Komodor is a Kubernetes management platform that empowers everyone from Platform engineers to Developers to stop firefighting, simplify operations and proactively improve the health of their workloads and infrastructure.
Proactively detect & remediate issues in your clusters & workloads.
Easily operate & manage K8s clusters at scale.
Reduce costs without compromising on performance.
Empower developers with self-service K8s troubleshooting.
Simplify and accelerate K8s migration for everyone.
Fix things fast with AI-powered root cause analysis.
Explore our K8s guides, e-books and webinars.
Learn about K8s trends & best practices from our experts.
Listen to K8s adoption stories from seasoned industry veterans.
The missing UI for Helm – a simplified way of working with Helm.
Visualize Crossplane resources and speed up troubleshooting.
Validate, clean & secure your K8s YAMLs.
Navigate the community-driven K8s ecosystem map.
Kubernetes 101: A comprehensive guide
Expert tips for debugging Kubernetes
Tools and best practices
Kubernetes monitoring best practices
Understand Kubernetes & Container exit codes in simple terms
Exploring the building blocks of Kubernetes
Cost factors, challenges and solutions
Kubectl commands at your fingertips
Understanding K8s versions & getting the latest version
Rancher overview, tutorial and alternatives
Kubernetes management tools: Lens vs alternatives
Troubleshooting and fixing 5xx server errors
Solving common Git errors and issues
Who we are, and our promise for the future of K8s.
Have a question for us? Write us.
Come aboard the K8s ship – we’re hiring!
Hear’s what they’re saying about Komodor in the news.
cert-manager is an open-source Kubernetes add-on that automates the management and issuance of x.509 certificates. It simplifies the process of securing applications by automatically obtaining and renewing TLS certificates from various certificate authorities (CAs).
This tool ensures that certificates are always up-to-date and valid, which is crucial for maintaining secure communications within a Kubernetes cluster.
cert-manager has over 11K GitHub stars, over 440 contributors, and has been managed by the Cloud Native Computing Foundation (CNCF) since 2020. In 2022, it was moved to the Incubating maturity level.
You can get cert-manager from the official GitHub repo.
Image source: GitHub
This is part of a series of articles about Kubernetes management
x.509 certificates and machine identities help ensure data integrity and confidentiality by encrypting the data transmitted between services in a Kubernetes cluster. Machine identities are used by devices and applications to prove their authenticity in automated processes, with x.509 certificates serving as proof.
x.509
Managing these certificates manually can be cumbersome and error-prone, especially considering that Kubernetes clusters are dynamic environments where services are frequently created and updated.
cert-manager is a Kubernetes add-on that automates the management and issuance of these certificates. By integrating directly with Kubernetes, cert-manager simplifies the process of obtaining, renewing, and deploying certificates from various certificate authorities (CAs). This automation reduces the administrative burden on developers and operators, ensuring that services within the cluster always have up-to-date and valid certificates.
Itiel Shwartz
Co-Founder & CTO
In my experience, here are tips that can help you better manage K8s machine identities with cert-manager:
Use `Issuer` for namespace-specific certificates and `ClusterIssuer` for cluster-wide certificates to maintain separation of concerns.
Define policies for certificate lifetimes, renewal windows, and key sizes to ensure compliance and security.
Use Kubernetes secrets to store CA credentials securely and ensure they are encrypted at rest and in transit.
Use Helm charts to automate cert-manager deployments, ensuring consistent and repeatable configurations across environments.
Integrate with external issuers like HashiCorp Vault for more flexible and secure certificate management.
Key features of cert-manager include:
cert-manager automates the process of issuing certificates by interacting with various CAs. When a certificate is needed, cert-manager generates a Certificate Signing Request (CSR) and submits it to the configured CA. Once the CA validates the request, it issues a certificate that cert-manager then makes available for use within the Kubernetes cluster. This process can be triggered by annotations on Kubernetes resources, allowing for seamless integration and automation.
cert-manager continuously monitors the expiration dates of certificates and automatically renews them before they expire. It uses predefined renewal periods to ensure that certificates are updated without manual intervention. This proactive approach prevents downtime and security risks associated with expired certificates, ensuring that applications remain secure and operational.
cert-manager supports the Automatic Certificate Management Environment (ACME) protocol, which is widely used for automating the process of obtaining SSL/TLS certificates. Through ACME, cert-manager can request certificates from ACME-compliant CAs, such as Let’s Encrypt. This support allows for the automated issuance and renewal of certificates, reducing the administrative burden of managing certificates manually.
cert-manager works seamlessly with Kubernetes, using Kubernetes resources to manage certificates. It integrates with Kubernetes Custom Resource Definitions (CRDs) to define certificates, issuers, and other related resources. This allows cert-manager to automatically inject certificates into Kubernetes secrets, which can then be used by other Kubernetes resources like Ingress controllers and pods, ensuring secure communication across the cluster.
cert-manager operates as a Kubernetes controller that continuously watches for certificate-related resources. When it detects a resource requiring a certificate, it follows these steps:
This tutorial is adapted from the official cert-manager documentation.
To use cert-manager, you need to have:
gcloud
kubectl
curl
First, initialize gcloud and set up your Google Cloud project by running gcloud init.
gcloud init
During initialization, set the default Compute Region and Zone. The command will display your project name, default region, and zone.
Compute Region
Zone
Export these values for later use:
export PROJECT=example-project export REGION=US-east-1
Create a Kubernetes cluster using the following commands:
export CLUSTER=test-cluster-1 gcloud container clusters create $CLUSTER --preemptible --num-nodes=1 gcloud components install gke-gcloud-auth-plugin export USE_GKE_GCLOUD_AUTH_PLUGIN=True gcloud container clusters get-credentials $CLUSTER
Verify cluster creation using:
kubectl get nodes -o wide
Start by deploying a sample web server and exposing it:
kubectl create deployment web --image=gcr.io/google-samples/hello-app:1.0kubectl expose deployment web --port=8080
Reserve a static IP address for your website:
gcloud compute addresses create web-ip --global gcloud compute addresses list gcloud compute addresses describe web-ip --format='value(address)' --global export IP_ADDRESS=194.20.100.1
Purchase a domain and create an A record pointing to your IP address. Save the domain name in an env variable:
A
env
export DOMAIN_NAME=myapp.net
Create an Ingress to route traffic to your web server:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: web-ingress annotations: kubernetes.io/ingress.class: gce kubernetes.io/ingress.allow-http: "true" kubernetes.io/ingress.global-static-ip-name: web-ip spec: defaultBackend: service: name: web port: number: 8080
Apply the Ingress configuration:
kubectl apply -f ingress.yaml
Verify connectivity:
curl http://$DOMAIN_NAME
Install cert-manager using kubectl:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml kubectl -n cert-manager get all
Create an Issuer Resource for the Staging ServerIn this example, we’ll be using a Let’s Encrypt’s staging environment. To create an Issuer for this environment:
apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: letsencrypt-staging spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory email: <my-email-address> privateKeySecretRef: name: letsencrypt-staging solvers: - http01: ingress: name: web-ingress
Apply the Issuer configuration:
kubectl apply -f issuer-lets-encrypt-staging.yaml
Create an empty secret for the SSL certificate:
apiVersion: v1 kind: Secret metadata: name: web-ssl type: kubernetes.io/tls stringData: tls.key: "" tls.crt: ""
Apply the secret configuration:
kubectl apply -f secret.yaml
Update the Ingress resource to use SSL:
# Update ingress.yaml metadata: annotations: cert-manager.io/issuer: letsencrypt-staging spec: tls: - secretName: web-ssl hosts: - $DOMAIN_NAME
Apply the updated Ingress configuration:
Verify the SSL connection:
curl -v --insecure https://$DOMAIN_NAME
Create an Issuer for the Let’s Encrypt’s production environment:
apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: letsencrypt-production spec: acme: server: https://acme-v02.api.letsencrypt.org/directory email: <my-email-address> privateKeySecretRef: name: letsencrypt-production solvers: - http01: ingress: name: web-ingress
Apply the production Issuer configuration:
kubectl apply -f issuer-lets-encrypt-production.yaml kubectl annotate ingress web-ingress cert-manager.io/issuer=letsencrypt-production --overwrite
Verify the production SSL certificate:
curl -v https://$DOMAIN_NAME
You should now be able to access your website securely via HTTPS.
Komodor is the Continuous Kubernetes Reliability Platform, designed to democratize K8s expertise across the organization and enable engineering teams to leverage its full value.
Komodor’s platform empowers developers to confidently monitor and troubleshoot their workloads while allowing cluster operators to enforce standardization and optimize performance. Specifically when working in a hybrid environment, Komodor reduces the complexity by providing a unified view of all your services and clusters.
By leveraging Komodor, companies of all sizes significantly improve reliability, productivity, and velocity. Or, to put it simply – Komodor helps you spend less time and resources on managing Kubernetes, and more time on innovating at scale.
If you are interested in checking out Komodor, use this link to sign up for a Free Trial.
Share:
How useful was this post?
Click on a star to rate it!
Average rating 5 / 5. Vote count: 5
No votes so far! Be the first to rate this post.
and start using Komodor in seconds!
