificates across many services is complex and error-prone. cert-manager simplifies this by:

- **Issuing certificates.** It can acquire certificates from various sources, known as Issuers or ClusterIssuers (such as Futurex {{ch}} in this guide), including self-signed CAs and external CAs.
- **Managing the lifecycle.** It automatically handles the certificate signing request (CSR) process and stores the resulting certificate and private key in a standard Kubernetes object called a Secret. The private key is generated by cert-manager inside the cluster; only the CSR is sent to the issuer for signing. A Kubernetes Secret is an object that stores sensitive data such as passwords, OAuth tokens, or API keys.
- **Automating renewal.** It monitors issued certificates and triggers a renewal request automatically before they expire, ensuring uninterrupted secure service.

cert-manager provides the native Kubernetes API and control loop that lets users request certificates using standard Kubernetes manifests (YAML), abstracting away the specifics of the CA that performs the signing.

## How {{ch}} works with Kubernetes

In this deployment, Kubernetes serves as the orchestration layer for critical security and certificate management services. The integration follows this workflow:

1. An application team creates a Certificate resource in Kubernetes (YAML) requesting a TLS certificate (e.g., for example.com).
2. cert-manager detects the request and creates a CertificateRequest resource.
3. Futurex's issuer controller receives the request and sends it to {{ch}} through its REST API.
4. {{ch}} registers the request as pending approval.
5. An authorized approver logs into {{ch}}, reviews the request details (issuer, subject, validity, purpose), and manually approves or denies the request.
6. If approved, {{ch}} signs the certificate and returns it to the controller.
7. The controller stores the signed certificate in a Kubernetes Secret.
8. The application pod mounts the Secret and uses the certificate for TLS.

## Why this design matters

This architecture emphasizes security and control. By separating automation (via Kubernetes) from authorization (via CryptoHub's GUI), every certificate undergoes human review before issuance, satisfying enterprise security policies, audit requirements, and zero-trust principles.
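To verify what the controller actually delivered at the end of the workflow above, here is an added example (not code from this page, from the Futurex issuer controller, or from cert-manager): a bash script that decodes a `kubernetes.io/tls` Secret, prints the certificate's subject, issuer and validity so they can be compared with the request the approver saw in {{ch}}, confirms that the private key in the Secret matches the certificate, and applies cert-manager's `renewBefore` rule to decide whether a renewal request is due. The Secret is a constructed sample built from a throwaway self-signed certificate standing in for one {{ch}} would sign; the names `example-com-tls` and `example-com`, the 30-day validity and the `renewBefore` values are assumptions. The `cert-manager.io/certificate-name` annotation is one cert-manager sets on the Secrets it manages. Only bash and openssl are required.

```shell
#!/usr/bin/env bash
# Added example: inspect a kubernetes.io/tls Secret as cert-manager delivers it.
set -euo pipefail

# Decode one data field of a Secret manifest (tls.crt or tls.key) to stdout.
secret_field() {               # secret_field <secret.yaml> <field>
  awk -v key="$2:" '$1 == key { print $2 }' "$1" | openssl base64 -d -A
}

# Print subject, issuer and validity so an operator can compare them with the
# request that was approved in the CryptoHub GUI.
cert_summary() {               # cert_summary <cert.pem>
  openssl x509 -noout -subject -issuer -startdate -enddate -in "$1"
}

# Succeed only if the private key matches the public key in the certificate.
# A mismatch means the pod fails the TLS handshake even though both files exist.
cert_key_match() {             # cert_key_match <cert.pem> <key.pem>
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Mirror cert-manager's renewBefore rule: renewal is due once the certificate
# would already be expired at (now + renewBefore). `openssl x509 -checkend N`
# exits 0 while the certificate is still valid at now+N, so "due" is the inverse.
cert_renew_due() {             # cert_renew_due <cert.pem> <renewBefore in seconds>
  if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; then
    return 1
  fi
  return 0
}

# Constructed sample: a throwaway self-signed certificate stands in for the one
# CryptoHub would sign, packaged the way cert-manager stores it in a Secret.
make_sample_secret() {         # make_sample_secret <dir> <validity days>
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  cat >"$1/secret.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: example-com-tls
  annotations:
    cert-manager.io/certificate-name: example-com
type: kubernetes.io/tls
data:
  tls.crt: $(openssl base64 -A -in "$1/cert.pem")
  tls.key: $(openssl base64 -A -in "$1/key.pem")
EOF
}

SAMPLE_DIR=$(mktemp -d)
make_sample_secret "$SAMPLE_DIR" 30
secret_field "$SAMPLE_DIR/secret.yaml" tls.crt >"$SAMPLE_DIR/from-secret.crt"
secret_field "$SAMPLE_DIR/secret.yaml" tls.key >"$SAMPLE_DIR/from-secret.key"

cert_summary "$SAMPLE_DIR/from-secret.crt"
cert_key_match "$SAMPLE_DIR/from-secret.crt" "$SAMPLE_DIR/from-secret.key" && echo "private key matches certificate"
# A 30-day certificate with renewBefore=240h (10 days) is not yet due; with renewBefore=960h (40 days) it is.
cert_renew_due "$SAMPLE_DIR/from-secret.crt" $((10 * 86400)) || echo "renewal not yet due (renewBefore=240h)"
cert_renew_due "$SAMPLE_DIR/from-secret.crt" $((40 * 86400)) && echo "renewal due (renewBefore=960h)"
```

Against a live cluster, replace the constructed file with the output of `kubectl get secret example-com-tls -o yaml`. While a request is still waiting for a {{ch}} approver, the Secret does not exist yet and the CertificateRequest is not Ready; `kubectl describe certificaterequest` shows that state, which is the expected result of the manual approval gate rather than a controller fault.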