cert-manager Knowledge

Kip Landergren

My cert-manager knowledge base, explaining how to manage TLS certificates in a Kubernetes cluster.

Overview

cert-manager is a Kubernetes add-on for managing TLS certificates. It uses Custom Resource Definitions (CRDs) to define Kubernetes objects that together coordinate and provide the certificate management functionality.

A minimal configuration consists of a configured Issuer object and a configured Certificate object. When the Certificate is applied, cert-manager generates an Order against the Issuer; once that Order is ready, a Secret is created containing a private key and certificate that conform to the Certificate specification.
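The minimal Issuer-plus-Certificate pair described above, as an added example that is not part of the original page. It assumes a namespace named web, an nginx ingress controller that serves the placeholder domain www.example.com, and a placeholder contact address; it deliberately points at the Let's Encrypt staging endpoint, whose certificates are not browser-trusted but whose rate limits are generous, so that mistakes in the setup do not consume the production quota.

```yaml
# Added example: minimal Issuer + Certificate (assumed namespace "web",
# assumed nginx ingress, placeholder domain and e-mail).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: web
spec:
  acme:
    # Let's Encrypt staging directory: untrusted certs, relaxed rate limits
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com        # placeholder contact address
    privateKeySecretRef:
      # cert-manager creates this Secret to hold the ACME account key
      name: letsencrypt-staging-account-key
    solvers:
      # HTTP-01 challenge answered through the nginx ingress controller
      - http01:
          ingress:
            class: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-com
  namespace: web
spec:
  # Secret that will receive tls.crt and tls.key once the Order is ready
  secretName: www-example-com-tls
  dnsNames:
    - www.example.com             # placeholder domain
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
```

After `kubectl apply -f` on this file, `kubectl -n web get certificate,order` shows the Certificate and the Order cert-manager generated for it, and `kubectl -n web describe certificate www-example-com` reports the Ready condition and any challenge failures. Switching to production is a matter of changing the ACME server URL once the staging flow works end to end.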

Core Idea

cert-manager extends Kubernetes via Custom Resource Definitions to construct a system that manages TLS certificates—including ordering and renewal—with major Certificate Authorities like Let’s Encrypt.

Key Concepts

Public Key Cryptography

The underlying concepts explaining why TLS certificates are used and what role Certificate Authorities play on the web.

Automated Certificate Management

Let’s Encrypt was created in part to help secure the web by automating the issuing and renewal of valid TLS certificates. The ACME (Automatic Certificate Management Environment) protocol defines various “challenges” that a requester solves to prove that it controls the domain a certificate is requested for.

cert-manager provides a convenient mechanism and interface for interacting with Let’s Encrypt and other Certificate Authorities to manage TLS certificates in a Kubernetes cluster.

Custom Resource Definitions

The mechanism for extending Kubernetes with new resource types. The official documentation has more information.

Components

ClusterIssuers / Issuers

An Issuer is a namespaced resource representing a Certificate Authority that can issue x.509 certificates. For example, it may be configured against the Let’s Encrypt staging or production environment.

A ClusterIssuer is simply an Issuer that is cluster-scoped and therefore usable from any namespace.

Certificates

A Certificate is a namespaced resource that defines a desired x.509 certificate; cert-manager keeps the resulting private key and signed certificate in the Secret the Certificate names.
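An added example, not from the original page, covering the two components above together: a cluster-scoped ClusterIssuer for Let's Encrypt production, and a Certificate in a different namespace that references it through `issuerRef.kind: ClusterIssuer` and spells out the fields a fuller certificate specification usually carries. The namespace api, the nginx ingress class, the domain api.example.com and the contact address are assumptions.

```yaml
# Added example: ClusterIssuer + Certificate in another namespace
# (assumed namespace "api", assumed nginx ingress, placeholder domain/e-mail).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod          # cluster-scoped: no namespace field
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com      # placeholder contact address
    privateKeySecretRef:
      # For a ClusterIssuer this Secret lives in cert-manager's own namespace
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-example-com
  namespace: api                  # any namespace may reference a ClusterIssuer
spec:
  secretName: api-example-com-tls
  commonName: api.example.com     # placeholder domain
  dnsNames:
    - api.example.com
  duration: 2160h                 # requested lifetime: 90 days
  renewBefore: 720h               # begin renewal 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always        # generate a fresh private key on every renewal
  usages:
    - digital signature
    - server auth
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer           # must be set explicitly; the default is Issuer
    group: cert-manager.io
```

Two points worth checking in practice: the `duration` is only a request, and a CA such as Let's Encrypt issues its own fixed lifetime regardless, so `renewBefore` should be chosen against the lifetime actually issued; and `rotationPolicy: Always` is the safer setting, since the default keeps reusing the same private key across renewals, which lengthens the window in which a leaked key stays useful.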