What Is cert-manager?
cert-manager is an open-source Kubernetes add-on that automates the management and issuance of x.509 certificates. It simplifies the process of securing applications by automatically obtaining and renewing TLS certificates from various certificate authorities (CAs).
This tool ensures that certificates are always up-to-date and valid, which is crucial for maintaining secure communications within a Kubernetes cluster.
cert-manager has over 11K GitHub stars, over 440 contributors, and has been managed by the Cloud Native Computing Foundation (CNCF) since 2020. In 2022, it was moved to the Incubating maturity level.
You can get cert-manager from the official GitHub repo.
Image source: GitHub
This is part of a series of articles about Kubernetes management
The Need for cert-manager: How Are x.509 Certificates and Machine Identities Used in K8s?
x.509 certificates and machine identities help ensure data integrity and confidentiality by encrypting the data transmitted between services in a Kubernetes cluster. Machine identities are used by devices and applications to prove their authenticity in automated processes, with x.509 certificates serving as proof.
Managing these certificates manually can be cumbersome and error-prone, especially considering that Kubernetes clusters are dynamic environments where services are frequently created and updated.
cert-manager is a Kubernetes add-on that automates the management and issuance of these certificates. By integrating directly with Kubernetes, cert-manager simplifies the process of obtaining, renewing, and deploying certificates from various certificate authorities (CAs). This automation reduces the administrative burden on developers and operators, ensuring that services within the cluster always have up-to-date and valid certificates.
Tips from the expert
Itiel Shwartz
Co-Founder & CTO
In my experience, here are tips that can help you better manage K8s machine identities with cert-manager:
Utilize Issuer and ClusterIssuer
Use `Issuer` for namespace-specific certificates and `ClusterIssuer` for cluster-wide certificates to maintain separation of concerns.
Implement Certificate Policies
Define policies for certificate lifetimes, renewal windows, and key sizes to ensure compliance and security.
Secure CA Secrets
Use Kubernetes secrets to store CA credentials securely and ensure they are encrypted at rest and in transit.
Automate with Helm
Use Helm charts to automate cert-manager deployments, ensuring consistent and repeatable configurations across environments.
Leverage External Issuers
Integrate with external issuers like HashiCorp Vault for more flexible and secure certificate management.
Key Features of cert-manager
Key features of cert-manager include:
Certificate Issuance
cert-manager automates the process of issuing certificates by interacting with various CAs. When a certificate is needed, cert-manager generates a Certificate Signing Request (CSR) and submits it to the configured CA. Once the CA validates the request, it issues a certificate that cert-manager then makes available for use within the Kubernetes cluster. This process can be triggered by annotations on Kubernetes resources, allowing for seamless integration and automation.
Certificate Renewal
cert-manager continuously monitors the expiration dates of certificates and automatically renews them before they expire. It uses predefined renewal periods to ensure that certificates are updated without manual intervention. This proactive approach prevents downtime and security risks associated with expired certificates, ensuring that applications remain secure and operational.
ACME Support
cert-manager supports the Automatic Certificate Management Environment (ACME) protocol, which is widely used for automating the process of obtaining SSL/TLS certificates. Through ACME, cert-manager can request certificates from ACME-compliant CAs, such as Let’s Encrypt. This support allows for the automated issuance and renewal of certificates, reducing the administrative burden of managing certificates manually.
Kubernetes Integration
cert-manager works seamlessly with Kubernetes, using Kubernetes resources to manage certificates. It integrates with Kubernetes Custom Resource Definitions (CRDs) to define certificates, issuers, and other related resources. This allows cert-manager to automatically inject certificates into Kubernetes secrets, which can then be used by other Kubernetes resources like Ingress controllers and pods, ensuring secure communication across the cluster.
How Does cert-manager Work?
cert-manager operates as a Kubernetes controller that continuously watches for certificate-related resources. When it detects a resource requiring a certificate, it follows these steps:
- CSR generation: cert-manager creates a Certificate Signing Request (CSR) based on the specified requirements.
- CSR submission: The CSR is submitted to the configured CA.
- Certificate Issuance: Upon approval, the CA issues the certificate and returns it to cert-manager.
- Certificate deployment: cert-manager stores the certificate in a Kubernetes secret, making it accessible to other resources.
- Continuous monitoring: cert-manager monitors the certificate’s expiration date and initiates renewal as needed.
Tips from the expert:
In my experience, here are ways to make the best use of cert-manager in your Kubernetes cluster:
- Use CertificateRequest resources: Use the CertificateRequest resource to decouple the certificate issuance process from the cert-manager’s automatic issuance. This is particularly useful for custom certificate workflows.
- Use external DNS providers: For DNS-01 challenges, integrating cert-manager with external DNS providers like Route 53 or Cloudflare can automate the process of proving domain ownership, making certificate issuance more seamless.
- Use pre-flight checks: Implement pre-flight checks before deploying cert-manager updates to ensure compatibility with your existing Kubernetes and cert-manager configuration. This prevents disruptions in certificate management.
- Implement namespace segregation: Isolate cert-manager instances in different namespaces for different environments (e.g., development, staging, production). This helps in maintaining clear boundaries and avoiding conflicts.
- Enable Prometheus metrics for monitoring: Configure cert-manager to expose metrics to Prometheus. This allows for real-time monitoring and alerting on certificate status and health, helping to preemptively address issues.
Tutorial: Deploy cert-manager on Google Kubernetes Engine (GKE)
This tutorial is adapted from the official cert-manager documentation.
Prerequisites
To use cert-manager, you need to have:
- A Google Cloud account
- A domain name in which to add DNS records
- The
gcloudresource management tool - The Kubernetes command line tool
kubectl - The
curlcommand line tool
Configure gcloud with a Google Cloud project
First, initialize gcloud and set up your Google Cloud project by running gcloud init.
During initialization, set the default Compute Region and Zone. The command will display your project name, default region, and zone.
Export these values for later use:
export PROJECT=example-project export REGION=US-east-1
Create a Kubernetes Cluster
Create a Kubernetes cluster using the following commands:
export CLUSTER=test-cluster-1
gcloud container clusters create $CLUSTER --preemptible --num-nodes=1
gcloud components install gke-gcloud-auth-plugin
export USE_GKE_GCLOUD_AUTH_PLUGIN=True
gcloud container clusters get-credentials $CLUSTER
Verify cluster creation using:
kubectl get nodes -o wide
Deploy a Web Server
Start by deploying a sample web server and exposing it:
kubectl create deployment web --image=gcr.io/google-samples/hello-app:1.0
kubectl expose deployment web --port=8080
Set Up a Static External IP Address
Reserve a static IP address for your website:
gcloud compute addresses create web-ip --global
gcloud compute addresses list
gcloud compute addresses describe web-ip --format='value(address)' --global
export IP_ADDRESS=194.20.100.1
Create a Domain Name for the Website
Purchase a domain and create an A record pointing to your IP address. Save the domain name in an env variable:
export DOMAIN_NAME=myapp.net
Create a Kubernetes Ingress Object
Create an Ingress to route traffic to your web server:
export DOMAIN_NAME=myapp.net
Create a Kubernetes Ingress Object
Create an Ingress to route traffic to your web server:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web-ingress
annotations:
kubernetes.io/ingress.class: gce
kubernetes.io/ingress.allow-http: "true"
kubernetes.io/ingress.global-static-ip-name: web-ip
spec:
defaultBackend:
service:
name: web
port:
number: 8080
Apply the Ingress configuration:
kubectl apply -f ingress.yaml
Verify connectivity:
curl http://$DOMAIN_NAME
Install cert-manager
Install cert-manager using kubectl:
kubectl apply -f
https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml kubectl -n cert-manager get all
Create an Issuer Resource for the Staging ServerIn this example, we’ll be using a Let’s Encrypt’s staging environment. To create an Issuer for this environment:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: <my-email-address>
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
name: web-ingress
Apply the Issuer configuration:
kubectl apply -f issuer-lets-encrypt-staging.yaml
Re-Configure the Ingress Resource for SSL
Create an empty secret for the SSL certificate:
apiVersion: v1
kind: Secret
metadata:
name: web-ssl
type: kubernetes.io/tls
stringData:
tls.key: ""
tls.crt: ""
Apply the secret configuration:
kubectl apply -f secret.yaml
Update the Ingress resource to use SSL:
# Update ingress.yaml
metadata:
annotations:
cert-manager.io/issuer: letsencrypt-staging
spec:
tls:
- secretName: web-ssl
hosts:
- $DOMAIN_NAME
Apply the updated Ingress configuration:
kubectl apply -f ingress.yaml
Verify the SSL connection:
curl -v --insecure https://$DOMAIN_NAME
Create a Production-Ready SSL Certificate
Create an Issuer for the Let’s Encrypt’s production environment:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-production
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: <my-email-address>
privateKeySecretRef:
name: letsencrypt-production
solvers:
- http01:
ingress:
name: web-ingress
Apply the production Issuer configuration:
kubectl apply -f issuer-lets-encrypt-production.yaml
kubectl annotate ingress web-ingress
cert-manager.io/issuer=letsencrypt-production --overwrite
Verify the production SSL certificate:
curl -v https://$DOMAIN_NAME
You should now be able to access your website securely via HTTPS.
Simplifying Kubernetes Management with Komodor
Komodor is the Continuous Kubernetes Reliability Platform, designed to democratize K8s expertise across the organization and enable engineering teams to leverage its full value.
Komodor’s platform empowers developers to confidently monitor and troubleshoot their workloads while allowing cluster operators to enforce standardization and optimize performance. Specifically when working in a hybrid environment, Komodor reduces the complexity by providing a unified view of all your services and clusters.
By leveraging Komodor, companies of all sizes significantly improve reliability, productivity, and velocity. Or, to put it simply – Komodor helps you spend less time and resources on managing Kubernetes, and more time on innovating at scale.
If you are interested in checking out Komodor, use this link to sign up for a Free Trial.
