cert-manager: automatic TLS for Kubernetes

cert-manager (Jetstack, March 2017; donated to the CNCF in 2020) is a Kubernetes controller for TLS certificate automation. It obtains and renews certificates from Let's Encrypt and other ACME CAs, from HashiCorp Vault and from internal CAs, and supports DNS-01 validation for wildcard certificates. CNCF graduated in 2024.


Manual TLS is broken

In Kubernetes, managing TLS certificates by hand is impractical: dozens of Ingresses, many hostnames, expirations, renewals and multi-tenant environments. Operators want a declarative flow: add an annotation or a CRD, and the cluster obtains and renews the certificate on its own.

The release

cert-manager was published by Jetstack (UK; acquired by Venafi in 2020) in March 2017. Lead developer: James Munnelly. Written in Go under the Apache 2.0 licence. Donated to the CNCF in 2020, incubating since 2022, graduated on 12 November 2024 (KubeCon NA, Salt Lake City).

How it works

Three fundamental CRDs:

  • Issuer / ClusterIssuer — defines an authority (Let’s Encrypt, Vault, private CA, Venafi TPP/TLSPDC)
  • Certificate — certificate request for one or more DNS SANs
  • CertificateRequest / Order / Challenge — internal ACME flow

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata: { name: letsencrypt-prod }
spec:
  acme:
    email: ops@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef: { name: le-prod-key }
    solvers:
      - http01: { ingress: { class: nginx } }

On an Ingress, the annotation cert-manager.io/cluster-issuer: letsencrypt-prod is enough: cert-manager issues and renews the certificate automatically and stores it in the TLS Secret referenced by the Ingress.
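An added example (not from the original page or the cert-manager project) of the annotation-driven flow, wired to the letsencrypt-prod ClusterIssuer above. The hostname app.example.com, the Service name app and the Secret name are assumptions:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: default
  annotations:
    # Points at the ClusterIssuer defined above. cert-manager's ingress-shim
    # creates a Certificate resource for every host listed under spec.tls.
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  # Must match the ingress class the http01 solver uses, otherwise the
  # temporary /.well-known/acme-challenge/ route is never served.
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com                 # assumed hostname
      secretName: app-example-com-tls     # cert-manager writes tls.crt/tls.key here
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app                 # assumed backend Service
                port:
                  number: 80
```

Two checks worth doing after applying this: kubectl get certificate -n default should show READY=True within a minute or two, and if it stays False, kubectl describe challenge -n default shows why the HTTP-01 validation failed (typically the hostname does not resolve publicly to the ingress, or port 80 is not reachable from the internet). HTTP-01 cannot issue wildcards; for those the DNS-01 solver is required.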

Features

  • ACME HTTP-01 and DNS-01 — DNS-01 required for wildcards
  • DNS providers 50+ (Route53, Cloudflare, Azure DNS, GCP, OVH, DigitalOcean, etc.)
  • Vault issuer — HashiCorp Vault PKI
  • Venafi — enterprise CA
  • Self-signed / CA — internal CAs
  • Automatic renewal — within a configurable window before expiry
  • mTLS — for Istio, Linkerd integration
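The DNS-01 wildcard and renewal-window features above, shown together in an added example that is not from the original page or the cert-manager project. It uses the Cloudflare DNS-01 solver; the zone example.com, the Secret and resource names and the token placeholder are assumptions:

```yaml
# Cloudflare API token used by the DNS-01 solver. For a ClusterIssuer the
# Secret must live in the cert-manager namespace (the cluster resource namespace).
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  api-token: "<CLOUDFLARE_API_TOKEN>"   # placeholder; scope it to DNS edit on this zone only
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-dns
spec:
  acme:
    email: ops@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: le-prod-dns-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
        selector:
          dnsZones:
            - example.com              # assumed zone; solver only handles names under it
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: default
spec:
  secretName: wildcard-example-com-tls   # the TLS Secret Ingresses reference
  issuerRef:
    name: letsencrypt-prod-dns
    kind: ClusterIssuer
  dnsNames:
    - "example.com"
    - "*.example.com"                    # wildcard SAN: only possible with DNS-01
  duration: 2160h                        # 90 days (Let's Encrypt issues 90-day certs regardless)
  renewBefore: 720h                      # start renewal 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always               # fresh key on every renewal, not reuse of the old one
```

The selector restricts the solver to the assumed zone, so a mistaken DNS token cannot be used to validate names outside it. The renewal window is what makes the feature safe operationally: with renewBefore at 720h, cert-manager retries for a month before the wildcard actually expires, and kubectl get certificate -A is the single place to watch for READY=False across all namespaces.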

Ecosystem integration

  • Ingress NGINX, Traefik, Contour, HAProxy Ingress
  • Istio (gateway), Linkerd (mTLS)
  • Gateway API (K8s native, GA 2023)
  • External DNS — combination for auto-DNS + TLS
  • ArgoCD/Flux — declarative management with GitOps

Alternatives

  • Traefik ACME — built into Traefik, fewer features
  • Caddy — automatic HTTPS, but not Kubernetes-native
  • kube-lego — predecessor, deprecated
  • EKS ACM, GKE Managed Certs — cloud-specific

In the Italian context

cert-manager is the de facto standard for Kubernetes TLS in Italian companies:

  • B2B SaaS multi-tenant with Let’s Encrypt DNS-01 wildcard
  • Banks with internal CAs (Vault issuer)
  • Digital public-administration (PA) services with certificates issued by AgID CAs
  • MSPs managing K8s for clients
  • Italian hosting providers with Kubernetes-as-a-Service

The use of Let’s Encrypt DNS-01 via cert-manager is almost ubiquitous where K8s is in prod.


References: cert-manager (Jetstack, March 2017). James Munnelly. Apache 2.0 licence. Venafi owner since 2020. CNCF graduated (12 November 2024, KubeCon NA). ACME, Vault, Venafi, private CA issuer. DNS-01 wildcard support.
