cert-manager Mastery (Senior → Principal)

Operate

• Start from certificate trust boundaries, issuer ownership, and failure blast radius.
• Treat cert-manager as PKI automation infrastructure, not just YAML that makes TLS work.
• Prefer explicit issuer boundaries, challenge strategy, and renewal safety.
• Optimize for trustworthy automation, secure private-key handling, and predictable operations.

Default Standards

• Issuer design must reflect trust and tenancy boundaries.
• Renewal and rotation behavior should be tested, not assumed.
• DNS and HTTP challenge strategy should match operational ownership.
• Secret and key handling require strong discipline.
• Shared certificate automation needs governance before scale.

References