Manual TLS is broken
In Kubernetes, managing TLS certificates by hand is impractical: dozens of Ingresses, different hostnames, expirations, renewals, multi-tenant setups. Operators want a declarative flow: add an annotation or a CRD, and the cluster obtains and renews the certificate on its own.
The release
cert-manager was published by Jetstack (UK) in March 2017. Lead: James Munnelly. Written in Go, Apache 2.0 licence.
How it works
Three fundamental groups of CRDs:
- Issuer / ClusterIssuer — defines an authority (Let's Encrypt or any other ACME CA, HashiCorp Vault, a private CA, Venafi TPP/TLS Protect Datacenter or Venafi Cloud). An Issuer is namespaced; a ClusterIssuer is cluster-wide and its referenced Secrets live in cert-manager's own namespace.
- Certificate — the request for a certificate with one or more DNS SANs, issued into a Kubernetes TLS Secret and kept renewed
- CertificateRequest / Order / Challenge — intermediate objects: a CertificateRequest carries the CSR to whichever issuer is referenced; Order and Challenge exist only for the ACME flow
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata: { name: letsencrypt-prod }
spec:
  acme:
    email: ops@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef: { name: le-prod-key }
    solvers:
    - http01: { ingress: { class: nginx } }
On an Ingress the annotation cert-manager.io/cluster-issuer: letsencrypt-prod is enough: cert-manager's ingress-shim creates a Certificate for the hosts listed in the Ingress's tls block, and cert-manager issues the certificate into the TLS Secret named there and renews it before expiry.
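What the annotation flow produces, as an added example (not code from the original page or from the cert-manager project): an Ingress carrying the annotation, followed by the explicit Certificate that ingress-shim would derive from it, written out by hand so that the fields the annotation does not expose (lifetime, renewal window, key rotation) can be set. The namespace, hostname, Service name and Secret names are assumptions.

```yaml
# Added example, not part of the original page. Names are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: shop
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod   # ClusterIssuer defined above
spec:
  ingressClassName: nginx
  tls:
  - hosts: [shop.example.com]
    secretName: shop-example-com-tls   # ingress-shim issues into this Secret
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend: { service: { name: shop, port: { number: 80 } } }
---
# The equivalent explicit Certificate. Write it yourself instead of relying on
# the annotation when you need control over the fields below.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: shop-example-com
  namespace: shop                     # must be the namespace of the Ingress that uses the Secret
spec:
  secretName: shop-example-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
  dnsNames:
  - shop.example.com
  duration: 2160h                     # 90 days (Let's Encrypt issues 90-day certificates anyway)
  renewBefore: 720h                   # start renewal 30 days before notAfter
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always            # default is Never: the same private key is reused on every renewal
```

Check the result with `kubectl -n shop get certificate shop-example-com` (READY should be True) and, when it is not, `kubectl -n shop describe certificaterequest` and `kubectl -n shop describe challenge` show where the ACME flow stalled, typically an HTTP-01 challenge that the solver Ingress cannot serve from the public internet. The rotationPolicy line is the one most people miss: without it, a leaked key stays valid across renewals until someone rotates it by hand.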
Features
- ACME HTTP-01 and DNS-01 — DNS-01 is required for wildcards and is the only option when the hostname is not reachable from the internet on port 80
- DNS-01 providers — in-tree solvers for Route53, Cloudflare, Azure DNS, Google Cloud DNS, DigitalOcean, Akamai Edge DNS and RFC 2136 dynamic updates; many more (OVH, etc.) through webhook solvers
- Vault issuer — HashiCorp Vault PKI secrets engine
- Venafi — enterprise CA
- Self-signed / CA — bootstrap and operate internal CAs
- Automatic renewal — within a configurable window (renewBefore; by default renewal starts after two thirds of the certificate's lifetime)
- mTLS — workload certificates for Istio (istio-csr) and Linkerd (trust anchor and issuer certificates)
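The DNS-01 wildcard case from the list above, as an added example (not code from the original page or from the cert-manager project): a ClusterIssuer that solves DNS-01 through the in-tree Cloudflare solver, and a wildcard Certificate that uses it. The zone, the token Secret, the namespaces and all names are assumptions; the Secret for a ClusterIssuer is assumed to live in the default cluster resource namespace, cert-manager.

```yaml
# Added example, not part of the original page. Names and the zone are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager           # ClusterIssuer Secrets are read from cert-manager's own namespace
type: Opaque
stringData:
  api-token: REPLACE_WITH_TOKEN     # scope it to Zone:DNS:Edit + Zone:Zone:Read on example.com only
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns
spec:
  acme:
    email: ops@example.com
    # Validate the setup against staging first; its rate limits are far more
    # generous, and a misconfiguration will not burn the production quota.
    # Switch to https://acme-v02.api.letsencrypt.org/directory once it works.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef: { name: le-dns-key }
    solvers:
    - selector:
        dnsZones: [example.com]     # this solver only answers for names in this zone
      dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-apps-example-com
  namespace: tenants
spec:
  secretName: wildcard-apps-example-com-tls
  issuerRef: { name: letsencrypt-dns, kind: ClusterIssuer }
  dnsNames:
  - "*.apps.example.com"            # the wildcard; only DNS-01 can validate it
  - apps.example.com                # a wildcard does not cover the apex, list it explicitly
```

Two things follow from this manifest. The API token is the crown jewel of the setup, since whoever holds it can answer DNS-01 challenges for the whole zone and obtain certificates for any name in it, so it should be scoped to the one zone and the cert-manager namespace locked down with RBAC. And the resulting Secret is namespaced: tenants in other namespaces cannot read it, so in a multi-tenant cluster each tenant namespace needs its own Certificate (or a controlled copy of the Secret) rather than one shared wildcard object.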
Ecosystem integration
- Ingress NGINX, Traefik, Contour, HAProxy Ingress
- Istio (gateway), Linkerd (mTLS)
- ExternalDNS — combined with cert-manager for automatic DNS records plus TLS
Alternatives
- Traefik ACME — built into Traefik, fewer features
- Caddy — automatic HTTPS, but not Kubernetes-native
- kube-lego — Jetstack's predecessor, deprecated in favour of cert-manager
- AWS ACM on EKS, GKE Managed Certificates — cloud-specific and tied to the provider's load balancer
In the Italian context
cert-manager is becoming the reference choice for Kubernetes TLS among Italian companies moving K8s into production: multi-tenant B2B SaaS with Let's Encrypt DNS-01 wildcards, banks with internal CAs through the Vault issuer, digital public administration with certificates issued by CAs recognised by AgID, MSPs and hosting providers offering Kubernetes-as-a-Service.
References: cert-manager (Jetstack, March 2017); lead developer James Munnelly; Apache 2.0 licence; ACME, Vault, Venafi and private CA issuers; DNS-01 wildcard support.
