3. Configuring your first Issuer or ClusterIssuer

Before you can issue any Certificates, you will need to configure an Issuer or ClusterIssuer resource.

These represent a certificate authority from which signed X.509 certificates can be obtained, such as Let’s Encrypt, or your own signing key pair stored in a Kubernetes Secret resource.

An Issuer is scoped to a single namespace, and can only fulfill Certificate resources within its own namespace. This is useful in a multi-tenant environment where multiple teams or independent parties operate within a single cluster.

On the other hand, a ClusterIssuer is a cluster-wide version of an Issuer. It can be referenced by Certificate resources in any namespace. Users often create letsencrypt-staging and letsencrypt-prod ClusterIssuers if they operate a single-tenant environment and want to expose a cluster-wide mechanism for obtaining TLS certificates from Let’s Encrypt.
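
The scoping difference shows up in the manifests, as in this added example (not taken from the original page). It assumes a cluster serving the `cert-manager.io/v1` API; the namespaces `team-a` and `team-b`, the Secret names, the e-mail address, the DNS names and the `nginx` ingress class are hypothetical placeholders.

```yaml
# Namespaced Issuer: can only sign for Certificates in "team-a" (hypothetical namespace).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: team-a-ca
  namespace: team-a
spec:
  ca:
    secretName: team-a-ca-key-pair   # signing key pair Secret; must live in team-a
---
# ClusterIssuer: has no namespace; Certificates in any namespace may reference it.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com           # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - http01:
          ingress:
            class: nginx             # assumed ingress class
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-api
  namespace: team-a
spec:
  secretName: internal-api-tls
  dnsNames: [api.team-a.svc.cluster.local]
  issuerRef:
    name: team-a-ca
    kind: Issuer          # looked up in the Certificate's own namespace only
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: public-site
  namespace: team-b
spec:
  secretName: public-site-tls
  dnsNames: [www.example.com]
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer   # must be set explicitly; kind defaults to Issuer
```

A Certificate in `team-b` that names `team-a-ca` would not be issued, because an Issuer is only resolved within the requesting Certificate's namespace. Secrets referenced by a ClusterIssuer are read from cert-manager's cluster resource namespace, which by default is the namespace cert-manager runs in.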