★ FLAGSHIP FEATURE

Certificate Management Platform

Enterprise-grade TLS certificate lifecycle automation — from self-service request to Vault-backed storage. Multi-tenant, fully GitOps, zero manual steps.

Certificate Lifecycle

Seven automated steps from request to renewal — no human intervention required after the initial PR approval.

1. Request (Backstage): The user submits a request through the Backstage self-service portal, supplying team name, domain, subdomain, and issuer type.

2. PR Creation (GitHub API): The system creates a GitHub Pull Request containing the Certificate YAML manifests, namespace config, and RBAC policies.

3. GitOps Sync (ArgoCD): After PR approval and merge, ArgoCD detects the changes and synchronizes the manifests to the cluster.

4. ACME Challenge (cert-manager): cert-manager creates a DNS-01 TXT record via the Cloudflare API to prove domain ownership to Let's Encrypt.

5. Certificate Issued (Let's Encrypt): Let's Encrypt validates the DNS challenge and issues the TLS certificate. cert-manager stores it as a Kubernetes Secret.

6. Vault Storage (ESO PushSecret): An External Secrets Operator PushSecret automatically synchronizes the certificate to HashiCorp Vault for external consumption.

7. Auto-Renewal (cert-manager): cert-manager renews the certificate automatically 30 days before expiration. The renewed cert propagates to both K8s and Vault.
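Steps 1 and 2 in code, as an added example that is not the platform's own implementation: it validates the Backstage form fields and emits the Certificate and PushSecret manifests for the PR. The tenant-to-zone registry, the ClusterIssuer names and the SecretStore name `vault-kv` are assumptions; rejecting a request whose zone belongs to another team at request time is the same cross-tenant wildcard check the page attributes to Kyverno, applied earlier.

```python
import re

# Constructed tenant registry (assumption: the platform keeps a team -> owned DNS zones
# mapping; the page only states that Kyverno blocks cross-tenant wildcard requests).
TENANT_ZONES = {"team-payments": {"pay.example.com"}, "team-web": {"example.com"}}
ISSUERS = {"letsencrypt-prod", "letsencrypt-staging"}  # hypothetical ClusterIssuer names
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS-1123 label


def validate_request(team, domain, subdomain, issuer):
    """Server-side form validation; returns the FQDN or raises ValueError."""
    if team not in TENANT_ZONES:
        raise ValueError(f"unknown tenant {team!r}")
    if issuer not in ISSUERS:
        raise ValueError(f"unknown issuer {issuer!r}")
    if domain not in TENANT_ZONES[team]:  # blocks cross-tenant (incl. wildcard) requests
        raise ValueError(f"{team} does not own zone {domain}")
    if subdomain != "*" and not LABEL_RE.match(subdomain):
        raise ValueError(f"invalid subdomain label {subdomain!r}")
    return f"{subdomain}.{domain}"


def build_manifests(team, domain, subdomain, issuer):
    """Return (repo path, Certificate, PushSecret) for the PR created in step 2."""
    fqdn = validate_request(team, domain, subdomain, issuer)
    name = fqdn.replace("*", "wildcard").replace(".", "-")  # valid K8s object name
    secret = f"{name}-tls"
    certificate = {
        "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
        "metadata": {"name": name, "namespace": team},
        "spec": {"secretName": secret, "dnsNames": [fqdn],
                 "issuerRef": {"name": issuer, "kind": "ClusterIssuer"}},
    }
    # ESO pushes tls.crt/tls.key from the K8s Secret to Vault at certs/<team>/tls;
    # "kv/" is the mount of the assumed SecretStore "vault-kv", so it is not repeated here.
    push_secret = {
        "apiVersion": "external-secrets.io/v1alpha1", "kind": "PushSecret",
        "metadata": {"name": f"{name}-to-vault", "namespace": team},
        "spec": {
            "refreshInterval": "1h",
            "secretStoreRefs": [{"name": "vault-kv", "kind": "SecretStore"}],
            "selector": {"secret": {"name": secret}},
            "data": [{"match": {"secretKey": key,
                                "remoteRef": {"remoteKey": f"certs/{team}/tls", "property": key}}}
                     for key in ("tls.crt", "tls.key")],
        },
    }
    return f"tenants/{team}/certificates/{name}.yaml", certificate, push_secret
```

Both manifests land in the tenant's namespace, so the RBAC and Vault policies described below scope who can read the resulting Secret and Vault path.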

Multi-Tenant Isolation

Each team gets their own namespace with strict isolation — RBAC, network policies, Vault policies, and Kyverno rules prevent cross-tenant access.

- 📦 Namespace: Dedicated namespace per tenant with resource quotas and limit ranges.
- 🔐 RBAC: Kubernetes RBAC restricts access to tenant-specific resources only.
- 🌐 Network: NetworkPolicies enforce tenant isolation at the network layer.
- 🗝️ Vault: Vault policies ensure tenants can only read their own secret paths.

Supported DNS Providers

DNS-01 challenges work with any DNS provider — natively or through webhooks.

Provider                 | Integration         | Credentials
-------------------------|---------------------|-------------------------------------------
Cloudflare (recommended) | Native integration  | API Token (Zone:DNS:Edit)
AWS Route53              | Native integration  | Access Keys or IRSA (Workload Identity)
Google Cloud DNS         | Native integration  | Service Account JSON or Workload Identity
Azure DNS                | Native integration  | Client Secret or Managed Identity
DigitalOcean             | Webhook integration | API Token via webhook solver
Custom (RFC2136)         | Webhook integration | BIND-compatible TSIG key

Technical Architecture

The full stack of integrated components powering the certificate platform.

```mermaid
graph TD
  BS["Backstage Portal<br/>Self-Service UI<br/>POST /api/certificate"]:::backstage
  GH["GitHub Repository<br/>Git as Source of Truth<br/>tenants/team-name/certificates/"]:::github
  CM["cert-manager<br/>ACME Protocol<br/>DNS-01 Challenge via Cloudflare"]:::certmanager
  ESO["External Secrets Operator<br/>PushSecret<br/>K8s Secret → Vault"]:::eso
  VAULT["HashiCorp Vault<br/>Long-term Storage<br/>kv/certs/team-name/tls"]:::vault

  BS -->|"GitHub API"| GH
  GH -->|"ArgoCD sync"| CM
  CM -->|"K8s Secret created"| ESO
  ESO --> VAULT

  classDef backstage fill:#1e3a5f,stroke:#60a5fa,color:#93c5fd,stroke-width:2px
  classDef github fill:#14332a,stroke:#4ade80,color:#86efac,stroke-width:2px
  classDef certmanager fill:#2e1a0e,stroke:#f97316,color:#fdba74,stroke-width:2px
  classDef eso fill:#2e1a47,stroke:#a78bfa,color:#c4b5fd,stroke-width:2px
  classDef vault fill:#2e2a0e,stroke:#facc15,color:#fde68a,stroke-width:2px
```

Platform Capabilities

- Wildcard Certificates: Support for *.example.com covering all subdomains. DNS-01 validation required. Kyverno prevents cross-tenant wildcard abuse.
- Auto-Renewal: cert-manager renews certificates 30 days before expiration. Renewed certs automatically propagate to Vault via PushSecret.
- Self-Service Portal: Backstage web UI for requesting certificates. Form validation, domain selection, issuer choice — no YAML knowledge required.
- GitOps Everything: Every certificate request becomes a PR. Full audit trail, rollback capability, Git-native approval workflow.
- Prometheus Monitoring: Custom PrometheusRules for certificate expiry warnings, issuer health, and PushSecret sync failures. Grafana dashboards included.
- Multi-Provider Support: Cloudflare, AWS Route53, Google Cloud DNS, Azure DNS, and webhook-based providers for any custom DNS.

Built-in Alerting

PrometheusRule alerts catch problems before they impact users.

Severity | Alert                    | Condition
---------|--------------------------|--------------------------------------------
warning  | CertificateExpiryWarning | Fires 30 days before a certificate expires
critical | CertificateExpired       | Certificate has already expired
critical | IssuerNotReady           | ClusterIssuer is not functioning correctly
warning  | PushSecretSyncFailed     | ESO cannot synchronize certificate to Vault