Configs · April 15, 2026 · 1 min read

cert-manager — Automated X.509 Certificate Management for Kubernetes

cert-manager is a cloud-native controller that issues, renews and rotates TLS certificates from Let's Encrypt, HashiCorp Vault, a private PKI or any ACME-compatible issuer, entirely through Kubernetes resources.

Introduction

cert-manager is a CNCF graduated project originally maintained by Jetstack. It turns the error-prone workflow of provisioning and renewing TLS certificates into declarative Kubernetes CRDs, and it integrates with popular Ingress controllers, service meshes and internal PKIs so every workload can speak TLS without manual certificate juggling.

What cert-manager Does

  • Watches Certificate, CertificateRequest, Issuer and ClusterIssuer resources
  • Requests certificates from ACME (Let's Encrypt, ZeroSSL), Vault, Venafi, self-signed or private CAs
  • Solves ACME HTTP-01 and DNS-01 challenges across Route53, Cloud DNS, Cloudflare, Akamai and more
  • Automatically rotates, renews and re-issues certificates before expiry
  • Feeds into Ingress, Gateway API, Istio and Linkerd for seamless TLS

Architecture Overview

The controller runs three main components: the cert-manager controller (reconciles Certificates), the cainjector (injects CA bundles into webhooks and APIServices), and the webhook (validates the custom resources). When a Certificate is created, cert-manager requests a signed certificate from the referenced Issuer, stores the key material in a kubernetes.io/tls Secret, and kicks off renewal before expiry. Solvers handle ACME challenges via temporary Pods (HTTP-01) or DNS updates through cloud-provider APIs (DNS-01).

Self-Hosting & Configuration

  • Install via Helm, static manifests or the operator-lifecycle-manager
  • CRDs must be installed before or alongside the controller
  • Configure (Cluster)Issuer per CA; annotate Ingress with cert-manager.io/cluster-issuer
  • Use DNS-01 solvers for wildcard certs and private workloads
  • Tune reconciliation via --acme-http01-solver-resource-limits and --default-issuer-*

Key Features

  • Declarative certificates: requests are a Kubernetes Custom Resource, not a shell script
  • Broad issuer support: ACME, Vault, Venafi, Google CAS, AWS PCA, SelfSigned, CA
  • Auto-renewal with configurable pre-expiry window and backoff
  • Gateway API v1 support for the next-gen Ingress model
  • ApproverPolicy and approval-manager for enterprise governance

Comparison with Similar Tools

  • Certbot — single-host ACME client; cert-manager is cluster-native and multi-tenant
  • kube-lego — deprecated predecessor that cert-manager replaced in 2018
  • Traefik built-in ACME — convenient but single-controller; cert-manager is framework-agnostic
  • External PKI scripts — brittle cron jobs; cert-manager exposes certs as first-class K8s objects
  • HashiCorp Vault PKI alone — powerful but needs glue; cert-manager ships a Vault issuer

FAQ

Q: Does cert-manager need internet access? A: Only for ACME issuers like Let's Encrypt. Vault, self-signed and private CA issuers work fully offline.

Q: Can I use it outside Kubernetes? A: The CRDs are Kubernetes-specific, but you can use cert-manager to issue certificates for non-K8s workloads by exporting the resulting Secret.

Q: How are wildcard certs issued? A: Use a DNS-01 solver configured with credentials for a supported DNS provider; cert-manager will create/remove TXT records automatically.
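The ClusterIssuer-plus-Certificate pattern from the configuration section, applied to the wildcard DNS-01 case above, as an added example (not manifests from the cert-manager project). The issuer name, namespace, domain, e-mail and the name of the pre-created Cloudflare token Secret are assumptions; the API fields are cert-manager.io/v1.

```yaml
# ClusterIssuer: ACME account at Let's Encrypt, solving DNS-01 via Cloudflare.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01                 # assumed name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: pki-admin@example.com           # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key  # ACME account key, created by cert-manager
    solvers:
    - dns01:
        cloudflare:
          # Secret created out of band in the cert-manager namespace.
          # Use an API token scoped to DNS edit on this zone only, not a global key.
          apiTokenSecretRef:
            name: cloudflare-api-token     # assumed Secret name
            key: api-token
      selector:
        dnsZones:
        - example.com                      # only this zone uses the Cloudflare solver
---
# Certificate: wildcard plus apex, renewed 30 days before expiry with key rotation.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: edge                          # assumed namespace of the Ingress/Gateway
spec:
  secretName: wildcard-example-com-tls     # kubernetes.io/tls Secret written by cert-manager
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
    group: cert-manager.io
  commonName: "*.example.com"
  dnsNames:
  - "*.example.com"
  - example.com
  duration: 2160h                          # 90 days (Let's Encrypt maximum)
  renewBefore: 720h                        # start renewal 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                 # fresh private key on every renewal
```

After applying, `kubectl describe certificate -n edge wildcard-example-com` shows the Ready condition and the Events emitted while the TXT record is presented and cleaned up.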

Q: What happens on renewal failure? A: cert-manager retries with exponential backoff and emits Kubernetes Events plus Prometheus metrics so you can alert before the existing cert expires.
