
Cert-Manager

Automate TLS certificate issuance and renewal on Kubernetes.

Time: ~15 minutes · Difficulty: Intermediate

  • Installing cert-manager with Helm
  • Building a trust chain: SelfSigned issuer, CA certificate, CA issuer
  • Requesting TLS certificates declaratively
  • Automatic certificate provisioning via Ingress annotations
  • Automatic renewal of short-lived certificates
  • Minikube with the ingress addon enabled:
    minikube addons enable ingress

Navigate to the demo directory:

cd demos/cert-manager

Three scripts walk you through the entire demo interactively:

# 1. Install cert-manager
bash scripts/01-setup.sh
# 2. Run the interactive demo (pauses at each step)
bash scripts/02-demo.sh
# 3. Clean up
bash scripts/03-cleanup.sh

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true

Wait for pods to be ready:

kubectl get pods -n cert-manager -w
# Self-signed issuer (bootstrap only)
kubectl apply -f manifests/base/00-selfsigned-clusterissuer.yaml
# CA certificate signed by the self-signed issuer
kubectl apply -f manifests/base/01-ca-certificate.yaml
# CA-backed issuer for application certificates
kubectl apply -f manifests/base/02-ca-clusterissuer.yaml

Verify the chain:

kubectl get clusterissuers
kubectl get certificates -n cert-manager
kubectl create namespace demo-apps
kubectl apply -f manifests/demo/01-simple-certificate.yaml

Check the certificate status:

kubectl get certificates -n demo-apps
kubectl describe certificate myapp-tls -n demo-apps

The certificate for myapp.example.com is now stored in secret myapp-tls-secret.

kubectl apply -f manifests/demo/02-ingress-tls.yaml

This deploys an echoserver behind an Ingress annotated with cert-manager.io/cluster-issuer. Cert-manager creates the Certificate automatically from the Ingress TLS block; no separate Certificate resource is needed.

kubectl get certificates -n demo-apps
kubectl get secrets -n demo-apps

Step 5: Short-lived certificate with auto-renewal

kubectl apply -f manifests/demo/03-short-lived-cert.yaml

This creates a certificate with a 1-hour lifetime that renews at the 30-minute mark. Watch cert-manager renew it automatically:

kubectl get certificates -n demo-apps -w

manifests/
  base/
    00-selfsigned-clusterissuer.yaml   # Bootstrap issuer
    01-ca-certificate.yaml             # 10-year CA cert (ECDSA P-256)
    02-ca-clusterissuer.yaml           # Issuer backed by the CA
  demo/
    01-simple-certificate.yaml         # TLS cert for myapp.example.com
    02-ingress-tls.yaml                # App + Ingress with auto-TLS
    03-short-lived-cert.yaml           # 1-hour cert for renewal demo
scripts/
  01-setup.sh                          # Installs cert-manager via Helm
  02-demo.sh                           # Interactive step-by-step walkthrough
  03-cleanup.sh                        # Removes demo resources

Trust chain flow:

SelfSigned ClusterIssuer (selfsigned-issuer)
        |
        v
CA Certificate (demo-ca, cert-manager namespace)
        |
        v
CA ClusterIssuer (demo-ca-issuer)
        |
        v
Application Certificates (any namespace)
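The manifests the chain above applies are not shown on this page. The following is an added reconstruction (not the repository's own files) using the resource names the page gives (selfsigned-issuer, demo-ca, demo-ca-issuer); the secret names, the short-lived certificate's name and its hostname are assumptions.

```yaml
# Assumed reconstruction of the demo's trust chain and short-lived certificate;
# not the repository's own manifests. Values marked "assumed" are not on the page.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer          # bootstrap only: signs nothing but the CA below
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-ca
  namespace: cert-manager          # CA secret must live in cert-manager's cluster resource namespace
spec:
  isCA: true
  commonName: demo-ca
  secretName: demo-ca-secret       # assumed name
  duration: 87600h                 # 10 years
  privateKey:
    algorithm: ECDSA
    size: 256                      # P-256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: demo-ca-issuer
spec:
  ca:
    secretName: demo-ca-secret     # same assumed name; read from the cert-manager namespace
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: short-lived-tls            # assumed name
  namespace: demo-apps
spec:
  secretName: short-lived-tls-secret  # assumed name
  dnsNames:
    - short-lived.example.com      # constructed hostname
  duration: 1h                     # cert-manager's minimum; matches the demo
  renewBefore: 30m                 # renew halfway through the lifetime
  privateKey:
    rotationPolicy: Always         # fresh private key on every renewal
  issuerRef:
    name: demo-ca-issuer
    kind: ClusterIssuer
```

To confirm an issued certificate really chains to the demo CA, `kubectl get secret myapp-tls-secret -n demo-apps -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -issuer -dates` should print demo-ca as the issuer together with the validity window; watching the short-lived certificate shows its NotBefore advancing roughly every 30 minutes.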
kubectl delete namespace demo-apps
kubectl delete clusterissuer demo-ca-issuer selfsigned-issuer
kubectl delete certificate demo-ca -n cert-manager
helm uninstall cert-manager -n cert-manager
kubectl delete namespace cert-manager

Or use the cleanup script:

bash scripts/03-cleanup.sh

See docs/deep-dive.md for a detailed explanation of the trust chain model, cert-manager CRDs, renewal mechanics, ACME issuers, RSA vs ECDSA, and production patterns.

Move on to Redis to learn caching patterns with a live performance dashboard.