Option to Disable Cert-Manager in Valkey Operator (Kubernetes)

Article ID: 437976

Updated On:

Products

VMware Tanzu Data Suite, VMware Tanzu for Valkey, VMware Tanzu Greenplum, VMware Tanzu Greenplum / Gemfire

Issue/Introduction

Customers deploying Valkey Operator on Kubernetes have raised concerns about the mandatory use of cert-manager in the setup.

In certain environments, Cert-Manager is not preferred due to:

  • Lack of internal support
  • Additional maintenance and upgrade overhead
  • Restrictions against using self-signed certificates, even for internal cluster communication

As a result, customers may request an option to disable Cert-Manager and are seeking clarity on why it is required.

Additionally, there is a need to understand what data is transmitted through the Valkey Operator webhook during resource creation or updates.

Cause

1. Webhook Data Transmission Clarification

When a user creates or updates a Valkey Custom Resource:

  • The Kubernetes API server intercepts the request.
  • It sends the resource definition to the operator’s webhook service over HTTPS.
  • The operator:
    • Applies default values (Mutating Webhook)
    • Validates configuration (Validating Webhook)
  • Only the resource specification (YAML/CR data) is transmitted.


No user application data or runtime data is transmitted—only configuration metadata required for validation and mutation. 
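
An added illustration (not VMware's or the operator's own code) of the exchange described above: the AdmissionReview JSON the API server posts to the webhook, a helper that lists exactly which fields it carries, and the mutating and validating responses. The `example.com` group, the `replicas` and `persistence` fields and all sample values are hypothetical; the envelope fields (`uid`, `operation`, `userInfo`, `object`) belong to the standard Kubernetes `admission.k8s.io/v1` format.

```python
import base64
import json

# Constructed AdmissionReview request, shaped like what the API server POSTs to a
# webhook. Group, kind and spec fields are hypothetical, not the operator's schema.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "operation": "CREATE",
        "userInfo": {"username": "dev@example.com"},
        "object": {
            "apiVersion": "example.com/v1",
            "kind": "Valkey",
            "metadata": {"name": "cache", "namespace": "demo"},
            "spec": {"replicas": 3},
        },
    },
}

def transmitted_paths(node, prefix=""):
    """List every leaf field path in the payload, to audit what is sent."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in transmitted_paths(v, f"{prefix}/{k}")]
    return [prefix]

def _review(uid, **fields):
    """Wrap a response; the uid must echo the request uid."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": uid, **fields}}

def mutate(review, defaults):
    """Mutating step: return a base64 JSONPatch adding missing spec defaults."""
    req = review["request"]
    spec = req["object"].get("spec", {})
    patch = [{"op": "add", "path": f"/spec/{k}", "value": v}
             for k, v in defaults.items() if k not in spec]
    encoded = base64.b64encode(json.dumps(patch).encode()).decode()
    return _review(req["uid"], allowed=True, patchType="JSONPatch", patch=encoded)

def validate(review):
    """Validating step: allow or deny based only on the submitted spec."""
    req = review["request"]
    replicas = req["object"].get("spec", {}).get("replicas")
    if isinstance(replicas, int) and replicas >= 1:
        return _review(req["uid"], allowed=True)
    return _review(req["uid"], allowed=False,
                   status={"message": "spec.replicas must be an integer >= 1"})
```

Running `transmitted_paths(SAMPLE_REVIEW["request"])` against a request captured in a test cluster is a quick way to confirm which fields reach the webhook.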

 

2. Why Cert-Manager is Required

Kubernetes enforces a strict rule:

All Admission Webhooks must be served over HTTPS

Because of this:

  • The Valkey Operator must present a valid TLS certificate to start and function.
  • This certificate is used by the API server to securely communicate with the webhook.

To automate certificate provisioning and lifecycle management, the operator relies on:

  • cert-manager

Without a certificate:

  • The webhook cannot be registered or invoked
  • The operator will fail to function correctly. 

Resolution

  • At present, Cert-Manager is a required dependency for Valkey Operator due to Kubernetes webhook security requirements.
  • There is no supported option to disable Cert-Manager today.
  • R&D is evaluating the feasibility of disabling Cert-Manager.