Kubernetes operator that distributes X.509 CA certificate bundles cluster-wide via the Bundle CRD. Maintained by Jetstack alongside cert-manager.

When to Use

Distributing private/internal root CA certificates to many namespaces
Bundling system trust roots (Debian/Mozilla) with custom CAs into one ConfigMap
Generating JKS or PKCS#12 trust stores for Java/.NET workloads
Syncing the cert-manager root CA Secret out to consumer namespaces

Architecture

Sources (trust namespace) ──► Bundle controller ──► Targets (selected namespaces)
  configMap | secret                                  ConfigMap | Secret
  inLine    | useDefaultCAs                           + JKS / PKCS12 formats

Bundle is cluster-scoped. Sources live in the trust namespace (default cert-manager). Targets fan out via namespaceSelector.

Helm Install (Quick)

Kubernetes operator that distributes X.509 CA certificate bundles cluster-wide via the Bundle CRD. Maintained by Jetstack alongside cert-manager.

When to Use

Distributing private/internal root CA certificates to many namespaces
Bundling system trust roots (Debian/Mozilla) with custom CAs into one ConfigMap
Generating JKS or PKCS#12 trust stores for Java/.NET workloads
Syncing the cert-manager root CA Secret out to consumer namespaces

Architecture

Sources (trust namespace) ──► Bundle controller ──► Targets (selected namespaces)
  configMap | secret                                  ConfigMap | Secret
  inLine    | useDefaultCAs                           + JKS / PKCS12 formats

Bundle is cluster-scoped. Sources live in the trust namespace (default cert-manager). Targets fan out via namespaceSelector.

Trust Manager

When to Use

Architecture

Helm Install (Quick)

Trust Manager

When to Use

Architecture

Helm Install (Quick)

Minimal Bundle

Helm Chart Scaffolding

Python Observability

K8s Manifest Generator

Istio Traffic Management

Secrets Management

Gitops Workflow