If you’ve ever run anything on Kubernetes, you know that “just running the app” is only half the battle. The other half is networking, and a huge part of that is securing your services with TLS (you know, the ‘S’ in HTTPS). Manually creating and renewing SSL certificates is a pain nobody should have to endure in the 21st century. It’s like churning your own butter.
This is where cert-manager enters the chat.
For the uninitiated, cert-manager is a native Kubernetes add-on that completely automates the management of your certificates. It’s the “set it and forget it” tool for TLS in your cluster. It watches for certificate needs, goes out and gets them from places like Let’s Encrypt, and shoves them into Kubernetes secrets for your Ingress controllers to use. And, most importantly, it renews them before they expire.
After using it for a while, I’ve gathered some thoughts on its highs and lows.
My Lab Configuration
For this test, I used the following:
Physical
- 2 x Raspberry Pi 5
- 2 x Raspberry Pi 4
- MSI NUC Mini PC: 32 cores, 32GB RAM and 250GB NVMe
- Router
- Dedicated 1Gbps network switch
Logical
- 4 (2 VMs) master/control plane nodes, running Ubuntu with k3s
- 4 (2 VMs) worker nodes, running Ubuntu with k3s
- Proxmox K8s cluster
Workloads/Services
- cert-manager
- Nginx
- Prometheus
- ArgoCD
The Good Stuff (The Advantages)
First off, cert-manager is amazing. The sheer convenience is a 10/10.
Automation is King: This is the whole point. You define a Certificate or ClusterIssuer resource (a simple YAML file) once, and cert-manager handles the rest. No more calendar reminders to “RENEW THE BLOG CERTIFICATE.” It prevents outages caused by someone (definitely not me) forgetting to renew a cert.
It’s “Free” (as in, Beer): It works beautifully with Let’s Encrypt, which means you can get browser-trusted certificates for all your services at the low, low price of $0.00.
Plays Well with Ingress: The integration is seamless. You can literally just add a few annotations to your Ingress resource, and cert-manager will see it, get a cert, and configure the Ingress to use it. It’s magic.
Flexible Challenges: It supports the two main ways to prove you own a domain:
HTTP01: Super easy. It just spins up a temporary pod to answer a challenge on your domain.
DNS01: More complex, but it lets you get wildcard certificates (like *.your-cool-app.com). This is a huge win.
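The three resources the list above talks about, as an added example that is not from the post: a shell script that renders a Let’s Encrypt ClusterIssuer with both an HTTP01 and a DNS01 solver, an explicit wildcard Certificate, and an Ingress carrying the cluster-issuer annotation, then pipes them to kubectl. The domain example.com, the e-mail address, the namespace apps, the service names and Cloudflare as the DNS provider are all assumptions; swap the dns01 solver for whatever hosts your DNS.

```shell
#!/bin/sh
# Added example, not from the post: render the ClusterIssuer, Certificate and
# annotated Ingress described above and pipe them to kubectl. Domain, e-mail,
# namespace, service names and Cloudflare as DNS provider are constructed.

# ClusterIssuer for Let's Encrypt with two solvers: DNS01 for names inside
# $zone (this is what makes wildcards possible; needs an API token stored in
# the Secret cloudflare-api-token), HTTP01 as the fallback for everything
# else (only needs port 80 reachable through the nginx ingress controller).
render_issuer() {
  name=$1; email=$2; zone=$3
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: $name
spec:
  acme:
    email: $email
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: $name-account-key   # ACME account key, created by cert-manager on first use
    solvers:
    - selector:
        dnsZones:
        - $zone
      dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
    - http01:
        ingress:
          class: nginx            # newer releases also accept ingressClassName
EOF
}

# Explicit Certificate, needed for the wildcard case that the Ingress
# annotation cannot express. The "*" must be quoted or YAML reads it as an alias.
render_certificate() {
  ns=$1; name=$2; issuer=$3; shift 3
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $name
  namespace: $ns
spec:
  secretName: $name-tls
  issuerRef:
    name: $issuer
    kind: ClusterIssuer
  dnsNames:
EOF
  for d in "$@"; do printf '  - "%s"\n' "$d"; done
}

# Ingress with the one annotation that makes cert-manager create a
# Certificate for the tls hosts by itself; the issued cert lands in secretName.
render_ingress() {
  ns=$1; name=$2; issuer=$3; host=$4; svc=$5; port=$6
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $name
  namespace: $ns
  annotations:
    cert-manager.io/cluster-issuer: $issuer
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - $host
    secretName: $name-tls
  rules:
  - host: $host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $svc
            port:
              number: $port
EOF
}

# Usage: sh tls-setup.sh apply   (without "apply" it only prints the YAML)
{
  render_issuer letsencrypt-prod admin@example.com example.com; echo ---
  render_certificate apps wildcard-example letsencrypt-prod '*.example.com' example.com; echo ---
  render_ingress apps blog letsencrypt-prod blog.example.com blog 8080
} | if [ "${1:-}" = apply ]; then kubectl apply -f -; else cat; fi
```

The solver order matters: cert-manager picks the solver whose selector matches most specifically, so the DNS01 entry with a dnsZones selector wins for anything under example.com and the selector-less HTTP01 entry catches the rest. The Ingress annotation path is enough for plain host names; the explicit Certificate is only there because a wildcard name cannot be requested through an Ingress.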
The “Gotchas” (The Drawbacks)
Look, it’s not all sunshine and rainbows. The magic is great until the magic breaks.
Troubleshooting is… an Adventure: When it works, it’s invisible. When it fails, good luck. The controller logs are often a firehose of information, and not always helpful. The real way to debug is to use kubectl describe on your Certificate, CertificateRequest, and Order resources. This is where you’ll find the actual error message, like “Invalid new order :: JWS verification error.”
The False Sense of Security: It’s so easy to set up that you can get lulled into thinking you’ll never have to touch it again. But then, Let’s Encrypt has a rate limit you didn’t know about, or your DNS provider’s API key expires, and suddenly your certs aren’t renewing.
Configuration Can Be Fiddly: The HTTP01 challenge is easy, but it requires your service to be reachable on port 80. The DNS01 challenge is more powerful, but it means giving cert-manager an API key with permission to modify your DNS records, which can be a bit scary and complex to set up.
DNS Propagation Delays: A classic “it’s not cert-manager’s fault, but…” problem. When using the DNS01 challenge, you’re at the mercy of DNS propagation. Cert-manager will add the TXT record and then check, but if your DNS is slow to update, the check will fail.
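The debugging routine from the troubleshooting point above, plus a way to recognise the rate-limit, expired-API-key and propagation failures from the other three gotchas, as an added example that is not from the post: a shell script that walks the Certificate, CertificateRequest, Order and Challenge chain with kubectl and maps the message text to a next step. It assumes kubectl is on PATH with the cert-manager CRDs installed; the match patterns are heuristics built from the JWS error quoted above and the ACME rateLimited error type, and the describe output at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the post: walk the cert-manager resource chain for
# one Certificate and turn the usual failure messages into a next step.
# Assumes kubectl on PATH with the cert-manager CRDs installed; SAMPLE is
# constructed describe output, not a real capture.

# Certificate -> CertificateRequest -> Order -> Challenge. The real error is
# on the innermost object that is not Ready, so show the Certificate status
# and then list the rest of the chain in the same namespace.
cm_chain() {
  ns=$1; cert=$2
  kubectl -n "$ns" describe certificate "$cert" | sed -n '/^Status:/,$p'
  for kind in certificaterequest order challenge; do
    echo "=== $kind"
    kubectl -n "$ns" get "$kind" -o wide
  done
}

# Map one message to a hint. Case-insensitive substring matching, so it works
# on condition messages, Events and controller log lines alike. Heuristic.
cm_hint() {
  m=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$m" in
    *"jws verification error"*)
      echo "acme-account: issuer account key does not match the registered account; check privateKeySecretRef" ;;
    *ratelimited*|*"too many certificates"*|*"rate limit"*)
      echo "rate-limit: Let's Encrypt limit hit; wait it out and test against the staging server meanwhile" ;;
    *propagat*)
      echo "dns-propagation: TXT record not visible yet; confirm it exists at the provider and wait" ;;
    *unauthori[sz]ed*|*forbidden*|*"invalid token"*)
      echo "dns-credentials: DNS provider rejected the API token; rotate the Secret" ;;
    *) echo "unknown" ;;
  esac
}

# Read describe/log output on stdin and print a hint for every Message or
# Warning line that matches something known. Usage:
#   cm_chain apps wildcard-example | cm_scan
cm_scan() {
  grep -iE 'message:|warning' | while IFS= read -r line; do
    h=$(cm_hint "$line")
    [ "$h" = unknown ] || echo "$h"
  done
}

# Constructed sample of `kubectl describe certificate` output for offline use.
SAMPLE='Status:
  Conditions:
    Message:  Issuing certificate as Secret does not exist
    Reason:   DoesNotExist
Events:
  Type     Reason   Message
  Warning  Failed   Invalid new order :: JWS verification error'

printf '%s\n' "$SAMPLE" | cm_scan
```

On a live cluster, run cm_chain first and read the status block of the innermost object that is not Ready; cm_scan only shortcuts the common cases, and anything it reports as unknown still needs the full describe output.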
The Verdict & Rating
So, should you use cert-manager? Absolutely. Yes. 100%. The drawbacks are really just “things you have to learn.” The pain of troubleshooting a failed CertificateRequest once every six months is infinitely smaller than the constant, nagging pain of manually managing certificates. It’s one of those essential tools for a modern Kubernetes stack. It solves a very annoying problem, it does it for free, and it does it reliably 99% of the time. Just be prepared to learn how to debug it for that other 1% of the time.
5/5