Limited Time Offer!
For Less Than the Cost of a Starbucks Coffee, Access All DevOpsSchool Videos on YouTube Unlimitedly.
Master DevOps, SRE, DevSecOps Skills!
Quick Definition (30โ60 words)
cert-manager is a Kubernetes-native automation tool that issues and renews TLS certificates from various issuers. Analogy: cert-manager is the automated post office that fetches, delivers, and renews encryption keys for services. Formal: It is a Kubernetes controller and CRD set that automates X.509 certificate lifecycle management.
What is cert-manager?
cert-manager is a Kubernetes controller that automates obtaining, renewing, and using TLS certificates inside Kubernetes clusters. It is NOT a certificate authority itself; instead it orchestrates ACME, CA, Vault, and other issuers to provision X.509 certificates and inject them into Kubernetes resources.
Key properties and constraints:
- Kubernetes-native: runs as controllers and uses Custom Resource Definitions (CRDs).
- Supports multiple issuers: ACME, CA, Venafi, HashiCorp Vault, and external webhook issuers.
- Manages certificate lifecycle: request, validation, issuance, renewal, and secret rotation.
- Scope: cluster or namespace level depending on resource configuration and RBAC.
- Constraint: relies on network access to issuers and DNS or HTTP validation mechanisms.
- Constraint: not a general-purpose secrets manager replacement; pairs with secret backends.
Where it fits in modern cloud/SRE workflows:
- CI/CD: automates cert provisioning during application deployment.
- Platform engineering: centralizes PKI policy and vault integrations.
- Edge and ingress: automates TLS termination for ingress controllers.
- Service mesh: automates mTLS certificates for workloads when integrated.
- Security/ops: reduces manual certificate expiry incidents and on-call load.
Diagram description (text-only):
- Users declare Certificate CRD in Kubernetes -> cert-manager controller watches CRDs -> cert-manager requests certificate from Issuer CRD -> Issuer performs validation (DNS or HTTP) -> Certificate is issued by CA/ACME/Vault -> cert-manager writes TLS secret into target namespace -> Ingress/Service picks up secret and serves TLS -> cert-manager monitors expiry and renews as needed.
cert-manager in one sentence
cert-manager is a Kubernetes controller that automates certificate issuance and lifecycle management using configurable issuers and validations.
cert-manager vs related terms (TABLE REQUIRED)
| ID | Term | How it differs from cert-manager | Common confusion |
|---|---|---|---|
| T1 | CA | CA issues certificates not orchestrates them | CA vs controller roles |
| T2 | ACME | ACME is a protocol cert-manager can use | Protocol vs controller |
| T3 | Vault | Vault is a secret store and issuer option | Secrets vs issuer confusion |
| T4 | Ingress controller | Handles traffic routing not issuance | TLS termination vs issuance |
| T5 | Service Mesh | Provides mTLS features separate from cert-manager | mTLS automation overlap |
| T6 | Secrets Manager | Stores secrets but may not automate issuance | Storage vs lifecycle |
| T7 | PKI | PKI is the broader system cert-manager integrates with | System vs tool |
| T8 | Webhook issuer | A plugin type used by cert-manager | Extensibility vs core feature |
Row Details (only if any cell says โSee details belowโ)
Not needed.
Why does cert-manager matter?
Business impact:
- Revenue and trust: Avoids expired TLS on customer-facing services which can block revenue and break user trust.
- Risk reduction: Lowers likelihood of misconfigured TLS leading to data exposure or regulatory non-compliance.
- Operational efficiency: Automates repetitive certificate tasks that otherwise require expert intervention.
Engineering impact:
- Incident reduction: Proactively renews certificates and rotates secrets to prevent certificate-expiry incidents.
- Velocity: Developers can declare certificate needs in manifests and get automated provisioning as part of GitOps.
- Standardization: Enforces PKI policy via centralized issuer configurations, reducing divergent practices.
SRE framing:
- SLIs/SLOs: TLS availability and certificate validity windows become measurable SLIs.
- Toil reduction: Removes manual certificate issuance and recurring renewals from on-call duties.
- On-call: Lowers pager volume for certificate expiration but requires monitoring of issuer availability and renewal failures.
- Error budgets: Certificate-related incidents should be accounted for when measuring service reliability; renewals and misconfigurations can consume budget.
Realistic โwhat breaks in productionโ examples:
- Ingress TLS secret expired -> customer-facing site returns browser warnings -> revenue impact during peak.
- DNS validation fails for ACME due to DNS provider API outage -> cert-manager cannot obtain certs -> new services remain HTTP only.
- Vault CA revoked intermediate -> cert-manager continues attempting renewals until issuer errors escalate -> mass certificate rotation required.
- RBAC misconfiguration prevents cert-manager from writing secrets -> certificates are issued but not deployed -> services still serve old certs.
- Multiple cert-manager instances misconfigured with different issuers -> conflicting secrets created -> intermittent TLS mismatches and client failures.
Where is cert-manager used? (TABLE REQUIRED)
| ID | Layer/Area | How cert-manager appears | Typical telemetry | Common tools |
|---|---|---|---|---|
| L1 | Edge | Automates TLS for ingress and load balancers | Cert renewals per ingress and errors | Ingress controllers |
| L2 | Network | Issues certs for gateways and proxies | TLS handshake failures | Service mesh proxies |
| L3 | Service | Provides mTLS certs to workloads | Certificate rotation events | Mesh controllers |
| L4 | Application | Injects TLS secrets into app pods | Secret update events | CI/CD pipelines |
| L5 | Platform | Central PKI orchestration for clusters | Issuer health metrics | Vault and PKI tools |
| L6 | Data | Certificates for databases and connectors | Client cert auth failures | DB clients and sidecars |
| L7 | Kubernetes | Native controller and CRDs | Controller metrics and events | kubectl and controllers |
| L8 | Serverless | Issues certs for managed endpoints | Function TLS errors | PaaS integrations |
| L9 | CI/CD | Auto-provision during deploy pipeline | Pipeline step durations | GitOps tools |
| L10 | Observability | Emits metrics and events for cert ops | Renewal latency and failures | Monitoring stacks |
Row Details (only if needed)
Not needed.
When should you use cert-manager?
When itโs necessary:
- You run services on Kubernetes and need automated TLS.
- You require ACME or Vault-based issuance integrated into cluster workflows.
- You want centralized certificate lifecycle management for many services.
When itโs optional:
- Small teams with a single static cert that rarely changes.
- When cloud provider managed TLS meets all requirements and you prefer vendor-managed flow.
When NOT to use / overuse it:
- For workloads entirely outside Kubernetes without a bridge to Kubernetes secrets.
- For ephemeral, local development where local tooling is sufficient.
- If you require specialized HSM workflows not supported by available issuers without custom integration.
Decision checklist:
- If Kubernetes + multiple services + need TLS automation -> use cert-manager.
- If single managed load balancer with provider TLS + no internal certs -> optional.
- If HSM-only issuance with restricted APIs -> consider custom controller or provider integration.
Maturity ladder:
- Beginner: Use cert-manager with ACME and a single issuer for ingress TLS.
- Intermediate: Integrate cert-manager with Vault or internal CA and automate per-namespace issuers.
- Advanced: Use multi-cluster certificate management, webhook issuers, and automated rotation tied to policy and CI/CD gates.
How does cert-manager work?
Step-by-step components and workflow:
- User defines Issuer or ClusterIssuer CRD representing an issuer configuration.
- User creates a Certificate CRD referencing the issuer and desired secret name.
- cert-manager controller watches Certificate and Issuer CRDs.
- Controller formulates a certificate request to the issuer using configured challenge type (HTTP-01, DNS-01, or others).
- Controller performs validation: creates challenge resources, manipulates DNS via DNS provider API, or configures ingress for HTTP challenge.
- Issuer responds with signed certificate; cert-manager stores the cert and key in a Kubernetes Secret.
- Applications reference the secret via Ingress, Deployment, or ServiceAccount for mTLS.
- cert-manager watches certificate expiration and triggers renewal before expiry, repeating the validation workflow.
- Events and metrics are emitted for successful and failed issuances.
Data flow and lifecycle:
- Declaration -> Request -> Validation -> Issuance -> Storage -> Rotation -> Cleanup.
- Secrets are updated atomically to allow consumers to pick up new certs with minimal disruption.
- Issuer credentials (API tokens, root keys) are stored securely in Kubernetes secrets and often backed by external secret stores.
Edge cases and failure modes:
- ACME HTTP challenge fails when ingress path conflicts.
- DNS API rate limits stop DNS-01 validation for large scale.
- RBAC prevents writing secrets; issuance may succeed but deployment fails.
- Issuer service outage (Vault) halts new requests and renewals.
Typical architecture patterns for cert-manager
- Single cluster, single issuer ACME: Simple public TLS for ingress.
- Platform issuer model: Central ClusterIssuer pointing to Vault for tenant namespaces.
- Multi-tenant per-namespace issuers: Namespaced Issuers controlled by platform teams.
- Service mesh integration: cert-manager issues mTLS certs for sidecars.
- GitOps-driven certificate declarations: Certificate CRDs stored in Git and applied via controllers.
Failure modes & mitigation (TABLE REQUIRED)
| ID | Failure mode | Symptom | Likely cause | Mitigation | Observability signal |
|---|---|---|---|---|---|
| F1 | Expired cert in use | Browser TLS warnings | Renewal failed | Investigate issuer errors and retry | Certificate expiry metric |
| F2 | DNS validation failures | ACME challenges timeout | DNS API errors or records wrong | Check DNS provider logs and rate limits | Challenge failure count |
| F3 | RBAC prevented secret write | Issued cert not deployed | Controller lacks permission | Update RoleBinding and reapply | K8s event failures |
| F4 | Issuer unavailable | Issuance requests error | Vault or CA outage | Switch to secondary issuer or failover | Issuer error rate |
| F5 | Secret rotation race | App serves old cert | Consumers not reloading secrets | Restart or ensure hot reload | Secret update events |
| F6 | Rate limits hit | ACME rejects requests | Too many requests to CA | Rate limit batching and backoff | HTTP 429 metrics |
| F7 | Conflicting controllers | Duplicate secrets | Two cert managers or webhook conflict | Consolidate controllers and RBAC | Duplicate resource events |
| F8 | Incorrect challenge ingress | HTTP challenge 404 | Ingress path misrouting | Fix ingress rules or use DNS challenge | Challenge status logs |
Row Details (only if needed)
Not needed.
Key Concepts, Keywords & Terminology for cert-manager
This glossary lists key terms with definitions, why they matter, and common pitfalls.
- Certificate โ X.509 artifact representing public key and identity โ Important for TLS and mTLS โ Pitfall: forgetting renewal windows.
- Issuer โ cert-manager CRD representing an issuer configuration โ Core for choosing where certs come from โ Pitfall: misconfigured credentials.
- ClusterIssuer โ cluster-scoped Issuer CRD โ Useful for central management โ Pitfall: overly broad RBAC.
- ACME โ Automatic Certificate Management Environment protocol โ Common for public CA issuance โ Pitfall: DNS challenges complexity.
- CA โ Certificate Authority that signs certificates โ Root of trust โ Pitfall: key compromise risk.
- Vault โ Secret management system often used as issuer โ Centralized and auditable โ Pitfall: availability dependencies.
- Webhook issuer โ Extensible issuer plugin for custom flows โ Enables bespoke PKI โ Pitfall: operator burden for security.
- Secret โ Kubernetes object storing cert and key โ How apps consume certs โ Pitfall: accidental exposure in RBAC or logs.
- CertificateRequest โ internal cert-manager CRD representing a request โ Useful for debugging request lifecycle โ Pitfall: opaque errors without logs.
- Order โ ACME term for the order lifecycle โ Shows ACME state โ Pitfall: stuck orders from failed challenges.
- Challenge โ ACME challenge object for validation โ Critical for proving domain ownership โ Pitfall: timeouts or incorrect DNS records.
- Renewals โ Process to refresh certificates before expiry โ Keeps services secure โ Pitfall: insufficient renewal lead time.
- Revoke โ Action to invalidate a certificate โ Required after compromise โ Pitfall: revocation propagation delays.
- KeyUsage โ X.509 attribute defining key purpose โ Ensures certs used correctly โ Pitfall: incorrect usages for mTLS.
- SubjectAltName โ List of authorized hostnames in cert โ Ensures host validation โ Pitfall: missing domains.
- Controller โ Kubernetes process running cert-manager logic โ Core component โ Pitfall: resource limits causing missed events.
- CRD โ Custom Resource Definition for cert-manager types โ Extends Kubernetes API โ Pitfall: CRD schema drift during upgrades.
- ACME HTTP-01 โ HTTP challenge type โ Useful for web-accessible domains โ Pitfall: ingress conflicts break validation.
- ACME DNS-01 โ DNS challenge type โ Useful for wildcard certs โ Pitfall: provider API limits and propagation delay.
- SecretName โ Name of K8s secret where cert is stored โ How apps locate certs โ Pitfall: collisions across namespaces.
- RenewBefore โ Certificate field controlling renewal threshold โ Controls renewal timing โ Pitfall: too short causes early renewals.
- Duration โ Certificate validity period โ Determines renewal cadence โ Pitfall: very short lifetimes increase load.
- Controller-runtime โ library used by cert-manager โ Implementation detail โ Pitfall: operator upgrades may require control plane compatibility.
- ChallengeSolver โ cert-manager configuration for challenge handling โ Important for automation โ Pitfall: misconfigured solvers.
- IngressShim โ legacy behavior to auto-create Certificates from Ingress โ Simplifies use โ Pitfall: implicit resources can be surprising.
- Approval โ Manual step option for issuance โ Provides control โ Pitfall: blocks automation if misused.
- SecretRotation โ Process of replacing secret contents โ Maintains key freshness โ Pitfall: consumer reload assumptions.
- Kubernetes API โ Platform cert-manager integrates with โ Provides objects and events โ Pitfall: API throttling interferes with controllers.
- Metric โ Telemetry emitted by cert-manager โ Enables observability โ Pitfall: missing metrics reduce visibility.
- Event โ Kubernetes event tied to resource lifecycle โ Useful for troubleshooting โ Pitfall: ephemeral and easily missed.
- Webhook โ Admission or issuer webhook interacting with cert-manager โ Extensible integration point โ Pitfall: securing webhooks is essential.
- TLS โ Transport Layer Security using cert-manager-managed certs โ Core security goal โ Pitfall: version/algorithm mismatches.
- mTLS โ Mutual TLS using client certs โ Strong service auth method โ Pitfall: complexity in rotation and trust anchors.
- Hot reload โ Application reload of new certs without restart โ Reduces downtime โ Pitfall: not all apps support it.
- Namespace โ K8s namespace where resources live โ Scoping unit โ Pitfall: namespace isolation causing resource visibility issues.
- RBAC โ Kubernetes role-based access control โ Secures cert-manager operations โ Pitfall: overly permissive roles.
- KeyProtection โ HSM or KMS used to protect private keys โ Increases security โ Pitfall: integration and performance impacts.
- AuditLog โ Records issuance and access events โ Essential for compliance โ Pitfall: logging sensitive fields inadvertently.
- CAChain โ Intermediate and root chain presented with cert โ Needed for trust โ Pitfall: missing chain leads to client errors.
- Autoscaler โ May interact with cert-manager when scaling controllers โ Ensures capacity โ Pitfall: not scaling during spikes causes backlog.
- LifecycleHook โ Steps tied to cert lifecycle like pre or post actions โ Useful for automation โ Pitfall: complexity and side effects.
How to Measure cert-manager (Metrics, SLIs, SLOs) (TABLE REQUIRED)
| ID | Metric/SLI | What it tells you | How to measure | Starting target | Gotchas |
|---|---|---|---|---|---|
| M1 | Certificate validity uptime | Percentage of certs valid over time | Count valid certs over total | 99.9% weekly | Needs accurate inventory |
| M2 | Renewal success rate | Percentage of renewals that succeed | Successful renewals over attempts | 99.5% | Short windows hide failures |
| M3 | Issuance latency | Time from request to issued secret | Histogram of issuance durations | P95 below 2m | ACME challenge delays skew P95 |
| M4 | Issuer error rate | Errors talking to issuer | Error count per issuer per minute | Less than 1% | External CA outages affect this |
| M5 | Secret rotation time | Time between new cert and app serving it | Observe secret update to service handshake | P95 below 1m | App hot reload required |
| M6 | Challenge failures | Number of failed ACME challenges | Failed challenges per hour | Near 0 for production | DNS propagation causes false failures |
| M7 | Controller restarts | Stability of cert-manager pods | Restart count per period | Zero unexpected restarts | OOMs cause restarts |
| M8 | Certificate age distribution | How old certs are at any time | Histogram of ages | RenewBefore satisfied with margin | Short lifetime increases churn |
| M9 | Backlog size | Pending CertificateRequests queue | Pending requests in API | Keep near 0 | API throttles lead to backlog |
| M10 | RBAC denied ops | Permission issues causing failures | Count of denied events | Zero expected | RBAC drift across clusters |
Row Details (only if needed)
Not needed.
Best tools to measure cert-manager
Tool โ Prometheus
- What it measures for cert-manager: Controller metrics, issuance counts, errors, latencies.
- Best-fit environment: Kubernetes clusters with Prometheus stack.
- Setup outline:
- Deploy cert-manager with metrics enabled.
- Configure Prometheus scrape config for cert-manager pod endpoints.
- Create alerting rules for renewal failures and high error rates.
- Store historical data for analysis.
- Strengths:
- Flexible querying and alerting.
- Ecosystem integration.
- Limitations:
- Requires maintenance and resource overhead.
- Long-term storage needs separate components.
Tool โ Grafana
- What it measures for cert-manager: Visualization of Prometheus metrics and dashboards.
- Best-fit environment: Teams needing dashboards and visualization.
- Setup outline:
- Connect Grafana to Prometheus.
- Import or build cert-manager dashboards.
- Create role-based dashboard shares.
- Strengths:
- Rich visualization and templating.
- Alerting integrations.
- Limitations:
- Dashboards need curation.
- Not a metrics storage backend.
Tool โ Kubernetes Events / kubectl
- What it measures for cert-manager: Real-time events for Certificate and Issuer resources.
- Best-fit environment: Debugging and ad-hoc troubleshooting.
- Setup outline:
- Use kubectl describe and get events.
- Use event exporters for long-term capture.
- Strengths:
- Immediate and precise resource insight.
- Limitations:
- Events are ephemeral; need exporting for history.
Tool โ Alertmanager
- What it measures for cert-manager: Alert routing and deduplication for Prometheus alerts.
- Best-fit environment: Teams with alerting and on-call rotation.
- Setup outline:
- Configure routes and receivers for cert-manager alerts.
- Group alerts by team and service.
- Strengths:
- Flexible routing and silencing.
- Limitations:
- Misconfig can cause noisy pages.
Tool โ HashiCorp Vault metrics
- What it measures for cert-manager: Issuer-level metrics when Vault is used.
- Best-fit environment: Vault-backed PKI issuers.
- Setup outline:
- Enable Vault metrics and collect them via Prometheus.
- Correlate Vault errors with cert-manager events.
- Strengths:
- Visibility into issuer internals.
- Limitations:
- Dependent on Vault version and exporter.
Recommended dashboards & alerts for cert-manager
Executive dashboard:
- Panel: Total valid certificates vs total certificates โ Shows high-level health.
- Panel: Renewal success rate last 30d โ Business-facing reliability.
- Panel: Critical services with expiring certs in 7d โ Risk report.
On-call dashboard:
- Panel: Recent renewal failures and counts by issuer โ Immediate troubleshooting.
- Panel: Controller pod restarts and errors โ Operational stability.
- Panel: Pending CertificateRequests and backlog โ Incident triage.
- Panel: Top services with secret rotation delay โ Prioritize fixes.
Debug dashboard:
- Panel: Per-certificate issuance latency histogram โ Pinpoint slow requests.
- Panel: ACME challenge statuses and logs โ Validate challenge failures.
- Panel: DNS provider API error rates โ Correlate DNS issues.
- Panel: Secret update events with timestamp diffs โ Trace rotation issues.
Alerting guidance:
- Page vs ticket: Page for global certificate expiry impacting many users or public sites; ticket for single non-critical service.
- Burn-rate guidance: If renewal failures exceed baseline and error budget consumption is high, escalate; use a short burn-rate window for certificate incidents because they can escalate quickly.
- Noise reduction tactics: Group related alerts by issuer and service; dedupe alerts across clusters; use suppression during planned maintenance.
Implementation Guide (Step-by-step)
1) Prerequisites – Kubernetes cluster with RBAC and CRD support. – DNS provider API credentials or Vault/CA access. – Monitoring stack for metrics and alerts. – GitOps or CI/CD pipeline for manifest management.
2) Instrumentation plan – Enable cert-manager metrics in deployment. – Add Prometheus scrape config for cert-manager endpoints. – Export Kubernetes events to observability pipeline.
3) Data collection – Collect metrics: issuance latency, errors, renewals. – Collect logs from cert-manager controllers. – Export events and CertificateRequest resources.
4) SLO design – Define SLI: percentage of customer-facing ingress with valid certs. – Set SLO: e.g., 99.9% monthly for public endpoints (example starting point). – Define error budget and escalation policy.
5) Dashboards – Build executive, on-call, and debug dashboards as described above. – Add per-issuer views for teams that own issuers.
6) Alerts & routing – Alert on renewal failure rate, expiring certificates in 7 and 48 hours, and issuer unavailability. – Route critical pages to platform on-call; lower severity to platform slack.
7) Runbooks & automation – Create runbooks for common incidents: failed DNS challenge, RBAC denied, issuer outage. – Automate common remediations: reapply RBAC, recreate DNS entries, switch issuer.
8) Validation (load/chaos/game days) – Run load tests to validate DNS provider rate limits. – Simulate issuer outage and validate failover. – Run game days for certificate expiration scenarios.
9) Continuous improvement – Review postmortems for certificate incidents. – Tune RenewBefore and Duration for operational cost. – Add automation for rare manual approval steps if safe.
Pre-production checklist
- CRDs applied and controller running.
- Issuer test certificate can be issued.
- Metrics scraping confirmed.
- RBAC scoped and tested.
- DNS and issuer credentials present and valid.
Production readiness checklist
- Renewal alerts configured for 7 and 48 hours.
- On-call runbooks completed and accessible.
- Backup issuer or failover plan validated.
- Secret rotation tested with sample workloads.
- Security review of issuer credentials and access.
Incident checklist specific to cert-manager
- Identify affected certificates and services.
- Check cert-manager logs and CertificateRequest resources.
- Verify issuer health and DNS provider status.
- Apply mitigation: reissue, switch issuer, or manual secret injection.
- Update postmortem with root cause and prevention.
Use Cases of cert-manager
1) Public website TLS automation – Context: Hosting multiple domains. – Problem: Manual renewals cause expirations. – Why cert-manager helps: ACME automation for issuance and renewal. – What to measure: Renewal success rate and expiry lead time. – Typical tools: ACME issuer, Ingress controller, Prometheus.
2) Ingress TLS for multi-tenant clusters – Context: Platform hosts tenant apps. – Problem: Tenant-specific certs management at scale. – Why cert-manager helps: Namespace-scoped Issuers and automation. – What to measure: Issuance latency and failure per tenant. – Typical tools: ClusterIssuer, GitOps.
3) Service mesh mTLS certificates – Context: Sidecars require short-lived client certs. – Problem: Manual certificate rotation for sidecars. – Why cert-manager helps: Automates mTLS certificate lifecycle. – What to measure: Rotation success rate and sidecar handshake errors. – Typical tools: cert-manager, mesh control plane.
4) Internal PKI with Vault – Context: Enterprise internal CA. – Problem: Central CA signing and audit requirements. – Why cert-manager helps: Bridges Kubernetes workloads to Vault. – What to measure: Vault errors and certificate audit logs. – Typical tools: Vault issuer, Prometheus.
5) Database client certificates – Context: Enforce client cert auth for DBs. – Problem: Provisioning and rotating client certs is manual. – Why cert-manager helps: Automates client cert issuance to secrets used by DB clients. – What to measure: DB auth failures and rotation latency. – Typical tools: cert-manager, DB clients, sidecars.
6) Certificate issuance via GitOps – Context: Infrastructure declared in Git. – Problem: Certificates need to be reproducible from manifests. – Why cert-manager helps: Certificate CRDs persisted in Git allow automated issuance. – What to measure: Drift between Git and cluster state and issuance success. – Typical tools: ArgoCD, Flux.
7) Canary deployments with cert rotation – Context: Rolling updates must preserve TLS availability. – Problem: Secret rotation causing errors during rollout. – Why cert-manager helps: Atomic secret updates support canaries. – What to measure: Secret rotation timing and successful handshake counts. – Typical tools: cert-manager, deployment controllers.
8) Serverless endpoints TLS – Context: Managed functions need valid TLS. – Problem: Provider-managed TLS lacking integration with internal certs. – Why cert-manager helps: Issues certs for custom domains attached to serverless. – What to measure: Renewal rates and custom domain availability. – Typical tools: cert-manager, platform provider integrations.
Scenario Examples (Realistic, End-to-End)
Scenario #1 โ Kubernetes ingress TLS for multi-domain
Context: Platform hosts dozens of public services across domains.
Goal: Automate TLS issuance and renewal without manual steps.
Why cert-manager matters here: Eliminates manual cert tracking and prevents expiry incidents.
Architecture / workflow: Ingress -> cert-manager ACME issuer -> DNS-01 via provider -> Secret populated -> Ingress references secret.
Step-by-step implementation:
- Install cert-manager CRDs and controller.
- Configure ClusterIssuer with ACME and DNS provider credentials.
- Create Certificate CRDs per ingress or configure IngressShim to auto-create.
- Monitor issuance and set alerts for failures.
What to measure: Renewal success rate, issuance latency, DNS challenge failures.
Tools to use and why: cert-manager for issuance, DNS provider API, Prometheus/Grafana for metrics.
Common pitfalls: DNS propagation delays and provider rate limits.
Validation: Deploy test hostnames and confirm HTTPS served, simulate DNS delays in staging.
Outcome: Reduced certificate incidents and automated renewal.
Scenario #2 โ Serverless managed PaaS custom domain TLS
Context: Team uses managed PaaS with custom domains attached to functions.
Goal: Provision certificates for custom domains automatically.
Why cert-manager matters here: Bridges Kubernetes-based cert automation to PaaS-managed endpoints via DNS challenges.
Architecture / workflow: PaaS function uses custom domain -> DNS-01 challenge via cert-manager -> Cert stored in K8s secret -> External process uploads cert to provider or provider picks it up.
Step-by-step implementation:
- Use DNS-01 with provider DNS API configured in ClusterIssuer.
- Automate a small bridge process to push secrets to PaaS if required.
- Monitor and rotate certs programmatically.
What to measure: Custom domain TLS availability and secret sync success.
Tools to use and why: cert-manager, DNS provider, small integration operator for sync.
Common pitfalls: Provider API gaps for automated cert upload.
Validation: End-to-end test custom domain and cert sync.
Outcome: Automatic TLS for serverless custom domains with low ops overhead.
Scenario #3 โ Incident response: expired cert in production
Context: Production website served TLS terminated by ingress; cert expired unexpectedly.
Goal: Restore HTTPS fast and prevent repeat.
Why cert-manager matters here: Detect renewal failure causes and fix automation.
Architecture / workflow: Inspect cert-manager events -> examine CertificateRequest -> check issuer and DNS provider.
Step-by-step implementation:
- Triage using cert-manager logs and events.
- If DNS challenge failed, update DNS or switch to HTTP challenge if applicable.
- If RBAC blocked secret write, fix RoleBinding and reapply Certificate.
- Reissue certificate manually if necessary and update secret.
What to measure: Time to restore TLS, root cause categories, recurrence rate.
Tools to use and why: kubectl for events, Prometheus for alert, logs for details.
Common pitfalls: Manual fixes not codified leading to repeat incidents.
Validation: Postmortem and test change in staging.
Outcome: Restored TLS and improved CI/CD automation to prevent repeat.
Scenario #4 โ Cost vs performance trade-off: short-lived mTLS certs
Context: Service mesh uses short-lived client certs for strong security.
Goal: Balance increased issuance load with security goals.
Why cert-manager matters here: Automates frequent issuances and rotations.
Architecture / workflow: cert-manager issues short-lived certs to sidecars via Issuer or webhook -> sidecars rotate frequently.
Step-by-step implementation:
- Configure Issuer with short Duration and RenewBefore.
- Monitor issuance latency and issuer load.
- Implement batching or caching where appropriate.
What to measure: Issuance rate, issuer error rate, CPU/network impact.
Tools to use and why: Prometheus for metrics, observability to measure issuance churn.
Common pitfalls: Hitting CA rate limits and increased operation cost.
Validation: Load tests simulating rotation frequency and measure performance/cost.
Outcome: Optimal lifetime balancing security and cost.
Common Mistakes, Anti-patterns, and Troubleshooting
List of common mistakes with symptom -> root cause -> fix:
- Symptom: Certificates expiring in production -> Root cause: RenewBefore too small or renewals failing -> Fix: Increase RenewBefore and fix renewal failures.
- Symptom: ACME HTTP challenge 404 -> Root cause: Ingress path misrouting or conflicting rules -> Fix: Correct ingress rules or use DNS-01.
- Symptom: DNS challenge never validated -> Root cause: DNS provider API rate limits or propagation -> Fix: Implement rate limiting, retry backoff, or use alternate provider.
- Symptom: Issued cert not visible to app -> Root cause: RBAC prevents secret creation or wrong secret name -> Fix: Grant permissions and align secret names.
- Symptom: Duplicate secrets created -> Root cause: Multiple controllers or misconfigured ClusterIssuer -> Fix: Consolidate controllers and ensure single issuer per workflow.
- Symptom: High issuance latency -> Root cause: Slow DNS propagation or issuer overload -> Fix: Optimize solver; add secondary issuer or caching.
- Symptom: Frequent controller restarts -> Root cause: Resource limits or OOM -> Fix: Increase resource limits and fix memory leaks.
- Symptom: Secret update not causing app reload -> Root cause: App lacks hot reload support -> Fix: Implement lifecycle hooks or sidecar reload.
- Symptom: ACME 429 errors -> Root cause: Rate limits on CA -> Fix: Use staging for tests and throttle requests in automation.
- Symptom: Vault issuing unexpected certs -> Root cause: Vault role misconfiguration -> Fix: Validate Vault roles and policies.
- Symptom: Events absent for failed requests -> Root cause: Event TTL and missing exporters -> Fix: Export events to durable store.
- Symptom: Alerts noisy with duplicates -> Root cause: Alerts firing per-certificate without grouping -> Fix: Group alerts by issuer or service.
- Symptom: Secrets leaked to logs -> Root cause: Misconfigured logging or controllers exposing secrets -> Fix: Mask secrets and set logging levels.
- Symptom: CertificateRequest stuck pending -> Root cause: Approval required or webhook failure -> Fix: Approve or fix webhook health.
- Symptom: Applications use wrong SAN -> Root cause: Certificate spec missing SAN entries -> Fix: Update Certificate CRD to include required SANs.
- Symptom: Manual rotation interrupts traffic -> Root cause: Non-atomic secret updates -> Fix: Use atomic secret replacement and coordinate reloads.
- Symptom: Post-deployment TLS failures -> Root cause: Race between deployment and cert issuance -> Fix: Gate rollouts on certificate readiness.
- Symptom: Observability gaps -> Root cause: Missing metrics or exporters -> Fix: Enable cert-manager metrics and event exporters.
- Symptom: Too many short-lived certs -> Root cause: Overly aggressive Duration setting -> Fix: Evaluate security trade-offs and increase duration.
- Symptom: Cross-namespace secret access failure -> Root cause: Namespace isolation -> Fix: Use proper secrets or service account token exchange.
- Symptom: Webhook issuer insecure -> Root cause: Missing TLS for webhooks -> Fix: Secure webhooks and manage certificates for webhook server.
- Symptom: Inconsistent behavior across clusters -> Root cause: Different issuer configs -> Fix: Standardize issuer CRDs via GitOps.
- Symptom: Certificate revocation not propagated -> Root cause: Revocation checks not enforced by clients -> Fix: Update client revocation checking policies and CRL distribution.
Observability pitfalls (at least five included above):
- Missing metrics for issuance latency.
- Events not exported and lost.
- Alerts not grouped causing noise.
- Logs exposing secrets.
- Missing correlation between issuer and cert-manager metrics.
Best Practices & Operating Model
Ownership and on-call:
- Platform team owns cert-manager controllers and ClusterIssuer.
- Service teams own Certificate CRDs for their services.
- Establish on-call rotation with playbooks and escalation paths.
Runbooks vs playbooks:
- Runbook: Step-by-step procedures for specific, repeatable tasks (renewals, DNS fix).
- Playbook: Higher-level guidance for complex incidents that require judgement (issuer compromise).
Safe deployments:
- Canary cert-manager upgrades with a single-node rollout.
- Use canary ClusterIssuer for testing new issuers.
- Rollback by restoring previous controller and CRD versions.
Toil reduction and automation:
- Automate common remediations like RBAC reapplication.
- Create GitOps policies for Certificate CRDs to avoid drift.
- Use webhook issuers for specialized automation.
Security basics:
- Protect issuer credentials with KMS or Vault and minimal RBAC.
- Rotate issuer keys periodically.
- Monitor for unusual issuance patterns as potential compromise indicator.
Weekly/monthly routines:
- Weekly: Check expiring certificates within 30 days.
- Monthly: Review issuance error trends and issuer health.
- Quarterly: Rotate issuer credentials and audit RBAC.
Postmortem review items related to cert-manager:
- Time to detect and remediate certificate incidents.
- Root cause of issuance failures.
- Whether automation failed and why.
- Changes required to RenewBefore and Duration.
- Lessons on monitoring, alerts, and runbook effectiveness.
Tooling & Integration Map for cert-manager (TABLE REQUIRED)
| ID | Category | What it does | Key integrations | Notes |
|---|---|---|---|---|
| I1 | Monitoring | Collects metrics and alerts | Prometheus Grafana Alertmanager | Central for SRE workflows |
| I2 | DNS Provider | Updates DNS records for DNS-01 | External DNS APIs | Rate limits matter |
| I3 | Secret Store | Houses issuer credentials | Vault KMS | Secure key management |
| I4 | CI/CD | Deploys cert resources | GitOps tools | Ensures declarative state |
| I5 | Ingress | Terminates TLS for traffic | NGINX Traefik CloudLB | Consumes TLS secrets |
| I6 | Service Mesh | Distributes mTLS certs | Sidecars Control Plane | Short-lived cert management |
| I7 | CA / PKI | Signs certificates | Internal CA External CA | Key compromise policies needed |
| I8 | Webhook Issuer | Custom issuance logic | Custom APIs | Requires secure deployment |
| I9 | Log Aggregation | Centralizes controller logs | ELK Loki | Useful for debugging |
| I10 | Secret Rotation | Automates secret sync | Operators and scripts | Needed for external systems |
Row Details (only if needed)
Not needed.
Frequently Asked Questions (FAQs)
What issuers does cert-manager support?
Supports ACME, CA, Vault, Venafi, and webhook issuers; specifics depend on version and deployment.
Can cert-manager act as a CA?
No. cert-manager orchestrates issuers; it does not act as a trust root by itself.
How does cert-manager renew certificates?
It watches certificate objects and triggers new CertificateRequest workflows before expiry based on RenewBefore.
Is cert-manager secure by default?
It provides secure defaults but requires secure issuer credential storage and proper RBAC configuration.
Can cert-manager issue wildcard certificates?
Yes via DNS-01 ACME challenges when the DNS provider supports programmatic updates.
How to handle secrets for issuers?
Store issuer credentials in Kubernetes secrets and consider using external KMS or Vault for added security.
What happens if the issuer is down?
Issuance and renewals fail; plan failover issuers or manual contingency to prevent expiry.
How long does issuance take?
Varies: from seconds for internal CA to minutes for ACME depending on DNS propagation and challenge type.
Can cert-manager work across multiple clusters?
Each cluster runs its own cert-manager instance; central PKI requires coordination with external issuers.
How to debug failed issuance?
Check CertificateRequest and Challenge resources, cert-manager logs, and issuer logs for error details.
Should I use Namespace Issuers or ClusterIssuer?
Namespace Issuers are for per-namespace control; ClusterIssuer is for centralized platform-managed issuance.
Does cert-manager rotate keys automatically?
Yes when certificates are renewed; private keys are usually regenerated unless reuse is configured.
How to prevent hitting CA rate limits?
Use staging for tests, batch requests, and apply rate limiting in automation workflows.
Does cert-manager integrate with service meshes?
Yes; it can issue mTLS certs for sidecars when integrated with mesh control planes.
How to secure webhooks for custom issuers?
Use HTTPS with valid certs and restrict network access and RBAC policies.
Are certificate secrets encrypted at rest?
Depends on Kubernetes cluster configuration; use KMS integrations for stronger guarantees.
Can cert-manager be used with HSM?
Varies / depends.
How to test cert-manager safely?
Use ACME staging environment and test DNS challenge flows in isolated namespaces.
Conclusion
cert-manager automates certificate lifecycle management in Kubernetes environments, reducing manual toil and preventing TLS outages. It integrates with ACME, Vault, and other PKI systems and fits into platform and SRE workflows by providing declarative certificate management and telemetry.
Next 7 days plan:
- Day 1: Install cert-manager in a staging cluster and enable metrics.
- Day 2: Configure a ClusterIssuer with ACME staging and test DNS-01.
- Day 3: Create Certificate CRDs for a sample ingress and validate issuance.
- Day 4: Add Prometheus scraping and Grafana dashboard templates.
- Day 5: Implement alerts for expiring certs and renewal failures.
- Day 6: Run a game day simulating DNS provider failure and observe behavior.
- Day 7: Review RBAC and secret storage practices and create runbooks.
Appendix โ cert-manager Keyword Cluster (SEO)
Primary keywords
- cert-manager
- cert manager Kubernetes
- cert-manager ACME
- cert-manager tutorial
- cert-manager guide
Secondary keywords
- Certificate automation
- Kubernetes TLS management
- ClusterIssuer
- Certificate CRD
- ACME DNS-01
Long-tail questions
- How to install cert-manager on Kubernetes
- How cert-manager renews certificates automatically
- cert-manager vs Vault for certificates
- How to debug cert-manager ACME challenges
- Best practices for cert-manager in production
- How to configure DNS-01 challenge with cert-manager
- How to integrate cert-manager with service mesh
- Using cert-manager with HashiCorp Vault
- cert-manager metrics to monitor
- How to handle cert-manager RBAC issues
Related terminology
- ACME protocol
- CertificateRequest resource
- Certificate CRD
- ClusterIssuer vs Issuer
- HTTP-01 challenge
- DNS-01 challenge
- RenewBefore
- Duration
- Secret rotation
- mTLS automation
- PKI orchestration
- Webhook issuer
- Ingress TLS
- Vault issuer
- CA chain
- Key protection
- KMS integration
- GitOps certificate management
- Observability for cert-manager
- Prometheus metrics for cert-manager
- Grafana dashboards for cert-manager
- Alertmanager for cert alerts
- Rate limits ACME
- DNS provider API
- Certificate revocation
- Certificate lifecycle
- Certificate expiry alert
- Controller CRDs
- SecretName in certs
- Namespace-scoped issuer
- Atomic secret update
- Hot reload certificates
- Service mesh mTLS
- Issuer health checks
- Certificate issuance latency
- Renewal success rate
- Certificate backlog
- Kubernetes events for certs
- Audit logging for certificate issuance
- CA compromise response
Leave a Reply