Description
Build a Certificate Manager MSP for Platform Mesh 0.3+ as the canonical reference example for the multi-cluster-runtime + virtual-workspace provider pattern.
The MSP exposes upstream cert-manager.io CRDs (Certificate, Issuer, ClusterIssuer) into consumer workspaces. An external operator using multi-cluster-runtime watches one APIExport virtual-workspace endpoint and reconciles across all bound consumer accounts. No code runs in the provider workspace.
Default issuance uses cert-manager's built-in Issuer types. Securing the PKI with OpenBao is a follow-on (sketched at the bottom for context).
Why
- Forkable reference for the 0.3+ provider model.
- Fills the docs gap where certificates are repeatedly cited as the canonical MSP example with no implementation.
- Tees up the OpenBao-backed follow-on.
Sub-tasks
Acceptance criteria
- Consumer can order Certificate Manager and receive a working
ClusterIssuer + Certificate → TLS Secret in their workspace.
- Runs on PM 0.3+ provider primitives: external MCR operator, no code in provider workspace, virtual-workspace fan-out.
task local-setup:example-data brings up the MSP alongside existing examples.- Documentation covers all four Diátaxis quadrants.
Out of scope
- OpenBao integration (tracked under sub-tasks).
- Public CA integration (ACME/Let's Encrypt).
- HSM-backed seal, cross-provider trust federation.
Future direction (NOT in scope; sketch for context)
A follow-on swaps the default CA Issuer for OpenBao (already a sibling MSP in the Showroom):
- CA private keys stay sealed in OpenBao; cert-manager sends only CSRs to
pki_int/sign/<role>.
- Auth: Kubernetes ServiceAccount + TokenReview, sign-only policy per tenant.
- Topology: shared OpenBao with per-tenant intermediates under
pki_int/<tenant>.
- Per-consumer orchestration (mount, policy, role,
ClusterIssuer) lives in the cert-manager MSP operator.
Reference: https://blog.stderr.at/openshift-platform/security/secrets-management/openbao/2026-03-26-openbao-part-9-secrets-engines-pki/
Demo Required
Yes
Demo Steps
task local-setup:example-data brings up the cert-manager MSP.- Order Certificate Manager via the Portal; show the materialised
ClusterIssuer.
- Create a
Certificate; show the resulting TLS Secret.
- A second account creates a
Certificate in parallel — same operator process reconciles both via the virtual workspace (fan-out demo).
Description
Build a Certificate Manager MSP for Platform Mesh 0.3+ as the canonical reference example for the multi-cluster-runtime + virtual-workspace provider pattern.
The MSP exposes upstream
cert-manager.ioCRDs (Certificate,Issuer,ClusterIssuer) into consumer workspaces. An external operator usingmulti-cluster-runtimewatches one APIExport virtual-workspace endpoint and reconciles across all bound consumer accounts. No code runs in the provider workspace.Default issuance uses cert-manager's built-in Issuer types. Securing the PKI with OpenBao is a follow-on (sketched at the bottom for context).
Why
Sub-tasks
Acceptance criteria
ClusterIssuer+Certificate→ TLS Secret in their workspace.task local-setup:example-databrings up the MSP alongside existing examples.Out of scope
Future direction (NOT in scope; sketch for context)
A follow-on swaps the default CA Issuer for OpenBao (already a sibling MSP in the Showroom):
pki_int/sign/<role>.pki_int/<tenant>.ClusterIssuer) lives in the cert-manager MSP operator.Reference: https://blog.stderr.at/openshift-platform/security/secrets-management/openbao/2026-03-26-openbao-part-9-secrets-engines-pki/
Demo Required
Yes
Demo Steps
task local-setup:example-databrings up the cert-manager MSP.ClusterIssuer.Certificate; show the resulting TLS Secret.Certificatein parallel — same operator process reconciles both via the virtual workspace (fan-out demo).