Cert-Manager in Thalassa Cloud Kubernetes

Cert-Manager is a Kubernetes-native certificate management solution that automates the provisioning, renewal, and management of TLS certificates. It integrates with Let’s Encrypt, HashiCorp Vault, and other certificate authorities (CAs) to ensure applications and services are securely encrypted.

Thalassa Cloud Kubernetes supports Cert-Manager as an optional component, allowing clusters to easily manage TLS certificates for Ingress controllers, Gateway API, internal services, and web applications.

How Cert-Manager Works

Cert-Manager runs as a controller in the Kubernetes cluster, monitoring CertificateRequests and automatically provisioning certificates using configured Issuers or ClusterIssuers.

Core Components:

Component | Description
--- | ---
Issuer | Namespace-scoped resource defining a certificate authority (CA) for certificate requests.
ClusterIssuer | Similar to an Issuer but applies to all namespaces in the cluster.
Certificate | Custom resource representing the desired TLS certificate.
CertificateRequest | Automatically created when a Certificate resource is submitted, triggering certificate issuance.
ACME Solver | Handles automated certificate challenges for Let’s Encrypt or other ACME-compatible issuers.

Cert-Manager simplifies TLS management by automating renewal and avoiding the need for manual certificate provisioning.

Enabling Cert-Manager in Thalassa Cloud

Since Cert-Manager is an optional component, it may need to be enabled if not already running in the cluster.

Checking if Cert-Manager is Installed

Run the following command to verify if Cert-Manager is available:

kubectl get pods -n cert-manager

If Cert-Manager is installed, you should see pods running in the cert-manager namespace.

Installing Cert-Manager (manual)

If Cert-Manager is not running, it can be installed using Helm:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true

Once installed, Cert-Manager is ready to issue and manage TLS certificates.

Configuring an Issuer

An Issuer is required to generate certificates. The following example sets up a Let’s Encrypt Issuer using the ACME protocol.

Example: Let’s Encrypt Staging Issuer

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    email: user@example.com  # placeholder: replace with the mailbox that should receive expiry notices
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging-key
    solvers:
    - http01:
        ingress:
          class: nginx

Apply the Issuer:

kubectl apply -f issuer.yaml

This Issuer uses HTTP-01 challenge verification via an NGINX Ingress controller.

For production, replace the staging server URL (acme-staging-v02) with https://acme-v02.api.letsencrypt.org/directory.

Requesting a TLS Certificate

After an Issuer is configured, a Certificate resource can be created to request a TLS certificate.

Example: Creating a Certificate for an Ingress Service

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-tls
  namespace: default
spec:
  secretName: example-com-tls-secret
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
  dnsNames:
  - example.com
  - www.example.com

Apply the certificate request:

kubectl apply -f certificate.yaml

Cert-Manager will automatically request a TLS certificate and store it in a Kubernetes Secret named example-com-tls-secret.

This Secret can be referenced in an Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/issuer: letsencrypt-staging
spec:
  tls:
  - hosts:
    - example.com
    - www.example.com
    secretName: example-com-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80

Once applied, Cert-Manager provisions a TLS certificate for the listed hosts and stores it in the named Secret; the Ingress serves that certificate because its tls section references the same Secret.
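The Issuer, Certificate and Ingress above only work together when their names line up: the issuerRef must resolve to an Issuer in the same namespace (or to a ClusterIssuer), the Ingress must reference the Certificate's Secret, every host in the Ingress tls block must be covered by the Certificate's dnsNames, and the HTTP-01 solver's ingress class must match the class the Ingress actually uses. The following pre-apply check is an added example, not code from Thalassa Cloud or the cert-manager project. It works on the parsed form of the manifests (the dicts below mirror the YAML on this page, with a placeholder e-mail address; a real run would load issuer.yaml, certificate.yaml and the Ingress file with a YAML parser) and reports the mismatches that most often leave a Certificate pending.

```python
"""Cross-check cert-manager Issuer, Certificate and Ingress manifests before applying them."""
import copy
from typing import Any, Dict, List, Optional

Manifest = Dict[str, Any]

# Constructed sample: the three manifests from this page, already parsed.
PAGE_MANIFESTS: List[Manifest] = [
    {"apiVersion": "cert-manager.io/v1", "kind": "Issuer",
     "metadata": {"name": "letsencrypt-staging", "namespace": "default"},
     "spec": {"acme": {"email": "user@example.com",  # placeholder address
                       "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
                       "privateKeySecretRef": {"name": "letsencrypt-staging-key"},
                       "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}},
    {"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
     "metadata": {"name": "example-com-tls", "namespace": "default"},
     "spec": {"secretName": "example-com-tls-secret",
              "issuerRef": {"name": "letsencrypt-staging", "kind": "Issuer"},
              "dnsNames": ["example.com", "www.example.com"]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "example-ingress",
                  "annotations": {"kubernetes.io/ingress.class": "nginx",
                                  "cert-manager.io/issuer": "letsencrypt-staging"}},
     "spec": {"tls": [{"hosts": ["example.com", "www.example.com"],
                       "secretName": "example-com-tls-secret"}],
              "rules": [{"host": "example.com"}]}},
]


def namespace_of(m: Manifest) -> str:
    """Namespace a manifest lands in when applied without -n."""
    return m.get("metadata", {}).get("namespace", "default")


def ingress_class(ing: Manifest) -> str:
    """Prefer spec.ingressClassName, fall back to the legacy annotation."""
    spec_class = ing.get("spec", {}).get("ingressClassName")
    annotation = ing.get("metadata", {}).get("annotations", {}).get("kubernetes.io/ingress.class")
    return spec_class or annotation or ""


def solver_classes(issuer: Manifest) -> set:
    """Ingress classes targeted by the issuer's HTTP-01 solvers (either field spelling)."""
    classes = set()
    for solver in issuer.get("spec", {}).get("acme", {}).get("solvers", []):
        ing = solver.get("http01", {}).get("ingress", {})
        cls = ing.get("class") or ing.get("ingressClassName")
        if cls:
            classes.add(cls)
    return classes


def resolve_issuer(cert: Manifest, manifests: List[Manifest]) -> Optional[Manifest]:
    """Find the Issuer/ClusterIssuer a Certificate's issuerRef points at, or None."""
    ref = cert["spec"]["issuerRef"]
    kind = ref.get("kind", "Issuer")  # cert-manager defaults the kind to Issuer
    for m in manifests:
        if m["kind"] != kind or m["metadata"]["name"] != ref["name"]:
            continue
        # An Issuer is namespace-scoped; a ClusterIssuer is visible everywhere.
        if kind == "Issuer" and namespace_of(m) != namespace_of(cert):
            continue
        return m
    return None


def lint_manifests(manifests: List[Manifest]) -> List[str]:
    """Return one human-readable problem per mismatch; an empty list means consistent."""
    problems: List[str] = []
    for cert in (m for m in manifests if m["kind"] == "Certificate"):
        cname = f"{namespace_of(cert)}/{cert['metadata']['name']}"
        ref = cert["spec"]["issuerRef"]
        issuer = resolve_issuer(cert, manifests)
        if issuer is None:
            problems.append(f"{cname}: issuerRef {ref.get('kind', 'Issuer')}/{ref['name']} not found")
            continue
        covered = set(cert["spec"].get("dnsNames", []))
        secret = cert["spec"]["secretName"]
        for ing in (m for m in manifests if m["kind"] == "Ingress"):
            if namespace_of(ing) != namespace_of(cert):
                continue
            iname = ing["metadata"]["name"]
            for tls in ing["spec"].get("tls", []):
                if tls.get("secretName") != secret:
                    continue
                missing = sorted(set(tls.get("hosts", [])) - covered)
                if missing:
                    problems.append(f"{cname}: Ingress {iname} serves {missing} but the Certificate does not cover them")
                classes = solver_classes(issuer)
                if classes and ingress_class(ing) and ingress_class(ing) not in classes:
                    problems.append(f"{cname}: HTTP-01 solver targets class {sorted(classes)} but Ingress {iname} uses {ingress_class(ing)}")
    return problems


def mismatched_manifests() -> List[Manifest]:
    """Constructed broken variant: Ingress on another class with an uncovered host."""
    ms = copy.deepcopy(PAGE_MANIFESTS)
    ms[2]["metadata"]["annotations"]["kubernetes.io/ingress.class"] = "traefik"
    ms[2]["spec"]["tls"][0]["hosts"].append("api.example.com")
    return ms


def missing_issuer_manifests() -> List[Manifest]:
    """Constructed broken variant: issuerRef names an Issuer that was never applied."""
    ms = copy.deepcopy(PAGE_MANIFESTS)
    ms[1]["spec"]["issuerRef"]["name"] = "letsencrypt-prod"
    return ms


if __name__ == "__main__":
    for label, ms in (("page manifests", PAGE_MANIFESTS),
                      ("mismatched", mismatched_manifests()),
                      ("missing issuer", missing_issuer_manifests())):
        print(label + ":", lint_manifests(ms) or "OK")
```

The check deliberately accepts both the `class` and `ingressClassName` spellings of the solver field and both the `spec.ingressClassName` field and the legacy annotation on the Ingress, because a mismatch between the two sides is the usual reason an HTTP-01 challenge is routed to a controller that never sees it.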

Monitoring and Troubleshooting

Checking the Status of a Certificate Request

To check if a certificate has been issued successfully:

kubectl describe certificate example-com-tls -n default

If the certificate is stuck in a pending state, inspect the events in the Certificate's own namespace (default in this example), which is where Cert-Manager records progress for the Certificate and its Order and Challenge resources:

kubectl get events -n default

To check Cert-Manager logs:

kubectl logs -l app=cert-manager -n cert-manager

Common Issues

Issue | Solution
--- | ---
Certificate not issued | Ensure the Issuer or ClusterIssuer is correctly configured. Check logs for errors.
HTTP-01 challenge failing | Verify that the Ingress controller is correctly configured and accessible.
Certificate renewal failing | Check that Cert-Manager has permission to update the certificate Secret.
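The status block that `kubectl describe certificate` prints is the quickest way to tell the three issues above apart: a Ready condition of False with an Issuing condition of True means the first issuance is still in flight, while a Ready condition of True combined with a renewalTime in the past means the scheduled renewal never produced a new revision. The script below is an added example, not code from Thalassa Cloud or the cert-manager project. It reads the JSON form of a Certificate (`kubectl get certificate example-com-tls -n default -o json`) and summarises readiness, days to expiry and overdue renewals; the two documents embedded in it are constructed samples using the status fields cert-manager sets (conditions, notBefore, notAfter, renewalTime, revision).

```python
"""Summarise a cert-manager Certificate's status from kubectl JSON output."""
import json
import sys
from datetime import datetime, timezone

# Constructed sample: an issued certificate whose renewal window has already passed.
SAMPLE_ISSUED = json.dumps({
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "example-com-tls", "namespace": "default"},
    "spec": {"secretName": "example-com-tls-secret",
             "issuerRef": {"name": "letsencrypt-staging", "kind": "Issuer"},
             "dnsNames": ["example.com", "www.example.com"]},
    "status": {
        "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                        "message": "Certificate is up to date and has not expired",
                        "lastTransitionTime": "2024-03-01T09:05:00Z"}],
        "notBefore": "2024-03-01T09:00:00Z",
        "notAfter": "2024-05-30T09:00:00Z",
        "renewalTime": "2024-04-30T09:00:00Z",
        "revision": 1,
    },
})

# Constructed sample: a certificate that has never been issued (its Secret does not exist yet).
SAMPLE_PENDING = json.dumps({
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "example-com-tls", "namespace": "default"},
    "spec": {"secretName": "example-com-tls-secret",
             "issuerRef": {"name": "letsencrypt-staging", "kind": "Issuer"},
             "dnsNames": ["example.com"]},
    "status": {"conditions": [
        {"type": "Ready", "status": "False", "reason": "DoesNotExist",
         "message": "Issuing certificate as Secret does not exist"},
        {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
         "message": "Issuing certificate as Secret does not exist"}]},
})


def parse_utc(value: str) -> datetime:
    """cert-manager writes RFC 3339 timestamps with a literal Z suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarise(doc_json: str, now_utc: str, warn_days: int = 14) -> dict:
    """Return readiness, whole days left and a list of warnings for one Certificate."""
    doc = json.loads(doc_json)
    now = parse_utc(now_utc)
    status = doc.get("status", {})
    conditions = {c["type"]: c for c in status.get("conditions", [])}
    ready = conditions.get("Ready", {})
    result = {
        "name": f"{doc['metadata'].get('namespace', 'default')}/{doc['metadata']['name']}",
        "ready": ready.get("status") == "True",
        "reason": ready.get("reason", "Unknown"),
        "days_left": None,
        "warnings": [],
    }
    if not result["ready"]:
        result["warnings"].append(f"not ready ({result['reason']}): {ready.get('message', '')}")
        if conditions.get("Issuing", {}).get("status") == "True":
            # Issuance is in flight: the Order and Challenge resources in this
            # namespace carry the ACME-side detail (for example an HTTP-01 failure).
            result["warnings"].append("issuance in progress; describe the Order and Challenge resources")
    if "notAfter" in status:
        expiry = parse_utc(status["notAfter"])
        days_left = int((expiry - now).total_seconds() // 86400)
        result["days_left"] = days_left
        if expiry <= now:
            result["warnings"].append("certificate has expired")
        elif days_left < warn_days:
            result["warnings"].append(f"expires in {days_left} days")
    if result["ready"] and "renewalTime" in status and parse_utc(status["renewalTime"]) <= now:
        # Still Ready with renewalTime in the past: the scheduled renewal has not
        # produced a new revision, which is the "renewal failing" case above.
        result["warnings"].append(f"renewal overdue since {status['renewalTime']}")
    return result


if __name__ == "__main__":
    # Pipe kubectl's JSON in; with no input the constructed issued sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ISSUED
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(json.dumps(summarise(raw, now), indent=2))
```

The `now_utc` argument is explicit rather than read from the clock inside `summarise` so the same logic can be exercised against historical timestamps; `warn_days` is the threshold at which an approaching expiry becomes a warning, and a certificate that is both within that window and past its renewalTime is exactly the one to chase with the logs command above.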

Summary

Cert-Manager automates TLS certificate provisioning and renewal in Thalassa Cloud Kubernetes, reducing manual intervention and improving security for applications.

Best Practices:

  • Use Let’s Encrypt or an internal CA to automate TLS management.
  • Monitor certificate expiration dates and renewals to prevent downtime.
  • Use ClusterIssuers for organization-wide certificate management.
  • Regularly review logs and events for troubleshooting certificate issues.

By leveraging Cert-Manager, teams can ensure secure, automated TLS encryption for applications running in Thalassa Cloud Kubernetes.