cert-manager

MCP Server for cert-manager

Installation
Run this command in your terminal to add the MCP server to Claude Code:

claude mcp add --transport stdio pibblokto-cert-manager-mcp-server -- sh -c "docker run -i --rm -v ~/.kube:/home/app/.kube:ro -v ~/.config/gcloud:/home/app/.config/gcloud piblokto/cert-manager-mcp-server:v0.0.5"

How to use

This MCP server provides a set of tools for managing and troubleshooting cert-manager resources in a Kubernetes cluster. It runs inside a Docker image and exposes commands that let you list and inspect certificates and issuers, renew certificates on demand, and query Kubernetes namespaces and contexts. The server is designed to be used via the CLI tools exposed by the container image, and it can be run locally (using Docker) or in environments like Claude with appropriate volume mounts for kubeconfig and Cloud SDK configuration.

To use it, start the container with access to your kubeconfig and, if needed for GKE, your Google Cloud credentials. Once running, you can call tools such as list_certificates, get_certificate, renew_certificate, list_issuers, list_namespaces, list_contexts, get_current_context, and switch_context to manage cert-manager resources and navigate Kubernetes contexts. The tools support filtering, pagination, and context switching to help you troubleshoot certificates and issuers across namespaces and clusters.

How to install

Prerequisites:

  • Docker installed and running on your workstation or CI environment
  • Access to a Kubernetes cluster with cert-manager installed (or a cluster you want to manage via cert-manager)
  • kubectl configured with your cluster context and kubeconfig accessible inside the container (via volume mounts)

Install and run the MCP server (Docker):

# Pull and run the cert-manager MCP server image
docker run -i --rm \
  -v ~/.kube:/home/app/.kube:ro \
  -v ~/.config/gcloud:/home/app/.config/gcloud \
  piblokto/cert-manager-mcp-server:v0.0.5

If you’re using Claude Desktop or a similar environment, configure the command similarly to the provided examples, ensuring kubeconfig and Cloud SDK config directories are mounted and, if needed, environment variables for your project/region are set.

Optional: use environment variables for GKE projects and regions (when applicable):

-e CLOUDSDK_CORE_PROJECT=<YOUR_PROJECT_ID> \
-e CLOUDSDK_COMPUTE_REGION=<YOUR_COMPUTE_REGION>

Additional notes

Notes and tips:

  • The MCP server runs as a Docker image; adapt the docker run command to your environment if you use container orchestration or different volume paths.
  • When listing certificates, you can filter by namespace or across all namespaces and optionally include domain information. Use pagination and cursor parameters for large clusters.
  • The renew_certificate operation is destructive (forces renewal) and is not allowed to run in read-only contexts. Ensure you have appropriate permissions before invoking it.
  • For GKE users, ensure your kubeconfig context is correctly set and accessible inside the container runtime (via volume mounts).
  • If you encounter connectivity issues, verify that your kubeconfig path is mounted with proper read permissions and that the cluster API server is reachable from the host running Docker.
