Skills · Apr 15, 2026 · 3 min read

cert-manager — Automated X.509 Certificate Management for Kubernetes

cert-manager is a cloud-native controller that issues, renews and rotates TLS certificates from Let's Encrypt, HashiCorp Vault, a private PKI or any ACME-compatible issuer, entirely through Kubernetes resources.

Agent-ready

Agent-ready installation

This asset can be installed after choosing the runtime, reviewing the plan and running the corresponding command.

Native · 98/100 · Policy: allow
Agent surface: Any MCP/CLI agent
Type: Skill
Installation: Single
Trust: Established
Entry: cert-manager Controller
Direct install command:
npx -y tokrepo@latest install 7cc65aaa-38e6-11f1-9bc6-00163e2b0d79 --target codex

Run after confirming the plan with a dry run.

TL;DR
cert-manager issues, renews, and rotates TLS certificates on Kubernetes through declarative CRDs and ACME automation.
§01

What it is

cert-manager is a cloud-native Kubernetes controller that automates the issuance, renewal, and rotation of X.509 TLS certificates. It integrates with certificate authorities like Let's Encrypt, HashiCorp Vault, Venafi, and any ACME-compatible issuer. Certificates are managed through Kubernetes custom resources, making TLS configuration declarative and version-controlled.

The tool targets platform engineers and DevOps teams who manage HTTPS endpoints on Kubernetes and want to eliminate manual certificate management.

§02

How it saves time or tokens

Without cert-manager, teams generate certificates by hand, track expiration dates, and coordinate renewal across services. cert-manager automates the entire lifecycle: it requests certificates when Ingress resources are created, renews them before expiration, and stores them as Kubernetes Secrets. This eliminates certificate-related outages caused by forgotten renewals and removes the ongoing operational overhead of TLS management.

§03

How to use

  1. Install cert-manager with Helm:

     helm repo add jetstack https://charts.jetstack.io && helm repo update
     helm install cert-manager jetstack/cert-manager \
       --namespace cert-manager --create-namespace \
       --set crds.enabled=true

  2. Create a ClusterIssuer for Let's Encrypt:

     apiVersion: cert-manager.io/v1
     kind: ClusterIssuer
     metadata:
       name: letsencrypt-prod
     spec:
       acme:
         server: https://acme-v02.api.letsencrypt.org/directory
         email: admin@example.com
         privateKeySecretRef:
           name: letsencrypt-prod   # Secret holding the ACME account key
         solvers:
           - http01:
               ingress:
                 class: nginx

  3. Annotate your Ingress to request a certificate:

     apiVersion: networking.k8s.io/v1
     kind: Ingress
     metadata:
       name: app                  # name added; the original fragment omitted it
       annotations:
         cert-manager.io/cluster-issuer: letsencrypt-prod
     spec:
       tls:
         - hosts:
             - app.example.com
           secretName: app-tls    # cert-manager creates and renews this Secret
       defaultBackend:            # assumed backend Service; Ingress needs rules or a defaultBackend
         service:
           name: app
           port:
             number: 80
§04

Example

# Request a certificate directly via a Certificate resource
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-cert
  namespace: production
spec:
  secretName: api-tls
  renewBefore: 360h  # renew 15 days before expiry
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - api.example.com
    - api-v2.example.com
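A pre-apply check for Certificate manifests like the one above and in the "How to use" steps, as an added example that is not part of this page or of cert-manager itself. It flags a Let's Encrypt staging ACME server, wildcard dnsNames on an issuer with no DNS-01 solver, a renewBefore that is not shorter than the duration, and an issuerRef that cannot resolve because Issuer is namespace-scoped; the issuer dictionaries are constructed stand-ins for the YAML, and cert-manager's defaults of a 2160h duration and renewal at two-thirds of validity are assumed.

```python
import re

# Constructed sample issuers standing in for the ClusterIssuer/Issuer manifests on this page.
LETSENCRYPT_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
HTTP01_NGINX = [{"http01": {"ingress": {"class": "nginx"}}}]
ISSUERS = {
    "ClusterIssuer": {
        "letsencrypt-prod": {"spec": {"acme": {
            "server": "https://acme-v02.api.letsencrypt.org/directory", "solvers": HTTP01_NGINX}}},
        "letsencrypt-staging": {"spec": {"acme": {
            "server": LETSENCRYPT_STAGING, "solvers": HTTP01_NGINX}}},
    },
    # Issuer is namespace-scoped, so it is keyed by (namespace, name).
    "Issuer": {("production", "internal-ca"): {"spec": {"ca": {"secretName": "internal-ca"}}}},
}
_UNITS = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}


def parse_hours(dur):
    """Convert a Go-style duration ('360h', '2160h', '1h30m') into hours."""
    parts = re.findall(r"(\d+)([hms])", dur)
    if not parts or "".join(n + u for n, u in parts) != dur:
        raise ValueError(f"unsupported duration: {dur!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def lint_certificate(cert, issuers=ISSUERS):
    """Return findings for one Certificate resource; an empty list means it passed."""
    spec, ns = cert["spec"], cert["metadata"].get("namespace", "default")
    ref = spec["issuerRef"]
    kind = ref.get("kind", "Issuer")
    key = ref["name"] if kind == "ClusterIssuer" else (ns, ref["name"])
    issuer = issuers.get(kind, {}).get(key)
    findings = []
    # Assumed cert-manager defaults: 90-day (2160h) validity, renewal when two-thirds has elapsed.
    duration = parse_hours(spec.get("duration", "2160h"))
    renew_before = parse_hours(spec["renewBefore"]) if "renewBefore" in spec else duration / 3
    if renew_before >= duration:
        findings.append("renewBefore must be shorter than duration")
    if issuer is None:
        findings.append(f"{kind} {ref['name']!r} not found")
        return findings
    acme = issuer["spec"].get("acme")
    if acme:
        if acme["server"] == LETSENCRYPT_STAGING:
            findings.append("Let's Encrypt staging server: issued certificates are not browser-trusted")
        wildcard = any(n.startswith("*.") for n in spec.get("dnsNames", []))
        if wildcard and not any("dns01" in s for s in acme.get("solvers", [])):
            findings.append("wildcard dnsNames require a DNS-01 solver on the issuer")
    return findings
```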
§06

Common pitfalls

  • Using the Let's Encrypt staging server for testing but forgetting to switch to production; staging certificates are not trusted by browsers
  • DNS-01 challenges require cloud provider credentials with DNS write access; missing IAM permissions cause silent validation failures
  • Rate limits on Let's Encrypt production (50 certificates per registered domain per week) can block high-volume issuance

Frequently asked questions

What certificate authorities does cert-manager support?

cert-manager supports Let's Encrypt (ACME), HashiCorp Vault, Venafi, and any CA that implements the ACME protocol. It also supports self-signed certificates and custom CA issuers for internal PKI. Third-party issuers can be added via the external issuer interface.

How does cert-manager handle certificate renewal?

cert-manager monitors certificate expiration dates and triggers renewal automatically before the certificate expires. The renewBefore field controls how early renewal starts. By default, certificates are renewed when two-thirds of their validity period has elapsed.

Does cert-manager work with Ingress controllers other than Nginx?

Yes. cert-manager works with Nginx, Traefik, HAProxy, Istio, and any Ingress controller that reads TLS secrets from Kubernetes. The integration is through annotations on Ingress resources or direct Certificate custom resources.

What is the difference between Issuer and ClusterIssuer?

An Issuer is namespace-scoped and can only issue certificates within its namespace. A ClusterIssuer is cluster-wide and can issue certificates in any namespace. Use ClusterIssuer for shared CAs like Let's Encrypt, and Issuer for namespace-specific private CAs.

Can cert-manager handle wildcard certificates?

Yes, but wildcard certificates require DNS-01 challenge validation, not HTTP-01. You need to configure a DNS provider (Route53, Cloudflare, Google Cloud DNS, etc.) with appropriate API credentials so that cert-manager can create the required TXT records.
