TLS in Kubernetes with cert-manager: A Comprehensive Guide


This article will guide you through using TLS in Kubernetes with cert-manager, highlighting its benefits, setup, and best practices. TLS (Transport Layer Security) is essential for securing communication between clients and services in Kubernetes. Managing TLS certificates can be complex, but cert-manager simplifies the process by automating the issuance and renewal of certificates.

What is cert-manager?

cert-manager is an open-source Kubernetes add-on that automates the management and issuance of TLS certificates from various certificate authorities (CAs). It ensures certificates are up-to-date and helps maintain secure communication within your Kubernetes cluster.

Benefits of Using cert-manager

  • Automation: Automatically issues and renews TLS certificates.
  • Integration: Supports various CAs, including Let’s Encrypt.
  • Security: Ensures secure communication between services.
  • Ease of Use: Simplifies certificate management in Kubernetes.

Setting Up cert-manager

To use cert-manager in your Kubernetes cluster, you need to install cert-manager and configure it to issue certificates.

Installing cert-manager

Add the Jetstack Helm Repository:

helm repo add jetstack https://charts.jetstack.io
helm repo update

Install cert-manager using Helm:

kubectl create namespace cert-manager

helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.6.1 --set installCRDs=true

Verify the Installation:

kubectl get pods -n cert-manager

Configuring cert-manager

Once cert-manager is installed, you can configure it to issue certificates. Here’s how:

Create an Issuer or ClusterIssuer: An Issuer defines the CA for obtaining certificates. A ClusterIssuer is a cluster-wide version of Issuer. Example ClusterIssuer for Let’s Encrypt:

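apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com  # placeholder: use a monitored address you control
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx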

Apply the ClusterIssuer: kubectl apply -f clusterissuer.yaml

Create a Certificate Resource: Define a Certificate resource to request a TLS certificate. Example Certificate Resource:

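apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-app-tls
  namespace: default
spec:
  secretName: my-app-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - my-app.example.com  # placeholder: replace with your hostname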

Apply the Certificate resource: kubectl apply -f certificate.yaml

Using TLS in Kubernetes

Once cert-manager is configured, you can use the issued TLS certificates in your Kubernetes Ingress resources to secure your applications.

Securing Ingress with TLS

Example Ingress Resource with TLS:

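apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - my-app.example.com  # placeholder: replace with your hostname
    secretName: my-app-tls
  rules:
  - host: my-app.example.com  # placeholder: must match the TLS host above
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app
            port:
              number: 80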

Apply the Ingress resource: kubectl apply -f ingress.yaml

Verify the TLS Certificate: Ensure that the TLS certificate is correctly issued and attached to your Ingress resource by checking the status of the Ingress and Certificate resources:

kubectl describe ingress my-app-ingress
kubectl describe certificate my-app-tls

Best Practices for Using cert-manager

  • Monitor Certificates: Regularly monitor the status of certificates to ensure they are valid and not close to expiration.
  • Use ClusterIssuers: Prefer ClusterIssuers for cluster-wide certificate management.
  • Secure Email: Use a secure and monitored email address for ACME account notifications.
  • Leverage Annotations: Use cert-manager annotations to customize certificate requests and management.
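
One way to act on the "Monitor Certificates" practice, as an added example that is not part of the original article or of cert-manager itself: a small audit over the JSON that `kubectl get certificates -A -o json` returns, flagging Certificates that are not Ready or are close to `status.notAfter`. The function name `audit_certificates`, the 21-day threshold and the sample data are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `kubectl get certificates -A -o json`
# (cert-manager.io/v1 Certificate objects, trimmed to the fields used here).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "my-app-tls"},
     "status": {"notAfter": "2024-09-01T00:00:00Z",
                "conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"namespace": "default", "name": "expiring-tls"},
     "status": {"notAfter": "2024-06-10T00:00:00Z",
                "conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"namespace": "default", "name": "pending-tls"},
     "status": {"conditions": [{"type": "Ready", "status": "False",
                                "reason": "DoesNotExist"}]}},
]})


def audit_certificates(raw_json, now, warn_days=21):
    """Return (namespace/name, problem) for every Certificate needing attention."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        meta, status = item["metadata"], item.get("status", {})
        ident = f'{meta.get("namespace", "")}/{meta["name"]}'
        ready = next((c for c in status.get("conditions", [])
                      if c.get("type") == "Ready"), None)
        if ready is None or ready.get("status") != "True":
            reason = (ready or {}).get("reason", "no Ready condition")
            findings.append((ident, f"not ready: {reason}"))
            continue
        not_after = status.get("notAfter")
        if not_after is None:
            findings.append((ident, "ready but no notAfter recorded"))
            continue
        expires = datetime.strptime(
            not_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        remaining = expires - now
        if remaining <= timedelta(0):
            findings.append((ident, "expired"))
        elif remaining < timedelta(days=warn_days):
            findings.append((ident, f"expires in {remaining.days} days"))
    return findings


if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock for the sample
    for ident, problem in audit_certificates(SAMPLE, fixed_now):
        print(f"{ident}: {problem}")
```

Because cert-manager renews ahead of expiry, a Ready certificate that still falls inside the warning window usually means renewal is failing and the Certificate's events deserve a look.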


Using TLS in Kubernetes with cert-manager simplifies the process of managing and securing certificates. By automating certificate issuance and renewal, cert-manager ensures that your services maintain secure communication.

Follow the best practices outlined in this guide to efficiently manage TLS certificates and enhance the security of your Kubernetes deployments.


About HuuPV

My name is Huu. I love technology, especially DevOps skills such as Docker, Vagrant, Git, and so forth. I like open source, so I created to share the knowledge I have acquired. My job: IT system administrator. Hobbies: Summoners War game, gossip.