Why cert-manager
cert-manager automates TLS certificate management in Kubernetes: it issues, renews, and rotates certificates from Let's Encrypt (or any other ACME provider), HashiCorp Vault, or Venafi. No more expired certs.
Install
    helm repo add jetstack https://charts.jetstack.io
    helm install cert-manager jetstack/cert-manager \
      --namespace cert-manager --create-namespace \
      --set crds.enabled=true
Set Up Let's Encrypt
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: admin@example.com
        privateKeySecretRef:
          name: letsencrypt-prod
        solvers:
          - http01:
              ingress:
                class: nginx
Request a Certificate
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: example-com
      namespace: production
    spec:
      secretName: example-com-tls
      issuerRef:
        name: letsencrypt-prod
        kind: ClusterIssuer
      dnsNames:
        - example.com
        - www.example.com
Auto-TLS with Ingress Annotation
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: my-app
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
    spec:
      tls:
        - hosts:
            - app.example.com
          secretName: app-tls
      rules:
        - host: app.example.com
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: my-app
                    port:
                      number: 8080
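Just add the annotation: cert-manager creates a Certificate for the hosts listed under tls, stores the issued key and certificate in the app-tls Secret, and renews it automatically.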
Key Features
- Auto-renewal — certificates renew before expiry
- ACME support — Let's Encrypt, ZeroSSL, BuyPass
- Vault integration — issue certs from HashiCorp Vault
- DNS validation — Route53, Cloudflare, Google DNS
- CNCF Graduated — production standard