Cert-Manager
Automate TLS certificate issuance and renewal on Kubernetes.
Time: ~15 minutes Difficulty: Intermediate
What You Will Learn
- Installing cert-manager with Helm
- Building a trust chain: SelfSigned issuer, CA certificate, CA issuer
- Requesting TLS certificates declaratively
- Automatic certificate provisioning via Ingress annotations
- Automatic renewal of short-lived certificates
Prerequisites
- Minikube with the ingress addon enabled:

```bash
minikube addons enable ingress
```
Quick Start (Scripted)
Navigate to the demo directory:

```bash
cd demos/cert-manager
```

Three scripts walk you through the entire demo interactively:

```bash
# 1. Install cert-manager
bash scripts/01-setup.sh

# 2. Run the interactive demo (pauses at each step)
bash scripts/02-demo.sh

# 3. Clean up
bash scripts/03-cleanup.sh
```

Manual Walkthrough
Step 1: Install cert-manager

```bash
helm repo add jetstack https://charts.jetstack.io
helm repo update

helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true
```

Wait for pods to be ready:

```bash
kubectl get pods -n cert-manager -w
```

Step 2: Create the trust chain
```bash
# Self-signed issuer (bootstrap only)
kubectl apply -f manifests/base/00-selfsigned-clusterissuer.yaml

# CA certificate signed by the self-signed issuer
kubectl apply -f manifests/base/01-ca-certificate.yaml

# CA-backed issuer for application certificates
kubectl apply -f manifests/base/02-ca-clusterissuer.yaml
```

Verify the chain:

```bash
kubectl get clusterissuers
kubectl get certificates -n cert-manager
```

Step 3: Issue a certificate
```bash
kubectl create namespace demo-apps
kubectl apply -f manifests/demo/01-simple-certificate.yaml
```

Check the certificate status:

```bash
kubectl get certificates -n demo-apps
kubectl describe certificate myapp-tls -n demo-apps
```

The certificate for myapp.example.com is now stored in the secret myapp-tls-secret.
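The page does not show the contents of the manifests that steps 2 and 3 apply. The following is an added example that reconstructs them from the page's description; it is not the demo's own files. The resource names (selfsigned-issuer, demo-ca, demo-ca-issuer, myapp-tls, myapp-tls-secret, myapp.example.com) come from the page, while the CA secret name demo-ca-secret and the key usages are assumptions.

```yaml
# Added example reconstructing manifests/base/*.yaml and
# manifests/demo/01-simple-certificate.yaml; not the demo's own files.
---
# 00-selfsigned-clusterissuer.yaml: bootstrap issuer. It signs exactly one
# thing, the CA certificate below; applications never reference it directly.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
# 01-ca-certificate.yaml: the CA key pair. It lives in the cert-manager
# namespace because a ClusterIssuer can only read secrets from that
# namespace (the "cluster resource namespace").
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: demo-ca
  secretName: demo-ca-secret   # assumed name; holds the CA's tls.crt and tls.key
  duration: 87600h             # 10 years, as the page describes
  privateKey:
    algorithm: ECDSA
    size: 256                  # P-256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
# 02-ca-clusterissuer.yaml: issuer backed by the CA key pair above.
# Everything it signs chains to demo-ca, so clients only need that one root.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: demo-ca-issuer
spec:
  ca:
    secretName: demo-ca-secret
---
# demo/01-simple-certificate.yaml: leaf certificate for the application.
# The issued secret is written into the Certificate's own namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myapp-tls
  namespace: demo-apps
spec:
  secretName: myapp-tls-secret
  commonName: myapp.example.com
  dnsNames:
    - myapp.example.com
  usages:                      # assumed; restricts the cert to TLS server use
    - digital signature
    - server auth
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: demo-ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
```

The separation between the self-signed bootstrap issuer and the CA-backed issuer is the point of the chain: application certificates are signed by demo-ca, never by the self-signed issuer, so a client that trusts the single demo-ca certificate trusts every leaf. Because a ClusterIssuer is cluster-wide, any namespace can request certificates from demo-ca-issuer; a namespaced Issuer is the tool to use when that should be limited to one team or namespace.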
Step 4: Automatic TLS via Ingress
```bash
kubectl apply -f manifests/demo/02-ingress-tls.yaml
```

This deploys an echoserver with an Ingress annotated with cert-manager.io/cluster-issuer. cert-manager creates a Certificate from the Ingress TLS block automatically, so no separate Certificate resource is needed.
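As an added example of what this step applies (a reconstruction, not the demo's manifests/demo/02-ingress-tls.yaml), here is an echoserver Deployment, Service and annotated Ingress. The cluster issuer name demo-ca-issuer is from the page; the host echo.example.com, the secret name echo-tls-secret, the ingress class and the container image are assumptions.

```yaml
# Added example; not the demo's own file. Host, secret name, ingress class
# and image are assumptions.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echoserver
  namespace: demo-apps
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echoserver
  template:
    metadata:
      labels:
        app: echoserver
    spec:
      containers:
        - name: echoserver
          image: registry.k8s.io/echoserver:1.10   # assumed image tag
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: echoserver
  namespace: demo-apps
spec:
  selector:
    app: echoserver
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echoserver
  namespace: demo-apps
  annotations:
    # cert-manager's ingress-shim watches this annotation and creates a
    # Certificate named after spec.tls[].secretName, issued by this ClusterIssuer.
    cert-manager.io/cluster-issuer: demo-ca-issuer
spec:
  ingressClassName: nginx          # minikube's ingress addon installs ingress-nginx
  tls:
    - hosts:
        - echo.example.com         # becomes the Certificate's dnsNames
      secretName: echo-tls-secret  # becomes the Certificate's name and secretName
  rules:
    - host: echo.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echoserver
                port:
                  number: 80
```

The ingress controller terminates TLS with the secret cert-manager fills in, and the secret also carries a ca.crt entry with the demo CA, which is what a client needs to trust for the connection to verify. Note that with a ClusterIssuer, anyone permitted to create an Ingress in any namespace can obtain a certificate from the demo CA for whatever host they put in the TLS block; that is fine for a lab, but in a shared cluster prefer a namespaced Issuer or an admission policy on the annotation.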
```bash
kubectl get certificates -n demo-apps
kubectl get secrets -n demo-apps
```

Step 5: Short-lived certificate with auto-renewal

```bash
kubectl apply -f manifests/demo/03-short-lived-cert.yaml
```

This creates a certificate with a 1-hour lifetime that renews at the 30-minute mark. Watch cert-manager renew it automatically:

```bash
kubectl get certificates -n demo-apps -w
```

What is Happening
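The short-lived certificate from step 5, as an added example reconstructed from the page's description (not the demo's manifests/demo/03-short-lived-cert.yaml, whose exact contents the page does not show). The issuer name demo-ca-issuer is from the page; the resource name short-lived-tls, the host and the rotationPolicy setting are assumptions.

```yaml
# Added example; not the demo's own file. Name, host and rotationPolicy are
# assumptions; the 1h lifetime and 30m renewal point are from the page.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: short-lived-tls
  namespace: demo-apps
spec:
  secretName: short-lived-tls-secret
  commonName: short.example.com
  dnsNames:
    - short.example.com
  duration: 1h          # lifetime of each issued certificate (1h is cert-manager's minimum)
  renewBefore: 30m      # renewal starts 30 minutes before notAfter, i.e. halfway through
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always   # generate a fresh private key at every renewal
  issuerRef:
    name: demo-ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
```

Two things to check when tuning these fields: renewBefore must be strictly smaller than duration or the webhook rejects the Certificate, and without rotationPolicy: Always the same private key is reused across renewals, so a short lifetime limits exposure of the certificate but not of the key. Renewal only rewrites the Secret; a pod that mounted it sees the new files after the kubelet syncs the volume, but the application still has to re-read them, so pair short-lived certificates with a server that reloads its TLS material.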
```
manifests/
  base/
    00-selfsigned-clusterissuer.yaml   # Bootstrap issuer
    01-ca-certificate.yaml             # 10-year CA cert (ECDSA P-256)
    02-ca-clusterissuer.yaml           # Issuer backed by the CA
  demo/
    01-simple-certificate.yaml         # TLS cert for myapp.example.com
    02-ingress-tls.yaml                # App + Ingress with auto-TLS
    03-short-lived-cert.yaml           # 1-hour cert for renewal demo
scripts/
  01-setup.sh                          # Installs cert-manager via Helm
  02-demo.sh                           # Interactive step-by-step walkthrough
  03-cleanup.sh                        # Removes demo resources
```

Trust chain flow:

```
SelfSigned ClusterIssuer
        |
        v
CA Certificate (cert-manager namespace)
        |
        v
CA ClusterIssuer (demo-ca-issuer)
        |
        v
Application Certificates (any namespace)
```

Cleanup
```bash
kubectl delete namespace demo-apps
kubectl delete clusterissuer demo-ca-issuer selfsigned-issuer
kubectl delete certificate demo-ca -n cert-manager
helm uninstall cert-manager -n cert-manager
kubectl delete namespace cert-manager
```

Or use the cleanup script:

```bash
bash scripts/03-cleanup.sh
```

Further Reading
See docs/deep-dive.md for a detailed explanation of the trust chain model, cert-manager CRDs, renewal mechanics, ACME issuers, RSA vs ECDSA, and production patterns.
Next Step
Move on to Redis to learn caching patterns with a live performance dashboard.