Quick Guide to cert-manager: Managing K8s Machine Identities 

What Is cert-manager?

cert-manager is an open-source Kubernetes add-on that automates the management and issuance of x.509 certificates. It simplifies the process of securing applications by automatically obtaining and renewing TLS certificates from various certificate authorities (CAs). 

This tool ensures that certificates are always up-to-date and valid, which is crucial for maintaining secure communications within a Kubernetes cluster.

cert-manager has over 11K GitHub stars, over 440 contributors, and has been managed by the Cloud Native Computing Foundation (CNCF) since 2020. In 2022, it was moved to the Incubating maturity level.

You can get cert-manager from the official GitHub repo.

Image source: GitHub

This is part of a series of articles about Kubernetes management

The Need for cert-manager: How Are x.509 Certificates and Machine Identities Used in K8s? 

x.509 certificates and machine identities help ensure data integrity and confidentiality by encrypting the data transmitted between services in a Kubernetes cluster. Machine identities are used by devices and applications to prove their authenticity in automated processes, with x.509 certificates serving as proof. 

Managing these certificates manually can be cumbersome and error-prone, especially considering that Kubernetes clusters are dynamic environments where services are frequently created and updated.

cert-manager is a Kubernetes add-on that automates the management and issuance of these certificates. By integrating directly with Kubernetes, cert-manager simplifies the process of obtaining, renewing, and deploying certificates from various certificate authorities (CAs). This automation reduces the administrative burden on developers and operators, ensuring that services within the cluster always have up-to-date and valid certificates.

expert-icon-header

Tips from the expert

Itiel Shwartz

Co-Founder & CTO

Itiel is the CTO and co-founder of Komodor. He’s a big believer in dev empowerment and moving fast, has worked at eBay, Forter and Rookout (as the founding engineer). Itiel is a backend and infra developer turned “DevOps”, an avid public speaker that loves talking about things such as cloud infrastructure, Kubernetes, Python, observability, and R&D culture.

In my experience, here are tips that can help you better manage K8s machine identities with cert-manager:

Utilize Issuer and ClusterIssuer

Use `Issuer` for namespace-specific certificates and `ClusterIssuer` for cluster-wide certificates to maintain separation of concerns.

Implement Certificate Policies

Define policies for certificate lifetimes, renewal windows, and key sizes to ensure compliance and security.

Secure CA Secrets

Use Kubernetes secrets to store CA credentials securely and ensure they are encrypted at rest and in transit.

Automate with Helm

Use Helm charts to automate cert-manager deployments, ensuring consistent and repeatable configurations across environments.

Leverage External Issuers

Integrate with external issuers like HashiCorp Vault for more flexible and secure certificate management.

Key Features of cert-manager 

Key features of cert-manager include:

Certificate Issuance

cert-manager automates the process of issuing certificates by interacting with various CAs. When a certificate is needed, cert-manager generates a Certificate Signing Request (CSR) and submits it to the configured CA. Once the CA validates the request, it issues a certificate that cert-manager then makes available for use within the Kubernetes cluster. This process can be triggered by annotations on Kubernetes resources, allowing for seamless integration and automation.

Certificate Renewal

cert-manager continuously monitors the expiration dates of certificates and automatically renews them before they expire. It uses predefined renewal periods to ensure that certificates are updated without manual intervention. This proactive approach prevents downtime and security risks associated with expired certificates, ensuring that applications remain secure and operational.

ACME Support

cert-manager supports the Automatic Certificate Management Environment (ACME) protocol, which is widely used for automating the process of obtaining SSL/TLS certificates. Through ACME, cert-manager can request certificates from ACME-compliant CAs, such as Let’s Encrypt. This support allows for the automated issuance and renewal of certificates, reducing the administrative burden of managing certificates manually.

Kubernetes Integration

cert-manager works seamlessly with Kubernetes, using Kubernetes resources to manage certificates. It integrates with Kubernetes Custom Resource Definitions (CRDs) to define certificates, issuers, and other related resources. This allows cert-manager to automatically inject certificates into Kubernetes secrets, which can then be used by other Kubernetes resources like Ingress controllers and pods, ensuring secure communication across the cluster.

How Does cert-manager Work?

cert-manager operates as a Kubernetes controller that continuously watches for certificate-related resources. When it detects a resource requiring a certificate, it follows these steps:

  1. CSR generation: cert-manager creates a Certificate Signing Request (CSR) based on the specified requirements.
  2. CSR submission: The CSR is submitted to the configured CA.
  3. Certificate Issuance: Upon approval, the CA issues the certificate and returns it to cert-manager.
  4. Certificate deployment: cert-manager stores the certificate in a Kubernetes secret, making it accessible to other resources.
  5. Continuous monitoring: cert-manager monitors the certificate’s expiration date and initiates renewal as needed.

Tutorial: Deploy cert-manager on Google Kubernetes Engine (GKE) 

This tutorial is adapted from the official cert-manager documentation.

Prerequisites

To use cert-manager, you need to have:

  • A Google Cloud account
  • A domain name in which to add DNS records
  • The gcloud resource management tool
  • The Kubernetes command line tool kubectl
  • The curl command line tool

Configure gcloud with a Google Cloud project

First, initialize gcloud and set up your Google Cloud project by running gcloud init

During initialization, set the default Compute Region and Zone. The command will display your project name, default region, and zone. 

Export these values for later use:

export PROJECT=example-project export REGION=US-east-1

Create a Kubernetes Cluster

Create a Kubernetes cluster using the following commands:

export CLUSTER=test-cluster-1 

gcloud container clusters create $CLUSTER --preemptible --num-nodes=1

gcloud components install gke-gcloud-auth-plugin
export USE_GKE_GCLOUD_AUTH_PLUGIN=True

gcloud container clusters get-credentials $CLUSTER

Verify cluster creation using: 

kubectl get nodes -o wide

Deploy a Web Server

Start by deploying a sample web server and exposing it:

kubectl create deployment web --image=gcr.io/google-samples/hello-app:1.0

kubectl expose deployment web --port=8080

Set Up a Static External IP Address

Reserve a static IP address for your website: 

gcloud compute addresses create web-ip --global 

gcloud compute addresses list

gcloud compute addresses describe web-ip --format='value(address)' --global
export IP_ADDRESS=194.20.100.1

Create a Domain Name for the Website

Purchase a domain and create an A record pointing to your IP address. Save the domain name in an env variable:

export DOMAIN_NAME=myapp.net

Create a Kubernetes Ingress Object

Create an Ingress to route traffic to your web server:

export DOMAIN_NAME=myapp.net

Create a Kubernetes Ingress Object

Create an Ingress to route traffic to your web server: 

apiVersion: networking.k8s.io/v1 
kind: Ingress
metadata:
name: web-ingress
annotations:
kubernetes.io/ingress.class: gce
kubernetes.io/ingress.allow-http: "true"
kubernetes.io/ingress.global-static-ip-name: web-ip
spec:
defaultBackend:
service:
name: web
port:
number: 8080

Apply the Ingress configuration: 

kubectl apply -f ingress.yaml 

Verify connectivity: 

curl http://$DOMAIN_NAME

Install cert-manager

Install cert-manager using kubectl

kubectl apply -f 
https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml kubectl -n cert-manager get all

Create an Issuer Resource for the Staging ServerIn this example, we’ll be using a Let’s Encrypt’s staging environment. To create an Issuer for this environment: 

apiVersion: cert-manager.io/v1 
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: <my-email-address>
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
name: web-ingress

Apply the Issuer configuration: 

kubectl apply -f issuer-lets-encrypt-staging.yaml

Re-Configure the Ingress Resource for SSL

Create an empty secret for the SSL certificate:

apiVersion: v1 
kind: Secret
metadata:
name: web-ssl
type: kubernetes.io/tls
stringData:
tls.key: ""
tls.crt: ""

Apply the secret configuration:

kubectl apply -f secret.yaml 

Update the Ingress resource to use SSL: 

# Update ingress.yaml 
metadata:
annotations:
cert-manager.io/issuer: letsencrypt-staging
spec:
tls:
- secretName: web-ssl
hosts:
- $DOMAIN_NAME

Apply the updated Ingress configuration: 

kubectl apply -f ingress.yaml 

Verify the SSL connection: 

curl -v --insecure https://$DOMAIN_NAME

Create a Production-Ready SSL Certificate

Create an Issuer for the Let’s Encrypt’s production environment: 

apiVersion: cert-manager.io/v1 
kind: Issuer
metadata:
name: letsencrypt-production
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: <my-email-address>
privateKeySecretRef:
name: letsencrypt-production
solvers:
- http01:
ingress:
name: web-ingress

Apply the production Issuer configuration: 

kubectl apply -f issuer-lets-encrypt-production.yaml 
kubectl annotate ingress web-ingress
cert-manager.io/issuer=letsencrypt-production --overwrite

Verify the production SSL certificate: 

curl -v https://$DOMAIN_NAME 

You should now be able to access your website securely via HTTPS. 

Simplifying Kubernetes Management with Komodor

Komodor is the Continuous Kubernetes Reliability Platform, designed to democratize K8s expertise across the organization and enable engineering teams to leverage its full value.

Komodor’s platform empowers developers to confidently monitor and troubleshoot their workloads while allowing cluster operators to enforce standardization and optimize performance. Specifically when working in a hybrid environment, Komodor reduces the complexity by providing a unified view of all your services and clusters.

By leveraging Komodor, companies of all sizes significantly improve reliability, productivity, and velocity. Or, to put it simply – Komodor helps you spend less time and resources on managing Kubernetes, and more time on innovating at scale.

If you are interested in checking out Komodor, use this link to sign up for a Free Trial