cert-manager 0.1: Automated TLS for Kubernetes Workloads

K8s Guru

Introduction

On July 17, 2017, Jetstack released cert-manager 0.1 (the successor to kube-lego), introducing a Kubernetes-native controller to request and renew TLS certificates from ACME providers like Let’s Encrypt. With cert-manager, ingress TLS stops being a manual chore and becomes a declarative resource.


Core Capabilities

Kubernetes Custom Resources

  • Defines Certificate and Issuer CRDs to represent certificate requests and issuers.
  • Supports cluster-wide ClusterIssuer objects for multi-namespace reuse.
  • Stores signed certificates as Kubernetes secrets ready for ingress controllers.

ACME Automation

  • Implements the ACME v1 challenge flow for HTTP-01 and DNS-01.
  • Automatically provisions solver pods and cleans them up after validation.
  • Handles proactive renewals before expiration, minimizing outage windows.

Extensible Providers

  • Works with Let’s Encrypt, HashiCorp Vault, and self-signed issuers from day one.
  • Exposes a pluggable issuer interface paving the way for Venafi and Google CAS integrations.
  • Ships with ready-to-use examples for NGINX Ingress and Traefik.

Getting Started

  1. Install CRDs and the controller deployment:

    kubectl apply -f cert-manager.yaml

  2. Create a ClusterIssuer for Let’s Encrypt staging:

    apiVersion: certmanager.k8s.io/v1alpha1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-staging
    spec:
      acme:
        server: https://acme-staging.api.letsencrypt.org/directory
        email: [email protected]
        privateKeySecretRef:
          name: letsencrypt-staging
        http01: {}

  3. Annotate your ingress with certmanager.k8s.io/cluster-issuer: letsencrypt-staging.

  4. Watch cert-manager create solver pods, issue the certificate, and populate the target secret.
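The following Go program is an added example, not cert-manager's own code: it models the check behind step 4 and the proactive-renewal behaviour described above, parsing the tls.crt that lands in the target secret, confirming it covers the ingress host, and deciding whether the renew-before window has been reached. The self-signed certificate, host names and 30-day window are constructed here so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// selfSignedPEM builds a PEM-encoded self-signed certificate for hosts, constructed
// here so the example runs offline; it stands in for the tls.crt in the target secret.
func selfSignedPEM(hosts []string, notBefore time.Time, validFor time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     hosts,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validFor),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// needsRenewal reports whether tls.crt has reached NotAfter minus renewBefore at now.
// A non-PEM input or a cert that does not cover host is returned as an error instead.
func needsRenewal(certPEM []byte, host string, now time.Time, renewBefore time.Duration) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("tls.crt does not contain a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	if err := cert.VerifyHostname(host); err != nil {
		return true, err // issued for the wrong name: needs reissue, not just renewal
	}
	return !now.Before(cert.NotAfter.Add(-renewBefore)), nil
}
```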


Practical Tips (Avoid ACME Surprises)

  • Use Let’s Encrypt staging first (as shown) to validate your HTTP-01/DNS-01 flow without tripping production rate limits.
  • For HTTP-01, make sure your ingress controller can actually route /.well-known/acme-challenge/ to solver pods (rewrites and global redirects are common culprits).
  • For DNS-01, expect a different class of failures: slow DNS propagation and missing IAM permissions are more common than Kubernetes issues.
  • Keep issuer credentials tightly scoped; an Issuer that can update “any DNS record in the company” tends to become an incident later.

Ecosystem Fit

  • Secures frontends published by ExternalDNS 0.1 and Traefik 1.4.
  • Complements Istio 0.1 by automating mesh gateways that terminate TLS.
  • Integrates with Kubernetes 1.7 RBAC for scoped certificate issuance.

Summary

Aspect           Details
Release Date     July 17, 2017
Key Innovations  Certificate CRDs, ACME automation, pluggable issuers
Why it Matters   Turns TLS provisioning into a declarative, GitOps-friendly workflow

cert-manager 0.1 set the foundation for pervasive, automated TLS across Kubernetes clusters, removing the toil of manual certificate renewal cycles.