**cert-manager** is a [[Kubernetes]]-native certificate management controller that automates the issuance, renewal, and management of TLS certificates within a cluster. It integrates with ACME (Let's Encrypt), [[OpenBao]]/HashiCorp Vault, Venafi, and self-signed CAs — making "always-valid TLS everywhere" a solved problem.
---
### First Principle: Expired TLS certificates cause incidents. Automation eliminates the human forgetting problem.
Certificate expiry is one of the most common and embarrassing causes of production outages. cert-manager tracks certificate expiry and renews them automatically — typically 30 days before expiry. No human needs to remember. No cron job. No rotation runbook.
---
### Key Considerations
- **Issuers & ClusterIssuers**: cert-manager resources that define where certificates come from. A `ClusterIssuer` using ACME + Let's Encrypt automatically provisions publicly trusted certs. A `ClusterIssuer` using [[OpenBao]]'s PKI engine provisions internal certs.
- **Certificate CRD**: A `Certificate` resource declares what certificate you need — domain, duration, renewal threshold, secret name. cert-manager reconciles the actual cert in the named Secret.
- **Ingress Integration**: cert-manager monitors `Ingress` resources annotated with `cert-manager.io/cluster-issuer` and automatically provisions TLS certs for each hostname.
- **mTLS / Service Mesh**: cert-manager issues workload certificates for mutual TLS between services — the certificate layer beneath service meshes or SPIFFE/SPIRE.
- **ACME HTTP-01 & DNS-01**: For public certificates, cert-manager supports HTTP-01 challenge and DNS-01 challenge — the latter works for wildcard certificates and internal-only services.
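The pieces above fit together as a small set of manifests. The following is an added example, not configuration from cert-manager's own documentation or from this page: a `ClusterIssuer` backed by the Let's Encrypt staging endpoint with both an HTTP-01 and a DNS-01 solver, and an `Ingress` whose `cert-manager.io/cluster-issuer` annotation makes cert-manager create and renew the certificate for it. The issuer name `letsencrypt-staging`, the hostname `app.example.com`, the `web` namespace and Service, the `nginx` ingress class, the Cloudflare token Secret and the `ops@example.com` contact address are all assumed values.

```yaml
# Added example (not from the original page). Assumed names: letsencrypt-staging,
# app.example.com, namespace/Service "web", ingress class "nginx",
# Secret "cloudflare-api-token" holding a DNS-edit token for example.com.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging issues certificates from an untrusted CA but has generous rate
    # limits; point this at https://acme-v02.api.letsencrypt.org/directory
    # only once the challenge flow is known to work.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, created by cert-manager
    solvers:
      # Wildcards and hosts that are not reachable on port 80 from the
      # internet must use DNS-01; the selector routes *.example.com here.
      - selector:
          dnsZones:
            - example.com
        dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
      # Default solver: cert-manager creates a temporary Ingress rule for
      # /.well-known/acme-challenge/ on the nginx ingress class.
      - http01:
          ingress:
            ingressClassName: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: web
  annotations:
    # ingress-shim: cert-manager derives a Certificate from spec.tls below,
    # writes the key pair to the named Secret and renews it before expiry.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com
      secretName: app-example-com-tls   # consumed by the ingress controller
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
```

After applying these, the state to watch is the generated `Certificate` (`kubectl get certificate -n web` shows a `READY` column, and `kubectl describe certificate` lists the `Order` and `Challenge` events when issuance stalls). With the annotation route there is no `Certificate` manifest to maintain; when you need to pin `duration`, `renewBefore` or private-key rotation, write the `Certificate` yourself, as in the internal-CA example below the diagram, and leave the annotation off the Ingress so the two do not fight over the same Secret.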
---
### How It Fits
```
[[Kubernetes]] Ingress / Service resources
→ cert-manager (watches, requests, renews certs)
→ Let's Encrypt ACME / [[OpenBao]] PKI (issues certs)
→ TLS Secrets in Kubernetes (consumed by pods)
```
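The same reconciliation loop works against a private CA. The following is an added example, not the project's or the page's own configuration: a `ClusterIssuer` that signs through an [[OpenBao]] (Vault-compatible) PKI role using Kubernetes service-account authentication, and an explicit `Certificate` for a workload that needs both `server auth` and `client auth` usages for mutual TLS. The server address `openbao.platform.svc:8200`, the PKI mount and role `pki_int/sign/service-mesh`, the `openbao-ca` Secret, the `cert-manager` auth role and service account, and the `payments` namespace and SPIFFE URI are assumed; it also assumes a cert-manager release that supports `serviceAccountRef` under `auth.kubernetes`.

```yaml
# Added example (not from the original page). Assumed: OpenBao reachable at
# openbao.platform.svc:8200, a PKI role "service-mesh" under mount "pki_int",
# a Kubernetes auth role "cert-manager" bound to cert-manager's service
# account, and a Secret "openbao-ca" carrying the CA bundle under "ca.crt".
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: openbao-internal
spec:
  vault:
    server: https://openbao.platform.svc:8200
    path: pki_int/sign/service-mesh        # <mount>/sign/<role>; the role decides which SANs are allowed
    caBundleSecretRef:                      # trust the internal CA instead of the system bundle
      name: openbao-ca
      key: ca.crt
    auth:
      kubernetes:
        role: cert-manager
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:                  # cert-manager requests a short-lived projected token itself
          name: cert-manager
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-mtls
  namespace: payments
spec:
  secretName: payments-mtls                 # tls.crt, tls.key and ca.crt land here for the pod to mount
  commonName: payments.payments.svc.cluster.local
  dnsNames:
    - payments.payments.svc
    - payments.payments.svc.cluster.local
  uris:
    - spiffe://cluster.local/ns/payments/sa/payments   # identity a mesh/SPIFFE-aware peer can check
  duration: 24h                             # short lifetime: a leaked cert is useful for hours, not months
  renewBefore: 8h                           # renewal starts at the 16h mark
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                  # fresh key on every renewal, never reuse the old one
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth                           # both directions of an mTLS handshake
  issuerRef:
    name: openbao-internal
    kind: ClusterIssuer
    group: cert-manager.io
```

Two things to verify after issuance: the `Certificate` reports `Ready=True` (`kubectl get certificate -n payments`), and the certificate in the Secret actually carries the SANs and extended key usages you asked for, since the PKI role on the OpenBao side can silently narrow them (`kubectl get secret payments-mtls -n payments -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text`). Pods should mount the Secret as a volume rather than copying it into an environment variable, so the renewed file is picked up without a redeploy.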
[[Kubernetes]] | [[OpenBao]] | [[Keycloak]] | [[Traefik]] | [[HAProxy]] | [[Open Source Hyperscaler MoC]]