3. Configuring your first Issuer or ClusterIssuer
Issuers and ClusterIssuers represent a certificate authority from which signed X.509 certificates can be obtained, such as Let’s Encrypt, or your own signing key pair stored in a Kubernetes Secret resource.
An Issuer is scoped to a single namespace, and can only fulfill Certificate resources within its own namespace. This is useful in a multi-tenant environment where multiple teams or independent parties operate within a single cluster.
On the other hand, a ClusterIssuer is a cluster-wide version of an Issuer. It can be referenced by Certificate resources in any namespace. Users often create ClusterIssuers if they operate a single-tenant environment and want to expose a cluster-wide mechanism for obtaining TLS certificates from Let’s Encrypt.
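The scoping difference described above, as an added example that is not taken from the cert-manager documentation: a namespaced Issuer backed by a signing key pair, a ClusterIssuer for Let’s Encrypt, and a Certificate in another namespace. It assumes the `cert-manager.io/v1` API version; every name, namespace, DNS name, the e-mail address and the `nginx` ingress class are hypothetical.

```yaml
# Namespaced Issuer: signs only Certificates created in "team-a".
# Assumes a Secret "team-a-ca-key-pair" (tls.crt / tls.key) exists in team-a.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: team-a-ca
  namespace: team-a
spec:
  ca:
    secretName: team-a-ca-key-pair
---
# ClusterIssuer: no namespace in metadata; usable from every namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com            # hypothetical contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
    - http01:
        ingress:
          class: nginx                # hypothetical ingress class
---
# Certificate in "team-b". It can use the ClusterIssuer, but setting
# issuerRef to kind: Issuer / name: team-a-ca would not resolve, because
# an Issuer is only looked up in the Certificate's own namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-tls
  namespace: team-b
spec:
  secretName: web-tls
  dnsNames:
  - web.example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
```

In a multi-tenant cluster, restrict who may create ClusterIssuers through RBAC, since any namespace can request certificates from one.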