certforge-issuer is the cert-manager external issuer controller that bridges Kubernetes CertificateRequest objects to the CertForge API. It runs as a Deployment in your cluster and watches for CertificateRequest resources directed at CertForgeIssuer or CertForgeClusterIssuer objects.
For installation and quick-start usage, see the cert-manager Integration guide.
Version compatibility
Always use the latest patch release for your minor version. Run
helm search repo certforge-issuer --versions to list available releases.
Helm chart values
Install or upgrade withhelm upgrade --install:
Full values reference
CRD reference
CertForgeIssuer
Namespaced resource. Issues certificates only forCertificateRequest objects in the same namespace.
Check issuer status:
CertForgeClusterIssuer
Cluster-scoped resource. Issues certificates forCertificateRequest objects in any namespace. The credentials Secret must be in the certforge-system namespace.
Credentials secret
The controller reads the API token from a Kubernetes Secret. Create or rotate it:CertForgeIssuer (namespaced), create the secret in the same namespace as the issuer:
RBAC
The controller’s service account is granted the following permissions by the Helm chart:
No cluster-wide Secret read access is granted; the controller only reads Secrets in namespaces it needs to serve.
Metrics
Whenmetrics.enabled=true, the controller exposes Prometheus metrics on port 8080 at /metrics.
Key metrics:
Enable the Prometheus Operator
ServiceMonitor:
Controller logs
The controller writes structured JSON logs. SetlogLevel: debug during troubleshooting:
Upgrading
High availability
Run multiple replicas with leader election enabled:Uninstall
CertificateRequest objects or the Kubernetes Secrets containing issued certificates — those remain intact.