What is Kubernetes cert-manager?
What is cert manager?
Cert-manager is a Kubernetes add-on designed to assist with the creation and management of TLS certificates. Similar to Certbot, cert-manager can automate the process of creating and renewing self-signed and signed certificates for a large number of use cases, with a specific focus on container orchestration tools like Kubernetes.
Note: This guide assumes a working knowledge of key Kubernetes concepts, including master and worker nodes, Pods, Deployments, and Services. For more information on Kubernetes, see our Beginner’s Guide to Kubernetes series.
Understanding Cert Manager Concepts
Cert-Manager is divided into a number of components and microservices that are each designed to perform specific tasks necessary for the certificate lifecycle.
Issuers and ClusterIssuers
Certificate creation begins with Issuers and ClusterIssuers, resources that represent certificate authorities and are able to generate signed certificates using a specific issuer type. An issuer type represents the method used to create your certificate, such as SelfSigned for a self-signed certificate and ACME for requesting certificates from ACME servers, typically used with services like Let’s Encrypt. All supported issuer types are listed in cert-manager’s documentation.
While Issuer resources are only able to create certificates in the namespace they were created in, ClusterIssuers can create certificates for all namespaces. This guide provides an example that demonstrates how a ClusterIssuer creates certificates for all namespaces in the cluster.
Certificates and CertificateRequests
Although Issuers are responsible for defining the method used to create a certificate, a Certificate resource must also be created to define how a certificate is renewed and kept up to date.
After a Certificate resource is created or changed, or the certificate it references needs renewal, cert-manager creates a corresponding CertificateRequest resource, which contains the base64-encoded x509 certificate signing request (CSR). If the request succeeds, the CertificateRequest also holds the signed certificate that was returned, and cert-manager updates its Ready condition status to True.
Note: A CertificateRequest resource is not designed to be interacted with by a user directly; it is instead used by controllers or similar automation where needed.
ACME Orders and Challenges
For external certificates from ACME servers, cert-manager must be able to solve ACME challenges in order to prove ownership of DNS names and addresses being requested.
An Order resource represents and encapsulates the multiple ACME challenges the certificate request requires for domain validation. The Order resource is created automatically when a CertificateRequest referencing an ACME Issuer or ClusterIssuer has been created.
Challenge resources represent all of the steps in an ACME challenge that must be completed for domain validation. Although defined by the Order, a separate Challenge resource is created for each DNS name being validated, and each is scheduled separately.
ACME Order and Challenge resources are only created for Issuers and ClusterIssuers with a type of ACME.
Note: An Order or Challenge resource is never created manually by a user; they are instead defined through CertificateRequest resources and the Issuer type. After it is issued, Order and Challenge resources cannot be changed.
This feature includes the ability to request certificates through Let’s Encrypt.
Installing Cert-Manager
Cert-Manager can be easily installed through a single command as follows:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.yaml
As the installation completes, you should see a number of required resources created, including a cert-manager namespace, RBAC rules, CRDs, and a webhook component. To confirm that the installation was a success, enter the following:
kubectl get pods --namespace cert-manager
The output is similar to the following:
NAME READY STATUS RESTARTS AGE
cert-manager-766d5c494b-l9sdb 1/1 Running 0 19m
cert-manager-cainjector-6649bbb695-bz999 1/1 Running 0 19m
cert-manager-webhook-68d464c8b-86tqw 1/1 Running 0 19m
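As an added example (not part of the original guide), the manifests below tie the concepts above together for the v0.15.0 release installed here: a cluster-scoped ACME ClusterIssuer pointed at Let’s Encrypt’s staging endpoint, and a namespaced Certificate that references it, which drives the CertificateRequest, Order and Challenge chain. The contact email, the nginx ingress class, and the example.com DNS names are placeholder assumptions, and HTTP-01 validation only succeeds if those names resolve to the cluster’s ingress; the staging endpoint issues certificates browsers do not trust, which makes it the right place to exercise the flow without consuming production rate limits.

```yaml
# Added example (not from the original guide). apiVersion cert-manager.io/v1alpha2
# matches the v0.15.0 release installed above; cert-manager v1.0+ uses cert-manager.io/v1.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  # A ClusterIssuer is cluster-scoped, so there is no metadata.namespace here.
  name: letsencrypt-staging
spec:
  acme:
    # Staging endpoint: untrusted certificates, generous rate limits.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com               # placeholder contact address
    privateKeySecretRef:
      # ACME account key; for a ClusterIssuer this Secret is stored in the
      # cert-manager namespace rather than alongside the Certificate.
      name: letsencrypt-staging-account-key
    solvers:
      # HTTP-01 solver: cert-manager serves the challenge token through a
      # temporary Ingress route; assumes an ingress controller of class nginx.
      - http01:
          ingress:
            class: nginx
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com-tls
  namespace: default                       # Certificates are namespaced
spec:
  # The signed certificate and private key land in this Secret, in the same namespace.
  secretName: example-com-tls
  duration: 2160h                          # 90 days, the Let's Encrypt certificate lifetime
  renewBefore: 360h                        # start renewal 15 days before expiry
  commonName: example.com                  # placeholder domains
  dnsNames:
    - example.com
    - www.example.com
  issuerRef:
    name: letsencrypt-staging
    # kind must be ClusterIssuer to reach the cluster-scoped issuer; with the
    # default kind (Issuer) cert-manager looks only in the Certificate's namespace.
    kind: ClusterIssuer
    group: cert-manager.io
```

Apply the file with kubectl apply -f and watch the chain with kubectl get certificate,certificaterequest,order,challenge -n default; the Certificate’s Ready condition turns True once the Challenge for each DNS name has been validated and the signed certificate is written to the Secret.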
Next Steps
To learn how to apply some of the concepts learned in this guide, see the Configuring Load Balancing with TLS Encryption on a Kubernetes Cluster guide.