Users deploying Tanzu Postgres for Kubernetes (postgres-operator) often ask whether cert-manager can be removed when they use custom, user-provided TLS certificates.
Although the postgres-operator allows users to:
- Supply their own TLS certificates
- Reference pre-created Kubernetes secrets
the operator still depends on cert-manager being installed because:
- cert-manager CRDs and APIs are used internally by the operator
- Admission webhooks and certificate reconciliation logic rely on cert-manager
- Even when custom certs are provided, the operator checks and interacts with cert-manager components
This makes cert-manager a runtime dependency, not just a certificate issuer.
- cert-manager must be installed in the cluster at all times
- Custom certificates do not eliminate the cert-manager requirement. cert-manager is mandatory even if it is not actively issuing certificates.
- You can still use user-provided certificates by creating TLS secrets manually and referencing them in the Postgres cluster spec
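
A pre-flight check for the points above, as an added example (not taken from the product documentation): it confirms that the cert-manager CRDs are still registered before a manually created TLS secret is used. The function names, and the choice of these four core cert-manager CRDs as the signal that cert-manager is installed, are assumptions.

```shell
#!/bin/sh
# Assumption: these core cert-manager CRDs stand in for "cert-manager is installed".
# The page does not list which CRDs the operator actually uses.
REQUIRED_CRDS="certificates.cert-manager.io certificaterequests.cert-manager.io issuers.cert-manager.io clusterissuers.cert-manager.io"

# Reads `kubectl get crd -o name` output on stdin and prints, space-separated,
# every required CRD that is absent. Prints nothing when all are present.
missing_cert_manager_crds() {
    # Strip the "customresourcedefinition.apiextensions.k8s.io/" prefix.
    present=$(sed 's|^.*/||')
    missing=""
    for crd in $REQUIRED_CRDS; do
        # -x: whole-line match, so "issuers" never satisfies "clusterissuers".
        printf '%s\n' "$present" | grep -qxF "$crd" || missing="$missing $crd"
    done
    printf '%s' "${missing# }"
}

# Live check against the current kubectl context.
# Returns 0 if cert-manager CRDs are present, 1 if any are missing, 2 on kubectl error.
check_cluster() {
    crds=$(kubectl get crd -o name) || return 2
    missing=$(printf '%s\n' "$crds" | missing_cert_manager_crds)
    if [ -n "$missing" ]; then
        echo "cert-manager CRDs missing: $missing" >&2
        return 1
    fi
    echo "cert-manager CRDs present"
}

# Creates the user-provided TLS secret only after the cert-manager check passes.
# Arguments: secret name, certificate file, key file, namespace.
create_tls_secret() {
    check_cluster || return $?
    kubectl create secret tls "$1" --cert="$2" --key="$3" --namespace="$4"
}
```

The secret created by `create_tls_secret` is then referenced from the Postgres cluster spec as described above.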