Cert-Manager is a Kubernetes-native certificate management solution. It automates the issuance, renewal, and management of TLS certificates for securing communication within and across Kubernetes clusters. Cert-Manager integrates with external certificate authorities (CAs) like Let’s Encrypt or private CAs and manages certificates as Kubernetes resources.
In a typical Cert-Manager setup, you will see three core components deployed as separate pods:
- cert-manager: The main controller responsible for managing certificate lifecycle operations. It watches for Kubernetes Certificate resources and interacts with issuers (e.g., ACME, Vault, or self-signed) to request, renew, or revoke certificates.
- cert-manager-webhook: A validating webhook that enforces the correctness of Certificate and Issuer resources before they are applied. This ensures that configurations are accurate and follow expected patterns, reducing the chance of misconfiguration.
- cert-manager-ca-injector: A helper component that automatically injects CA bundles into Kubernetes resources, such as MutatingWebhookConfiguration and ValidatingWebhookConfiguration, ensuring that custom controllers and admission webhooks can use the issued certificates without additional manual configuration.
Cert-Manager simplifies certificate management for workloads and APIs running in Kubernetes. For example, it can:
- Secure Ingress resources by automatically provisioning TLS certificates.
- Rotate expiring certificates seamlessly without downtime.
- Inject trusted certificates into services requiring mutual TLS.
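An added example, not from the original page, showing how the self-signed and private-CA issuer types mentioned above chain together: a self-signed ClusterIssuer signs a root CA Certificate, a CA ClusterIssuer then signs leaf certificates from that root, and a workload Certificate is issued and rotated ahead of expiry by the controller. Resource names, namespaces and DNS names are illustrative assumptions.

```yaml
# 1. Self-signed ClusterIssuer (illustrative names throughout), used only
#    to sign the root CA below.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap
spec:
  selfSigned: {}
---
# 2. Root CA. isCA: true makes cert-manager generate a CA-capable key pair
#    and store it in the named Secret, in the cert-manager namespace so a
#    ClusterIssuer can read it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-root
  namespace: cert-manager
spec:
  isCA: true
  commonName: internal-root
  secretName: internal-root-secret
  duration: 87600h   # 10 years
  issuerRef:
    name: selfsigned-bootstrap
    kind: ClusterIssuer
---
# 3. CA ClusterIssuer that signs leaf certificates with the root above.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-root-secret
---
# 4. Leaf certificate for a workload. The controller re-issues it once
#    renewBefore is reached, so the TLS Secret is rotated before expiry.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api
  namespace: payments
spec:
  secretName: payments-api-tls
  dnsNames:
    - payments-api.payments.svc
    - payments-api.payments.svc.cluster.local
  duration: 2160h    # 90 days
  renewBefore: 360h  # 15 days
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
```

Workloads that should trust this CA need the root certificate (the ca.crt key of internal-root-secret) distributed to them, for example via the ca-injector for admission webhooks.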