Kubernetes Skills
v1.0.0
Kubernetes certificate management with cert-manager. Use when managing TLS certificates, configuring issuers, or troubleshooting certificate issues.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly operates on a Kubernetes cluster (kubectl_apply, certmanager_* tools, creating ClusterIssuer/Certificate resources). However, the registry metadata declares no required binaries, env vars, or config paths. Managing cert-manager legitimately requires kubectl access (or equivalent API access) and cluster credentials (often cluster-admin for ClusterIssuer). The metadata and declared requirements are therefore incomplete/inconsistent with the described capability.
Instruction Scope
Instructions stay on-topic: listing/creating Certificates, Issuers, CertificateRequests, Ingress annotations, and troubleshooting. They reference Let's Encrypt ACME endpoints (expected) and cluster events for debugging. The skill does not instruct reading unrelated local files or exfiltrating data to unexpected external endpoints.
Install Mechanism
This is instruction-only with no install spec or code files, so nothing is written to disk by an installer—low installation risk. The runtime relies on external tools being available (kubectl and cert-manager-related tooling), which are not declared in metadata.
Credentials
No environment variables, credentials, or config paths are declared despite the skill plainly requiring access to a Kubernetes cluster (kubeconfig, KUBECONFIG, or in-cluster credentials) and cluster secrets/private keys for ACME issuers. Requesting no credentials in metadata is disproportionate to the operations shown in SKILL.md.
Persistence & Privilege
Skill is not always-enabled and does not claim persistent/system-wide modifications. It does perform cluster mutations (apply manifests) when invoked, which is expected for this purpose but should be run with appropriate privileges and caution.
What to consider before installing
Before installing:
(1) Understand that this skill will create and modify Kubernetes resources (Certificates, ClusterIssuers, Ingresses). Ensure you trust the skill source.
(2) Confirm the agent runtime has kubectl / cert-manager tooling and appropriate kubeconfig or cluster credentials; the skill metadata does not declare these requirements but the SKILL.md assumes them.
(3) Running ClusterIssuer manifests typically requires cluster-admin privileges—use least-privilege accounts and test in a staging cluster first.
(4) Review the provided YAML (especially ACME email/privateKeySecretRef) and make sure secrets are handled securely; be careful using production Let's Encrypt due to rate limits.
(5) Ask the publisher to update metadata to declare required binaries (kubectl), config paths (KUBECONFIG or kubeconfig file), and any needed permissions so you can make an informed risk decision.
Like a lobster shell, security has layers — review code before you run it.
latest
Certificate Management with cert-manager
Manage TLS certificates using kubectl-mcp-server's cert-manager tools.
Check Installation
certmanager_detect_tool()
Certificates
List Certificates
# List all certificates
certmanager_certificates_list_tool(namespace="default")
# Check certificate status
# - True: Certificate ready
# - False: Certificate not ready (check events)
Get Certificate Details
certmanager_certificate_get_tool(
    name="my-tls",
    namespace="default"
)
# Shows:
# - Issuer reference
# - Secret name
# - DNS names
# - Expiry date
# - Renewal time
Create Certificate
kubectl_apply(manifest="""
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-tls
  namespace: default
spec:
  secretName: my-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - app.example.com
  - www.example.com
""")
Issuers
List Issuers
# Namespace issuers
certmanager_issuers_list_tool(namespace="default")
# Cluster-wide issuers
certmanager_clusterissuers_list_tool()
Get Issuer Details
certmanager_issuer_get_tool(name="my-issuer", namespace="default")
certmanager_clusterissuer_get_tool(name="letsencrypt-prod")
Create Let's Encrypt Issuer
# Staging (for testing)
kubectl_apply(manifest="""
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-staging-key
    solvers:
    - http01:
        ingress:
          class: nginx
""")
# Production
kubectl_apply(manifest="""
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
    - http01:
        ingress:
          class: nginx
""")
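An added example, not part of the skill or the registry page: a pre-apply review of the issuer and certificate manifests above, following the scan's advice to check the ACME email and privateKeySecretRef and to treat the production endpoint with care. Manifests are assumed to be already parsed into dicts; the function names and finding codes are hypothetical, and the wildcard Certificate is constructed to exercise the HTTP-01 check.

```python
# Added example (not from the skill): review parsed manifests before kubectl_apply.
LE_PROD = "https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

def review_issuer(m, allow_production=False):
    """Return finding codes (hypothetical names) for an Issuer/ClusterIssuer."""
    findings = []
    if m.get("kind") == "ClusterIssuer":
        findings.append("cluster-scoped")  # applying it needs cluster-level RBAC
    acme = m.get("spec", {}).get("acme")
    if acme is None:
        return findings  # e.g. selfSigned: no ACME settings to check
    server = acme.get("server", "")
    if server == LE_PROD and not allow_production:
        findings.append("production-acme")  # rate limits: prove it on staging first
    elif server not in (LE_PROD, LE_STAGING):
        findings.append("unexpected-acme-server")
    email = acme.get("email", "")
    if not email or email.endswith("@example.com"):
        findings.append("placeholder-email")
    if not acme.get("privateKeySecretRef", {}).get("name"):
        findings.append("missing-account-key-secret")
    return findings

def review_certificate(cert, issuers):
    """Check a Certificate against issuers keyed by (kind, name)."""
    spec = cert.get("spec", {})
    ref = spec.get("issuerRef", {})
    # cert-manager treats a missing issuerRef.kind as a namespaced Issuer
    issuer = issuers.get((ref.get("kind", "Issuer"), ref.get("name")))
    if issuer is None:
        return ["issuer-not-in-bundle"]
    solvers = issuer.get("spec", {}).get("acme", {}).get("solvers", [])
    http01_only = bool(solvers) and all("dns01" not in s for s in solvers)
    wildcard = any(d.startswith("*.") for d in spec.get("dnsNames", []))
    # HTTP-01 cannot validate wildcard names; they need a DNS-01 solver
    return ["wildcard-needs-dns01"] if http01_only and wildcard else []

# Constructed samples: the page's production issuer and a wildcard Certificate.
PROD_ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"}, "spec": {"acme": {
    "server": LE_PROD, "email": "admin@example.com",
    "privateKeySecretRef": {"name": "letsencrypt-prod-key"},
    "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}}
WILDCARD_CERT = {"kind": "Certificate", "metadata": {"name": "my-tls"}, "spec": {
    "secretName": "my-tls-secret", "dnsNames": ["*.example.com"],
    "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}}}
ISSUERS = {("ClusterIssuer", "letsencrypt-prod"): PROD_ISSUER}

if __name__ == "__main__":
    print(review_issuer(PROD_ISSUER))
    print(review_certificate(WILDCARD_CERT, ISSUERS))
```

An empty list means nothing was flagged; pass allow_production=True only after the same manifest has issued successfully against the staging endpoint.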
Create Self-Signed Issuer
kubectl_apply(manifest="""
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
""")
Certificate Requests
# List certificate requests
certmanager_certificaterequests_list_tool(namespace="default")
# Get request details (for debugging)
certmanager_certificaterequest_get_tool(
    name="my-tls-xxxxx",
    namespace="default"
)
Troubleshooting
Certificate Not Ready
1. certmanager_certificate_get_tool(name, namespace)  # Check status
2. certmanager_certificaterequests_list_tool(namespace)  # Check request
3. get_events(namespace)  # Check events
4. # Common issues:
   # - Issuer not ready
   # - DNS challenge failed
   # - Rate limited by Let's Encrypt
Issuer Not Ready
1. certmanager_clusterissuer_get_tool(name)  # Check status
2. get_events(namespace="cert-manager")  # Check events
3. # Common issues:
   # - Invalid credentials
   # - Network issues
   # - Invalid configuration
Ingress Integration
# Automatic certificate via ingress annotation
kubectl_apply(manifest="""
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - app.example.com
    secretName: app-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80
""")
Related Skills
- k8s-networking - Ingress configuration
- k8s-security - Security best practices
