cert-manager
Each cluster automatically deploys cert-manager together with the Certificate resources it needs.
cert-manager is a Kubernetes-native certificate management controller that issues and manages TLS certificates from Certificate resources. Many components in a cluster rely on cert-manager for their TLS certificates, which keeps their communication encrypted and authenticated.
Overview
cert-manager manages the certificate lifecycle through Kubernetes Custom Resource Definitions (CRDs):
- Certificate: Defines a certificate that cert-manager should issue and keep valid
- Issuer/ClusterIssuer: Defines a certificate issuer (namespaced or cluster-wide)
- CertificateRequest: Intermediate resource that carries a single signing request to the issuer
How it works
When a Certificate resource is created, cert-manager automatically:
- Generates a private key and a certificate signing request (CSR)
- Obtains a signed certificate from the Issuer or ClusterIssuer named in the Certificate's issuerRef
- Stores the certificate and its private key in the Kubernetes Secret named by the Certificate's secretName (keys tls.crt and tls.key); because that Secret holds the private key, RBAC access to it should be restricted to the workloads that need it
cert-manager also tracks each certificate's validity period and renews it before it expires (by default once two thirds of its lifetime has elapsed, or earlier if the Certificate sets renewBefore), so service availability is not interrupted.
Identifying cert-manager Managed Certificates
Certificates managed by cert-manager have corresponding Secret resources with type kubernetes.io/tls and specific labels and annotations.
Common Labels and Annotations
Secret resources managed by cert-manager typically contain the following labels and annotations:
Labels:
- controller.cert-manager.io/fao: "true": Identifies the Secret as managed by cert-manager and lets the controller cache only these Secrets (filtered Secret caching).
Annotations:
- cert-manager.io/certificate-name: Name of the Certificate resource
- cert-manager.io/common-name: Common name of the certificate
- cert-manager.io/alt-names: DNS Subject Alternative Names of the certificate
- cert-manager.io/ip-sans: IP address Subject Alternative Names of the certificate
- cert-manager.io/issuer-kind: Kind of the issuer (Issuer or ClusterIssuer)
- cert-manager.io/issuer-name: Name of the issuer
- cert-manager.io/issuer-group: API group of the issuer
- cert-manager.io/uri-sans: URI Subject Alternative Names of the certificate
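As an added example (not code from this page or from the cert-manager project), the following Python models the two rules described above offline: when cert-manager will renew a certificate, and how to pick cert-manager-managed TLS Secrets out of a `kubectl get secrets -A -o json` dump using the label and annotations listed. The Certificate manifest, Secret list, namespace and names are constructed sample data, the duration parser is an assumption that handles only the h/m/s units, and the renewal rule implemented is cert-manager's default (renew at two thirds of the issued lifetime unless spec.renewBefore is set and shorter than that lifetime).

```python
# Added example (not from the page or the cert-manager project): an offline model of
# (1) when cert-manager renews a certificate and (2) how to pick cert-manager-managed
# TLS Secrets out of `kubectl get secrets -A -o json`. All objects below are constructed.
import re
from datetime import datetime, timedelta, timezone

FAO_LABEL = "controller.cert-manager.io/fao"
CERT_NAME = "cert-manager.io/certificate-name"
_UNIT = re.compile(r"(\d+(?:\.\d+)?)([hms])")
_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_go_duration(value: str) -> timedelta:
    """Parse Go-style durations such as '2160h' or '1h30m' (assumption: only h, m, s)."""
    seconds, pos = 0.0, 0
    for m in _UNIT.finditer(value):
        if m.start() != pos:  # reject anything between components
            raise ValueError(f"bad duration: {value!r}")
        seconds += float(m.group(1)) * _SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"bad duration: {value!r}")
    return timedelta(seconds=seconds)


def renewal_time(spec: dict, not_before: datetime, not_after: datetime) -> datetime:
    """When cert-manager will renew the certificate issued for this Certificate spec.

    The lifetime is taken from the signed certificate, not spec.duration, because an
    issuer may return a shorter certificate than requested. Without a renewBefore, or
    with one that is not shorter than the lifetime, renewal happens at 2/3 of the lifetime.
    """
    lifetime = not_after - not_before
    renew_before = lifetime / 3
    if "renewBefore" in spec:
        override = parse_go_duration(spec["renewBefore"])
        if override < lifetime:
            renew_before = override
    return (not_after - renew_before).replace(microsecond=0)


def managed_tls_secrets(secret_list: dict) -> list:
    """One row per kubernetes.io/tls Secret that carries cert-manager's markers.

    The fao label marks Secrets the controller caches; the certificate-name annotation
    ties a Secret to a specific Certificate. Either counts as evidence, but only
    TLS-typed Secrets are reported, so labelled non-TLS Secrets are dropped.
    """
    rows = []
    for item in secret_list.get("items", []):
        if item.get("type") != "kubernetes.io/tls":
            continue
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        ann = meta.get("annotations") or {}
        if labels.get(FAO_LABEL) != "true" and CERT_NAME not in ann:
            continue
        rows.append({
            "namespace": meta.get("namespace"),
            "name": meta.get("name"),
            "certificate": ann.get(CERT_NAME),
            "issuer": f"{ann.get('cert-manager.io/issuer-kind')}/{ann.get('cert-manager.io/issuer-name')}",
            "dns_names": [n for n in ann.get("cert-manager.io/alt-names", "").split(",") if n],
        })
    return rows


# Constructed Certificate manifest; names and namespace are invented for the example.
SAMPLE_CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "api-server-tls", "namespace": "demo"},
    "spec": {
        "secretName": "api-server-tls",
        "duration": "2160h",    # 90 days requested
        "renewBefore": "360h",  # renew 15 days before expiry
        "dnsNames": ["api.demo.svc", "api.demo.svc.cluster.local"],
        "issuerRef": {"name": "demo-ca", "kind": "ClusterIssuer", "group": "cert-manager.io"},
    },
}

# Constructed stand-in for `kubectl get secrets -A -o json`; key material omitted.
SAMPLE_SECRETS = {"apiVersion": "v1", "kind": "List", "items": [
    {"type": "kubernetes.io/tls",
     "metadata": {"name": "api-server-tls", "namespace": "demo",
                  "labels": {FAO_LABEL: "true"},
                  "annotations": {CERT_NAME: "api-server-tls",
                                  "cert-manager.io/common-name": "api.demo.svc",
                                  "cert-manager.io/alt-names": "api.demo.svc,api.demo.svc.cluster.local",
                                  "cert-manager.io/issuer-kind": "ClusterIssuer",
                                  "cert-manager.io/issuer-name": "demo-ca",
                                  "cert-manager.io/issuer-group": "cert-manager.io"}}},
    # hand-made TLS Secret: right type, no cert-manager markers
    {"type": "kubernetes.io/tls", "metadata": {"name": "legacy-ingress-tls", "namespace": "demo"}},
    # labelled so the controller caches it, but not a TLS Secret
    {"type": "Opaque", "metadata": {"name": "demo-ca-material", "namespace": "cert-manager",
                                    "labels": {FAO_LABEL: "true"}}},
]}

if __name__ == "__main__":
    not_before = datetime(2024, 1, 1, tzinfo=timezone.utc)
    not_after = not_before + timedelta(hours=2160)  # the CA honoured the full 90 days
    print("renews at", renewal_time(SAMPLE_CERTIFICATE["spec"], not_before, not_after))
    for row in managed_tls_secrets(SAMPLE_SECRETS):
        print(row)
```

Against a real cluster, replace SAMPLE_SECRETS with `json.load(sys.stdin)` fed from `kubectl get secrets -A -o json`; adding `-l controller.cert-manager.io/fao=true` to that command makes the API server return only the labelled Secrets, and the function still discards any that are not of type kubernetes.io/tls.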