cert-manager 1.11: Automated TLS Certificate Management

Introduction
cert-manager 1.11, released on September 5, 2022, continues to evolve as the leading solution for automated TLS certificate management in Kubernetes. This release improves ACME support, enhances issuer integration, and delivers better security features for managing certificates in cloud-native environments.
Security features matter most when you’re trying to enforce guardrails without blocking delivery. This release is useful if you’re tightening policy, improving visibility, or hardening defaults across Kubernetes workloads.
ACME Support Enhancements
- Let’s Encrypt integration improvements provide better reliability and performance for certificate issuance.
- ACME v2 support ensures compatibility with modern ACME protocol implementations.
- DNS-01 challenge improvements enable better certificate issuance for wildcard domains.
- HTTP-01 challenge enhancements simplify certificate issuance for standard domains.
Issuer Integration Improvements
- Cloud provider issuers expand support for AWS, Azure, GCP, and other cloud certificate services.
- Vault integration improvements enable better integration with HashiCorp Vault PKI.
- Self-signed certificate support enables development and testing scenarios.
- Custom issuers enable integration with enterprise certificate authorities.
Security & Reliability
- Certificate rotation improvements ensure certificates are renewed before expiration.
- Key management enhancements provide better security for private keys.
- Certificate validation ensures certificates meet security requirements before use.
- Audit logging tracks all certificate issuance and renewal events.
Kubernetes Integration
- Ingress integration automatically provisions certificates for Ingress resources.
- Gateway API support enables certificate management for Gateway API resources.
- Annotation-based configuration simplifies certificate management for services.
- CRD support enables managing certificates as Kubernetes-native resources.
Advanced Features
- Certificate chain support enables proper certificate chain validation.
- Multiple-issuer support allows different issuers for different namespaces or domains.
- Certificate templates enable custom certificate configurations.
- Metrics integration exposes certificate management metrics for Prometheus.
Getting Started
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
```
Create a ClusterIssuer:
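```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Let's Encrypt production ACME directory
    server: https://acme-v02.api.letsencrypt.org/directory
    # Placeholder: replace with your own contact address
    email: user@example.com
    # Secret that stores the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      # Solve HTTP-01 challenges through the nginx ingress class
      - http01:
          ingress:
            class: nginx
```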
Create a Certificate:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
spec:
  # Secret that will hold the issued certificate and its private key
  secretName: my-certificate-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - example.com
    - www.example.com
```
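Use with Ingress. The `cert-manager.io/cluster-issuer` annotation makes cert-manager create a Certificate for the Ingress's `tls` entries on its own, so for a given Secret use either this annotation or an explicit Certificate like the one above, not both: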
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    # Issuer that cert-manager uses for this Ingress's TLS hosts
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - example.com
      secretName: my-certificate-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80
```
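A pre-apply check for the three manifests above, as an added example that is not part of the original page or the cert-manager project: it verifies that each Certificate's `issuerRef` resolves, that Ingress TLS hosts are covered by `dnsNames`, and that an annotated Ingress and an explicit Certificate do not both write the same Secret. The names `lint`, `covers`, `meta` and `SAMPLE` are hypothetical; manifests are assumed to be already parsed into dicts, and namespaces are ignored.

```python
# Added example (not cert-manager code). Manifests are pre-parsed dicts; namespaces ignored.
SHIM_ANNOTATIONS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")

def covers(dns_name, host):
    """True if a dnsName covers host; a leading '*.' matches exactly one label."""
    if dns_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == dns_name[2:]
    return dns_name == host

def lint(manifests):
    findings = []
    issuers = {(m["kind"], m["metadata"]["name"]) for m in manifests if "Issuer" in m["kind"]}
    certs = [m for m in manifests if m["kind"] == "Certificate"]
    by_secret = {c["spec"]["secretName"]: c for c in certs}
    for c in certs:
        ref = c["spec"]["issuerRef"]  # issuerRef.kind defaults to Issuer when omitted
        if (ref.get("kind", "Issuer"), ref["name"]) not in issuers:
            findings.append(f"Certificate {c['metadata']['name']}: unknown issuer {ref['name']}")
    for ing in (m for m in manifests if m["kind"] == "Ingress"):
        name = ing["metadata"]["name"]
        shim = any(a in ing["metadata"].get("annotations", {}) for a in SHIM_ANNOTATIONS)
        for tls in ing["spec"].get("tls", []):
            cert = by_secret.get(tls["secretName"])
            if cert is None:
                if not shim:  # no annotation and no Certificate: the Secret is never created
                    findings.append(f"Ingress {name}: nothing issues Secret {tls['secretName']}")
                continue
            if shim:  # annotation-generated and explicit Certificate would share one Secret
                findings.append(f"Ingress {name}: annotation and Certificate "
                                f"{cert['metadata']['name']} both target Secret {tls['secretName']}")
            for host in tls.get("hosts", []):
                if not any(covers(d, host) for d in cert["spec"].get("dnsNames", [])):
                    findings.append(f"Ingress {name}: host {host} not in dnsNames")
    return findings

def meta(kind, name, **extra):
    return {"kind": kind, "metadata": {"name": name, **extra}}

# Constructed sample mirroring the ClusterIssuer, Certificate and Ingress above.
SAMPLE = [
    meta("ClusterIssuer", "letsencrypt-prod"),
    {**meta("Certificate", "my-certificate"), "spec": {
        "secretName": "my-certificate-tls", "dnsNames": ["example.com", "www.example.com"],
        "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}}},
    {**meta("Ingress", "my-ingress", annotations={"cert-manager.io/cluster-issuer": "letsencrypt-prod"}),
     "spec": {"tls": [{"hosts": ["example.com"], "secretName": "my-certificate-tls"}]}},
]
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```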
Summary
| Aspect | Details |
|---|---|
| Release Date | September 5, 2022 |
| Headline Features | Enhanced ACME support, improved issuer integration, better security features |
| Why it Matters | Automates TLS certificate management, reducing operational overhead and ensuring certificates are always valid |
cert-manager 1.11 continues to evolve as the standard solution for TLS certificate management in Kubernetes, providing teams with automated, secure certificate provisioning and renewal.