cert-manager 1.6: Automated TLS Certificate Management
K8s Guru

Introduction
cert-manager 1.6 — Automated TLS Certificate Management — was released on June 25, 2021.
Policy usually becomes urgent the first time you need to stop a risky manifest from shipping — or when you’re trying to make standards repeatable across teams.
In this release: cert-manager 1.6 enhances automated TLS certificate management with improved ACME support, better issuer integration, and enhanced security features for Kubernetes workloads.
ACME Support Enhancements
- Let’s Encrypt integration improvements provide better reliability and performance for certificate issuance.
- ACME v2 support ensures compatibility with modern ACME protocol implementations.
- DNS-01 challenge improvements enable better certificate issuance for wildcard domains.
- HTTP-01 challenge enhancements simplify certificate issuance for standard domains.
Issuer Integration Improvements
- Cloud provider issuers expand support for AWS, Azure, GCP, and other cloud certificate services.
- Vault integration improvements enable better integration with HashiCorp Vault PKI.
- Self-signed certificate support enables development and testing scenarios.
- Custom issuers enable integration with enterprise certificate authorities.
Security & Reliability
- Certificate rotation improvements ensure certificates are renewed before expiration.
- Key management enhancements provide better security for private keys.
- Certificate validation ensures certificates meet security requirements before use.
- Audit logging tracks all certificate issuance and renewal events.
Kubernetes Integration
- Ingress integration automatically provisions certificates for Ingress resources.
- Annotation-based configuration simplifies certificate management for services.
- CRD support enables managing certificates as Kubernetes-native resources.
- RBAC integration provides fine-grained access control for certificate management.
Advanced Features
- Certificate chain support enables proper certificate chain validation.
- Multiple-issuer support allows different issuers for different namespaces or domains.
- Certificate templates enable custom certificate configurations.
- Metrics integration exposes certificate management metrics for Prometheus.
Getting Started
Install cert-manager:
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.6.0/cert-manager.yaml
```
Create a ClusterIssuer:
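```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Let's Encrypt production ACME v2 directory
    server: https://acme-v02.api.letsencrypt.org/directory
    # Placeholder address: replace with a monitored contact mailbox
    email: admin@example.com
    # Secret that stores the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
```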
Create a Certificate:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
spec:
  secretName: my-certificate-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - example.com
  - www.example.com
```
Use with Ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    # Tells cert-manager to issue a certificate for the tls entry below
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - example.com
    # Secret the ingress controller reads the certificate and key from
    secretName: my-certificate-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80
```
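An added example, not from the original post or the cert-manager project: an offline lint over the three manifests above (embedded as trimmed JSON constructed to mirror them). It checks that the `issuerRef` resolves, that every Ingress TLS host is covered by the Certificate's `dnsNames`, and flags the case where the `cert-manager.io/cluster-issuer` annotation and an explicit Certificate both target the same Secret. `covers` and `lint` are hypothetical helper names, and all objects are assumed to live in one namespace.

```python
import json

# Constructed sample: the three manifests above, trimmed, in the shape
# `kubectl get ... -o json` returns. Assumes a single namespace.
MANIFESTS = json.loads("""[
 {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"}},
 {"kind": "Certificate", "metadata": {"name": "my-certificate"},
  "spec": {"secretName": "my-certificate-tls",
           "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"},
           "dnsNames": ["example.com", "www.example.com"]}},
 {"kind": "Ingress",
  "metadata": {"name": "my-ingress",
               "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
  "spec": {"tls": [{"hosts": ["example.com"], "secretName": "my-certificate-tls"}]}}
]""")

def covers(dns_name, host):
    """True if a certificate dnsName covers host; '*.' matches exactly one label."""
    dns_name, host = dns_name.lower(), host.lower()
    if dns_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == dns_name[2:]
    return dns_name == host

def lint(objs):
    """Return findings about issuer references and Ingress TLS wiring."""
    issuers = {o["metadata"]["name"] for o in objs if o["kind"] == "ClusterIssuer"}
    certs = {o["spec"]["secretName"]: o for o in objs if o["kind"] == "Certificate"}
    findings = []
    for c in certs.values():
        ref = c["spec"]["issuerRef"]
        if ref.get("kind") == "ClusterIssuer" and ref["name"] not in issuers:
            findings.append(f"Certificate {c['metadata']['name']}: unknown ClusterIssuer {ref['name']}")
    for ing in (o for o in objs if o["kind"] == "Ingress"):
        name, meta = ing["metadata"]["name"], ing["metadata"]
        annotated = "cert-manager.io/cluster-issuer" in meta.get("annotations", {})
        for tls in ing["spec"].get("tls", []):
            cert = certs.get(tls["secretName"])
            if cert is None:
                continue  # no explicit Certificate writes this Secret
            cname = cert["metadata"]["name"]
            if annotated:  # the annotation yields a second Certificate for this Secret
                findings.append(f"Ingress {name}: annotation and Certificate {cname} both target {tls['secretName']}")
            for host in tls.get("hosts", []):
                if not any(covers(d, host) for d in cert["spec"]["dnsNames"]):
                    findings.append(f"Ingress {name}: host {host} not in dnsNames of {cname}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(MANIFESTS)))
```

On the manifests as written it reports one finding: the annotated Ingress and `my-certificate` both write `my-certificate-tls`, so keep either the annotation or the explicit Certificate for that Secret, not both.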
Summary
| Aspect | Details |
|---|---|
| Release Date | June 25, 2021 |
| Headline Features | Enhanced ACME support, improved issuer integration, better security features |
| Why it Matters | Automates TLS certificate management, reducing operational overhead and ensuring certificates are always valid |
cert-manager 1.6 continues to evolve as the standard solution for TLS certificate management in Kubernetes, providing teams with automated, secure certificate provisioning and renewal.