Use Traefik to generate Let's Encrypt certificates

alugowski

This isn't a solution for everyone, but my broader needs dictated this approach. I purchased a low(ish) cost wildcard cert. Once that cert is imported into Scale, it can be used anywhere it is needed, including Traefik for ssl.
Do you have recommendations on how to get one? I see costs ranging from $50 to $300 per year for a wildcard, and of course you have to go through the verification process periodically.
 

truecharts

TrueCharts default is 1 replica, so no HA. A simple config if statement could disable ACME if more than one replica is selected. This hardly seems like a roadblock.

Is that really the only downside?
Default is temporarily(!) 1 replica, but that will be moved to daemonset as soon as iX fixed the UI for displaying Daemonset status.
Traefik certificates also consume storage, which we do not want to add. As we aim to run it completely stateless where possible.
 

truecharts

Just for fun I hacked the chart to add the following command lines that ask Traefik to use a TLS Challenge against Let's Encrypt's staging servers:

Code:
--certificatesresolvers.le.acme.tlsChallenge=true
--certificatesresolvers.le.acme.storage=/shared/acme.json
--certificatesresolvers.le.acme.email=test@gmail.com
--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
--entrypoints.websecure.http.tls.certResolver=le

SSL then works great on every endpoint.

We never said it couldn't work, just that we don't find it a good idea.

For SCALE Apps we make choices what we are and are not going to show in the GUI, this is on our "don't show" list. Our Helm chart supports this out-of-the-box just fine already. But in those cases people should really be using certmanager instead.

We're open to adding default certificates traefik and ingress certificate secret options though. As those are quite commonly used.


That's all it seems to take to have automatic SSL for all your public TrueCharts apps. A text field for the email, a dropdown to choose staging/prod, and mounting a storage location for acme.json. That's hardly any config options to add a hugely important feature.

You seem to underestimate how much work we're already under. We're not planning to divert resources to implement this for you.
Besides the fact that we think people should be using different solutions.
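
An added example, not code from the thread, TrueCharts or Traefik: a pre-deployment check over the flags quoted above that turns the concerns raised in this exchange (staging CA server, `acme.json` needing persistent storage, ACME with more than one replica) into findings. The finding names, the `persistent_mounts` parameter and the `storage_mode_ok` helper are assumptions of this example; the helper reflects Traefik's requirement that `acme.json` be mode 600.

```python
import os
import stat

# Flags quoted in the thread, collected into a list for this example.
THREAD_ARGS = [
    "--certificatesresolvers.le.acme.tlsChallenge=true",
    "--certificatesresolvers.le.acme.storage=/shared/acme.json",
    "--certificatesresolvers.le.acme.email=test@gmail.com",
    "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory",
    "--entrypoints.websecure.http.tls.certResolver=le",
]

CHALLENGES = {"tlschallenge", "httpchallenge", "dnschallenge"}


def parse_flags(args):
    """Map --a.b.c=value flags to {lowercased key: value}.

    Traefik matches flag names case-insensitively, so keys are folded.
    A flag without '=value' is treated as boolean true.
    """
    flags = {}
    for arg in args:
        if not arg.startswith("--"):
            continue
        key, _, value = arg[2:].partition("=")
        flags[key.lower()] = value if value else "true"
    return flags


def audit(args, replicas=1, persistent_mounts=()):
    """Return sorted (finding, resolver) pairs for the ACME setup in args.

    persistent_mounts (hypothetical parameter): directories backed by a
    persistent volume; storage anywhere else is lost on pod restart.
    """
    flags = parse_flags(args)
    resolvers = {}
    for key, value in flags.items():
        parts = key.split(".")
        if len(parts) >= 4 and parts[0] == "certificatesresolvers" and parts[2] == "acme":
            resolvers.setdefault(parts[1], {})[".".join(parts[3:])] = value

    findings = set()
    for name, opts in resolvers.items():
        # At least one challenge type must be enabled for issuance to work.
        if not any(k.split(".")[0] in CHALLENGES and v.lower() != "false"
                   for k, v in opts.items()):
            findings.add(("no-challenge", name))
        # The staging CA issues from a test root that clients do not trust.
        if "staging" in opts.get("caserver", ""):
            findings.add(("staging-ca", name))
        # Certificates and the account key live in this file; if it is not
        # persisted, every restart re-issues and can hit CA rate limits.
        storage = opts.get("storage", "acme.json")
        if not any(storage.startswith(m.rstrip("/") + "/") for m in persistent_mounts):
            findings.add(("ephemeral-storage", name))
        # The "if statement" suggested in the thread: ACME with >1 replica.
        if replicas > 1:
            findings.add(("acme-with-replicas", name))

    # An entrypoint that names a resolver which was never defined.
    for key, value in flags.items():
        if key.endswith(".tls.certresolver") and value.lower() not in resolvers:
            findings.add(("unknown-resolver", value))
    return sorted(findings)


def storage_mode_ok(path):
    """True when no group/other permission bits are set (0600 or tighter)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


if __name__ == "__main__":
    for code, resolver in audit(THREAD_ARGS, replicas=2):
        print(f"{code}: resolver '{resolver}'")
```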
 

mgoulet65

Do you have recommendations on how to get one? I see costs ranging from $50 to $300 per year for a wildcard, and of course you have to go through the verification process periodically.
I use SSL2BUY which resells certs pretty cheaply. I have to redeploy once a year.
 

alugowski

You seem to underestimate how much work we're already under. We're not planning to divert resources to implement this for you.
Besides the fact that we think people should be using different solutions.
I'd be happy to do the chart work for you, but it sounds like you're against it from an architectural point of view.

That's fine, even if I think it's a big missed opportunity. Sounds like small orgs aren't your target market and that's ok. BTW, I had reached this thread by googling how to get Let's Encrypt SSL on TrueNAS apps. I'm far from the only person with that need.
 

alugowski

For everyone reaching this via Google like I did, the far simpler way is to just use Caddy via Launch Docker Image:

You lose the automatic ingress, but in exchange you get control back. You can also expose official TrueNAS plugins and regular Docker Hub containers in the same way.
 

danb35

Do you mind sharing how you run yours?
I missed this question earlier, but the answer would have been different a month ago anyway. Then, I used CORE, and I used acme.sh to get my cert using DNS validation via Cloudflare, whose DNS I've been using for years. I told acme.sh to call my deploy script after obtaining a new cert, and that script installs the cert in TrueNAS. Since I cobbled together that Python script, it's been bash-ified and included in acme.sh, so you might not need to use my script at all.

Now, I use SCALE, and the TrueNAS devs have responded to my ticket asking that they include Cloudflare DNS support in CORE by adding it to SCALE. So I use the built-in cert management (overly-complicated though it is) to get a wildcard cert, and use Traefik/Ingress to use that cert--no need to manually configure anything at all.

If I were setting it up today, and not using Cloudflare or Route53 for DNS, I'd likely just use acme.sh and its own script to deploy to TrueNAS. Note that acme.sh now defaults to obtaining certs from ZeroSSL rather than Let's Encrypt, but that default can be easily changed if desired.
 

alugowski

I missed this question earlier, but the answer would have been different a month ago anyway. Then, I used CORE, and I used acme.sh to get my cert using DNS validation via Cloudflare, whose DNS I've been using for years. I told acme.sh to call my deploy script after obtaining a new cert, and that script installs the cert in TrueNAS. Since I cobbled together that Python script, it's been bash-ified and included in acme.sh, so you might not need to use my script at all.

Now, I use SCALE, and the TrueNAS devs have responded to my ticket asking that they include Cloudflare DNS support in CORE by adding it to SCALE. So I use the built-in cert management (overly-complicated though it is) to get a wildcard cert, and use Traefik/Ingress to use that cert--no need to manually configure anything at all.

If I were setting it up today, and not using Cloudflare or Route53 for DNS, I'd likely just use acme.sh and its own script to deploy to TrueNAS. Note that acme.sh now defaults to obtaining certs from ZeroSSL rather than Let's Encrypt, but that default can be easily changed if desired.

Ah, so a cron task running a script composed of acme.sh may work well enough. If someone does it that way I'm sure folks would appreciate a best practices writeup.

I'm going to stick with Caddy. I do think it's even easier and more foolproof to set up and less maintenance long term. Another big benefit is that I can easily proxy whatever I want, not just TrueCharts apps. I prefer to use Docker Hub images straight from the app authors, and Caddy makes that a simple thing to manage. Of course you can have Caddy forward to Traefik and have both.
 

truecharts

I'd be happy to do the chart work for you, but it sounds like you're against it from an architectural point of view.


That's fine, even if I think it's a big missed opportunity. Sounds like small orgs aren't your target market and that's ok. BTW, I had reached this thread by googling how to get Let's Encrypt SSL on TrueNAS apps. I'm far from the only person with that need.
Let's Encrypt is 100% supported with SCALE, it just only supports the DNS01 Cloudflare and Route53 providers. But it's still LetsEncrypt

Small Orgs *are* our target, however they are not our target until bluefin mostly because we think SCALE isn't ready and, until yesterday, we didn't have any guidelines what we do and do not find "Enterprise Grade" (aka: Professional ready quality). Actually, it's small orgs that block us from allowing the use of Traefik ACME, for home users it's fine. But it's defined by Traefik themselves to be not enterprise-ready and purposefully gimped.

Even so: Traefik ACME is purposefully gimped not to be enterprise grade, so will not be supported in the future by us either.
Instead we would, in the future, allow the use of tools like CertManager, which are meant for this usecase.

Traefik ACME is gimped and it's not the go-to standard in kubernetes, and thus we will not support it either.
For everyone reaching this via Google like I did, the far simpler way is to just use Caddy via Launch Docker Image:

You lose the automatic ingress, but in exchange you get control back. You can also expose official TrueNAS plugins and regular Docker Hub containers in the same way.

Or use Native Helm, instead of SCALE Apps. SCALE Apps are not intended to offer complete control at this stage. We hope iX does allow custom yaml in the future, which would allow you to enable non exposed features yourself on SCALE Apps as well.

The "Control" problem was not by our design really, as all our Apps are available as native Helm Charts with full control as well.
I missed this question earlier, but the answer would have been different a month ago anyway. Then, I used CORE, and I used acme.sh to get my cert using DNS validation via Cloudflare, whose DNS I've been using for years. I told acme.sh to call my deploy script after obtaining a new cert, and that script installs the cert in TrueNAS. Since I cobbled together that Python script, it's been bash-ified and included in acme.sh, so you might not need to use my script at all.

Now, I use SCALE, and the TrueNAS devs have responded to my ticket asking that they include Cloudflare DNS support in CORE by adding it to SCALE. So I use the built-in cert management (overly-complicated though it is) to get a wildcard cert, and use Traefik/Ingress to use that cert--no need to manually configure anything at all.

If I were setting it up today, and not using Cloudflare or Route53 for DNS, I'd likely just use acme.sh and its own script to deploy to TrueNAS. Note that acme.sh now defaults to obtaining certs from ZeroSSL rather than Let's Encrypt, but that default can be easily changed if desired.
acme.sh is a really good solution for this problem, we would highly recommend it :)

I'm going to stick with Caddy. I do think it's even easier and more foolproof to set up and less maintenance long term. Another big benefit is that I can easily proxy whatever I want, not just TrueCharts apps. I prefer to use Docker Hub images straight from the app authors, and Caddy makes that a simple thing to manage. Of course you can have Caddy forward to Traefik and have both.

To be clear:
Most of our Apps are directly from the upstream developers or, in cases where we've good reason to, the second-most-trustworthy source that fits the design.
 

alugowski

Before I reply, I just want to point out that I do appreciate what TrueCharts is doing and it's a monumental task you're taking on. My replies here and critique are an effort to provide you with a new user perspective. My background is as a regular engineer/scientist, not DevOps.

My personal TrueNAS is a home setup, though I can see a very small org doing the same thing for simplicity. IMHO anyone bigger should not be hosting their apps on TrueNAS at all. If you need HA then do it in a place where you can do it right.

This is on topic for this thread because OP's problem is the same: home user needs SSL and bought into the sales pitch that TrueCharts/Traefik offers that, when in reality what they need is impossible.

Small Orgs *are* our target, however they are not our target until bluefin mostly because we think SCALE isn't ready and, until yesterday, we didn't have any guidelines what we do and do not find "Enterprise Grade" (aka: Professional ready quality). Actually, it's small orgs that block us from allowing the use of Traefik ACME, for home users it's fine. But it's defined by Traefik themselves to be not enterprise-ready and purposefully gimped.

Even so: Traefik ACME is purposefully gimped not to be enterprise grade, so will not be supported in the future by us either.
Instead we would, in the future, allow the use of tools like CertManager, which are meant for this usecase.

Traefik ACME is gimped and it's not the go-to standard in kubernetes, and thus we will not support it either.

If it's fine for home users, then why not offer it for those folks? I did implement it, it's literally a dozen lines. Feel free to make it non-default with a warning that it's for home use only.

If Traefik quality is the problem you can offer Caddy as an ingress controller as well. https://github.com/caddyserver/ingress
No reason both can't be supported.

Also I don't understand why you keep bringing up Cert Manager when you explicitly removed it. https://github.com/truecharts/charts/issues/189
That's literally the only information about TrueCharts and Cert Manager that I can find. This "you're doing it wrong, but we won't point you in the right direction" isn't helpful.

As for home/small org, here's some free Product advice. Easy SSL is far more important than all the reasons against offering it I've read so far (breaks with HA, don't want to mount a volume (seriously??), upstream only supports it for home).
 

alugowski

To be clear:
Most of our Apps are directly from the upstream developers or, in cases where we've good reason to, the second-most-trustworthy source that fits the design.
True. But you've also stated that you make decisions on what to expose to your users. Heck this entire thread is about that very thing. The upstream has a feature, and you think your users shouldn't use it. You're entitled to that opinion, but as a user I'd rather not be subject to your very strong opinions when it goes against my needs.

More free Product advice: Make a case for why a TrueCharts app is better than the alternatives. "We're not any worse" isn't a selling point.
As far as I can see, these are the general TrueCharts benefits:
  • Someone got this to work on TrueNAS, so it's a form of config validation
  • Ingress setup for people who find this important.
  • VPN setup for any app.
  • Charts can expose ports below 9000
  • A nice icon in the apps menu.
 

alugowski

Or use Native Helm, instead of SCALE Apps. SCALE Apps are not intended to offer complete control at this stage. We hope iX does allow custom yaml in the future, which would allow you to enable non exposed features yourself on SCALE Apps as well.

The "Control" problem was not by our design really, as all our Apps are available as native Helm Charts with full control as well.
You said plain Helm charts are not officially supported:
 

danb35

Make a case for why a TrueCharts app is better than the alternatives.
You seem to be missing "it exists" on your list. iX provide 16 apps for SCALE. TrueCharts provide 342 in their stable branch. So I guess the response to your suggestion would be "what alternatives?"
 

truecharts

This is on topic for this thread because OP's problem is the same: home user needs SSL and bought into the sales pitch that TrueCharts/Traefik offers that, when in reality what they need is impossible.

Which is not true: Every bought domain can be linked to either Route53 or Cloudflare to make use of Letsencrypt using DNS01 ACME.
Besides that, there is the command line script by @danb35 that allows more custom certificate providers.

This initial premise you keep repeating "Its impossible", is simply not true.
It's only impossible because you keep adding additional limitations into the mix.


If it's fine for home users, then why not offer it for those folks? I did implement it, it's literally a dozen lines. Feel free to make it non-default with a warning that it's for home use only.

Because we have determined that it did not give the stability we aim for and there are multiple other solutions in the market (either using SCALE Certificates or the go-to solution CertManager) that do give the correct solution, stability and user experience.

We have limited GUI space available and limited manpower to support these features.
You always have been free to submit a PR and somehow offer yourself up to respond on any support requests that come from this addition, because we do not want to offer support for this feature. You severely underestimate how much effort goes into testing and support.

We simply are conservative in making needless additions into our core framework. As we feel that those Apps deserve a higher stability than the rest.

If Traefik quality is the problem you can offer Caddy as an ingress controller as well. https://github.com/caddyserver/ingress
No reason both can't be supported.

One big reason: We're not a big company with vast resources.
If you want it: PR it and please also describe in the PR, how you expect to support it the next 2 years as well. (as Caddy-Ingress is kinda niche, we don't have staff running this)

Also I don't understand why you keep bringing up Cert Manager when you explicitly removed it. https://github.com/truecharts/charts/issues/189
That's literally the only information about TrueCharts and Cert Manager that I can find. This "you're doing it wrong, but we won't point you in the right direction" isn't helpful.

Because our Helm Charts still work with it. Just like our Traefik deployment does.
We just don't have the manpower to also port CertManager to SCALE.

You seem to misunderstand our project a bit:
We build Helm Charts and also port most of those to TrueNAS SCALE Apps, albeit with a limited feature set.

We've pointed you into multiple right directions, as did @danb35.
His script, just using the two DNS providers (which support nearly all domain names Letsencrypt support) or building yourself something using CertManager.

We did however, confirm that we should expose secret names for certificates in the SCALE GUI, as we feel that is a valid request.
See: We do read into your wishes, but we're also not going to spend development hours to completely add your niche setup into our project.
As for home/small org, here's some free Product advice. Easy SSL is far more important than all the reasons against offering it I've read so far (breaks with HA, don't want to mount a volume (seriously??), upstream only supports it for home).

The Go-To solution for home users is using SCALE Certificates with Letsencrypt through DNS with Cloudflare or Route53. Both are freely available for any domain and natively integrated into the system. Your idea is the "hard way" of doing things on SCALE, which is not great advice for home users.

Our reasons are valid, because your request "easy ssl" is already offered by using SCALE certificates with letsencrypt. The feature simply already exists. We do not want to add an alternative we need to maintain ourselves, which HAS downsides, when there is a better alternative for homeusers already available.

Going from stateless setups to mounting persistence is a HUGE change, if you don't understand that... You shouldn't start arguing with kubernetes developers really.


True. But you've also stated that you make decisions on what to expose to your users. Heck this entire thread is about that very thing. The upstream has a feature, and you think your users shouldn't use it. You're entitled to that opinion, but as a user I'd rather not be subject to your very strong opinions when it goes against my needs.

Changes about TrueCharts are made within our own community, not this forum. We're simply here to explain our choices, but our choices are not actually going to change based on threads like these. That might seem like we have "strong opinions", but it's just that we aren't here to take any requests at all. Just to explain things.

If you want things to change, the best way is to file PRs and/or discuss things with our staff and devs (available on discord, primarily).

There are a lot of "if's" when you add features:
For example: Who is going to provide support?
But also: If we add this, it does not mean it also makes it through to the SCALE GUI, the SCALE GUI we offer is not intended to include each and every feature (as it would become incredibly bloaty with a few hundred features included)


More free Product advice: Make a case for why a TrueCharts app is better than the alternatives. "We're not any worse" isn't a selling point.
As far as I can see, these are the general TrueCharts benefits:
  • Someone got this to work on TrueNAS, so it's a form of config validation
  • Ingress setup for people who find this important.
  • VPN setup for any app.
  • Charts can expose ports below 9000
  • A nice icon in the apps menu.

How about some apps take hundreds of hours to build? With carefully constructed database connections included and such?
Some Helm charts are super easy to build, but a lot are definitely not.

You just have played with things that are relatively easy to deploy on SCALE yourself, but you can take our word for it that a lot of Apps take an incredible time to build. With some running 3 or more different containers.

You said plain Helm charts are not officially supported:

I think you don't understand what TrueCharts is....
We are a project that primarily build Helm Charts and offer a limited subset(!) of the features as SCALE Apps as well.
Our advice, at this stage, is always to use native helm if you want thorough customisation options.

We're very vocal that we think SCALE should include custom YAML inclusion options to expose more of the power of Helm on SCALE as well and we also have a Jira ticket open about that.
However, when the TrueCharts solution is "use native helm", that's what we can offer for you. It's within the scope of our project to offer Helm Charts.
Please remember: We're a separate project and don't only work on SCALE related things. A LOT of our features are not available inside the SCALE GUI yet.

We're always open for feedback, but we are here just to explain ourselves and point people in the right direction. If you want to discuss things with our developers and users beyond getting an explanation from us, you really have to reach out to our community directly.


In short:
Our current policy is that we do not want this feature and no one has submitted a PR for this to our project (and a proposal how support on this is going to be handled) to review either. If you want to discuss this policy, please reach out to our community directly.

We're going to leave it at this, as we feel we've explained everything there is to explain by now. What you want is a policy change, for which this is not the place.
 

alugowski

You seem to misunderstand our project a bit:
We build Helm Charts and also port most of those to TrueNAS SCALE Apps, albeit with a limited feature set.
Absolutely, but understand that this is the TrueNAS forum. It's great if something can be done with the regular Helm chart but not an App. That's a sales pitch for not using TrueNAS. However, here we are TrueNAS users, so really only solutions that work on TrueNAS matter. Again regular Kubernetes solutions are irrelevant if they can't be implemented on TrueNAS. I'm trying to stick to something that can be done officially.

You always have been free to submit a PR
I would, except this:
Our current policy is that we do not want this feature
And that's fine.

I ask that you're up front about it though, for new users' sake. That means on the official docs, not just the forums.
 

Heavy

Absolutely, but understand that this is the TrueNAS forum. It's great if something can be done with the regular Helm chart but not an App. That's a sales pitch for not using TrueNAS. However, here we are TrueNAS users, so really only solutions that work on TrueNAS matter. Again regular Kubernetes solutions are irrelevant if they can't be implemented on TrueNAS. I'm trying to stick to something that can be done officially.


I would, except this:

And that's fine.

I ask that you're up front about it though, for new users' sake. That means on the official docs, not just the forums.
Couldn't you make your own repo just for traefik with the changes you want? If you get it done and it works, I'd switch from the Truecharts version
 

alugowski

Couldn't you make your own repo just for traefik with the changes you want? If you get it done and it works, I'd switch from the Truecharts version
I considered it.

1. Main issue is that would mean not just making one feature but maintaining an entire chart, a critical one at that. TrueCharts folks are right, that's a lot of ongoing work and responsibility.

2. I still wouldn't use it. During this process I also learned that for MY home uses configuring/debugging/maintaining Caddy is far easier than the same for Traefik. Again, home user with mostly non-TrueCharts apps. I wouldn't feel right building something and not dog-fooding it.

3. Speculation here, but I bet you can have the best of both worlds. Just put Caddy in front of Traefik. That way Caddy handles the SSL termination then forwards to Traefik so it can do its thing. Kinda silly, but 'tis a silly world.
 

danb35

I also learned that for MY home uses configuring/debugging/maintaining Caddy is far easier than the same for Traefik.
Different application, but still a valid comparison. My OPNsense firewall has a plugin for ACME certificates, and another one for HAProxy. Everything's GUI-fied, everything's point-and-click, so I can set up HAProxy to do TLS termination and be a reverse proxy to whichever of my LAN resources I care to expose to the Internet. To proxy one URL requires visiting at least a half-dozen pages in the UI.

There's also a third-party plugin to install Caddy. It's much less GUI-fied; the only GUI is a page with a checkbox to enable it, and a text field to enter the Caddyfile--you're on your own to write it. And I use that instead of the ACME/HAProxy combination because it's vastly simpler--two lines of Caddyfile (plus a closing brace on a third line) handles cert generation/renewal, TLS termination/redirection/configuration, and the reverse proxy itself.
 

truecharts

Absolutely, but understand that this is the TrueNAS forum. It's great if something can be done with the regular Helm chart but not an App. That's a sales pitch for not using TrueNAS. However, here we are TrueNAS users, so really only solutions that work on TrueNAS matter. Again regular Kubernetes solutions are irrelevant if they can't be implemented on TrueNAS. I'm trying to stick to something that can be done officially.

We're currently actively communicating with iX Systems about including more native-Helm features to SCALE. Such as Custom values.yaml support. At this stage that's all we can say about it.


I would, except this:

And that's fine.

We are only repeating standing policy here, those are not set in stone.
However, if you do not discuss it with our staff on Discord, there is nothing we can say, except repeat the standing policies.


I ask that you're up front about it though, for new users' sake. That means on the official docs, not just the forums.

We're definitely not going to spend hundreds of hours to document the thousands of features of our hundreds of apps not exposed in the SCALE GUI. At this point this starts to look like trolling.


Couldn't you make your own repo just for traefik with the changes you want? If you get it done and it works, I'd switch from the Truecharts version

There is a **LOT** of integration work going on between our Traefik setup and common App template. So we would heavily suggest against it, unless the one doing so has a significant amount of helm/kubernetes expertise.

Considering we're also doing significant rewriting of a number of apps, including Traefik, for launch of our Enterprise train, there is a big chance that such an attempt would be a rather "sour" experience.

However: We do agree that the 2 DNS providers on SCALE are not enough.
We'll look what we or iX can do about this.

I considered it.

1. Main issue is that would mean not just making one feature but maintaining an entire chart, a critical one at that. TrueCharts folks are right, that's a lot of ongoing work and responsibility.

2. I still wouldn't use it. During this process I also learned that for MY home uses configuring/debugging/maintaining Caddy is far easier than the same for Traefik. Again, home user with mostly non-TrueCharts apps. I wouldn't feel right building something and not dog-fooding it.

3. Speculation here, but I bet you can have the best of both worlds. Just put Caddy in front of Traefik. That way Caddy handles the SSL termination then forwards to Traefik so it can do its thing. Kinda silly, but 'tis a silly world.

1. Totally agree, even regardless of skill. Considering even k8s-at-home just stopped with their work because of the maintenance load it gives to maintain helm-charts

2. If you're mostly running non-TrueCharts Apps, we agree that our ecosystem might not be the best place to be.

3. That is technically possible (reverse proxies can be daisy chained), but to be clear: our support staff on discord would not be able to help you when you run into future issues.

Different application, but still a valid comparison. My OPNsense firewall has a plugin for ACME certificates, and another one for HAProxy. Everything's GUI-fied, everything's point-and-click, so I can set up HAProxy to do TLS termination and be a reverse proxy to whichever of my LAN resources I care to expose to the Internet. To proxy one URL requires visiting at least a half-dozen pages in the UI.

There's also a third-party plugin to install Caddy. It's much less GUI-fied; the only GUI is a page with a checkbox to enable it, and a text field to enter the Caddyfile--you're on your own to write it. And I use that instead of the ACME/HAProxy combination because it's vastly simpler--two lines of Caddyfile (plus a closing brace on a third line) handles cert generation/renewal, TLS termination/redirection/configuration, and the reverse proxy itself.

We indeed also know of users putting haproxy in front of traefik, it can, quite reasonably, be done :)
 

truecharts

As our continued effort to ensure SCALE users have enough freedom compared to industry standards on kubernetes. We've made the following Jira suggestion, to document the lack of feature parity with Cert-Manager (the go-to standard for certificates on kubernetes):

 