ADR-065: Webhook certificate management with cert-manager

Category: architecture Provenance: guided-ai

Decision

Use cert-manager for admission webhook TLS certificate management instead of Kopf's built-in auto-management.

Rationale

Kopf's webhook auto-management depends on insights.ready_resources.wait(), which never completes in our operator setup, so the webhook server waits indefinitely. cert-manager provides:

1. Reliable certificate rotation without manual intervention.
2. A standard Kubernetes pattern widely used in production.
3. Decoupling from Kopf's internal systems.
4. Better observability through Kubernetes resources.
5. Battle-tested behaviour in production environments.

Trade-off: cert-manager becomes an additional cluster dependency, and the initial setup is more complex because it requires additional Kubernetes resources.

Agent Instructions

When configuring admission webhooks, always use cert-manager to generate and rotate TLS certificates. Do not use Kopf's auto-management features. Webhook configurations must be managed manually via Helm templates.
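The cert-manager pattern this decision adopts, as an added example that is not part of the ADR or the operator's own manifests: a self-signed Issuer, a Certificate whose Secret the webhook Pod mounts, and a ValidatingWebhookConfiguration whose CA bundle cert-manager's CA injector fills in. The namespace (operator-system), Service name (operator-webhook), webhook path, API group and resource names are assumptions; in the Helm chart these would be templated values.

```yaml
# Added example, not part of the ADR. Assumed names: namespace operator-system, Service operator-webhook.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: webhook-selfsigned
  namespace: operator-system
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: operator-webhook-cert
  namespace: operator-system
spec:
  # cert-manager writes tls.crt/tls.key/ca.crt into this Secret and renews it before expiry; the webhook Pod mounts it.
  secretName: operator-webhook-tls
  duration: 2160h      # 90 days
  renewBefore: 360h    # rotate 15 days before expiry
  dnsNames:
    - operator-webhook.operator-system.svc
    - operator-webhook.operator-system.svc.cluster.local
  issuerRef:
    name: webhook-selfsigned
    kind: Issuer
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: operator-validating-webhook
  annotations:
    # The CA injector copies the Certificate's CA into clientConfig.caBundle, so no hand-copied bundle is needed.
    cert-manager.io/inject-ca-from: operator-system/operator-webhook-cert
webhooks:
  - name: validate.example.com
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail
    clientConfig:
      service:
        name: operator-webhook
        namespace: operator-system
        path: /validate
      # caBundle is intentionally omitted; the injector sets it
    rules:
      - apiGroups: ["example.com"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["widgets"]
```

The webhook Deployment mounts the operator-webhook-tls Secret and serves TLS from tls.crt/tls.key; because rotation happens in the Secret, the server only needs to reload the files when they change.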