SSL/TLS Module (Cert-Manager)

Complete guide to deploying and managing SSL/TLS certificates with automatic renewal, Let’s Encrypt integration, and certificate lifecycle management.

🏗️ Overview

The Cert-Manager module provides automated certificate management for Kubernetes clusters. It handles the issuance, renewal, and lifecycle management of SSL/TLS certificates from various certificate authorities, with seamless integration to Let’s Encrypt for free certificates.

Architecture Components

Cert-Manager Deployment:
├── Cert-Manager Controller
├── Webhook Server
├── CA Injector
├── Cluster Issuers
├── Certificate Resources
├── HTTP-01 Challenge Solver
└── DNS-01 Challenge Solver

🚀 Features

Automated Certificate Management

Automatic Issuance: Request and obtain certificates automatically
Auto-Renewal: Proactive certificate renewal before expiration
Lifecycle Management: Complete certificate lifecycle handling
Multiple CAs: Support for Let’s Encrypt, self-signed, and custom CAs

Let’s Encrypt Integration

Free Certificates: Zero-cost SSL/TLS certificates
HTTP-01 Challenges: Domain validation via HTTP challenges
DNS-01 Challenges: Domain validation via DNS challenges
Rate Limiting: Built-in rate limit handling

Advanced Features

Wildcard Certificates: Support for wildcard domain certificates
Certificate Storage: Secure certificate storage in Kubernetes secrets
Monitoring: Certificate status monitoring and alerting
Webhook Integration: Custom validation and approval workflows

📦 Deployment Configuration

Helmfile Configuration

The Cert-Manager deployment uses Helmfile for environment management:

repositories:
  - name: jetstack
    url: "https://charts.jetstack.io"

releases:
  - name: cert-manager
    namespace: cert-manager
    createNamespace: true
    chart: jetstack/cert-manager
    version: v1.17.2

  - name: issuer
    chart: ./ssl-middleware
    namespace: default
    values:
      - email: [email protected]

Core Configuration Values

email: [email protected]

Cluster Issuer Configuration

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
  annotations:
    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "0"
spec:
  acme:
    email: { { .Values.email } }
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik

Middleware Configuration

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
spec:
  redirectScheme:
    scheme: https
    permanent: true

🔧 Certificate Configuration

Certificate Resource

# Example certificate request
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myapp-cert
  namespace: default
spec:
  secretName: myapp-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - myapp.example.com
    - www.myapp.example.com
  duration: 2160h # 90 days
  renewBefore: 360h # 15 days

Ingress Integration

# Ingress with automatic certificate
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt"
    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - myapp.example.com
      secretName: myapp-tls
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp-service
                port:
                  number: 80

Wildcard Certificate

# Wildcard certificate with DNS-01 challenge
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
spec:
  secretName: wildcard-tls
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
  dnsNames:
    - "*.example.com"
    - example.com

📊 Monitoring & Metrics

Health Checks

# Check Cert-Manager service status
kubectl get pods -n cert-manager -l app.kubernetes.io/name=cert-manager

# Check service endpoints
kubectl get endpoints -n cert-manager -l app.kubernetes.io/name=cert-manager

# Test Cert-Manager API
kubectl get crd | grep cert-manager

Certificate Status

# List all certificates
kubectl get certificates --all-namespaces

# Check certificate status
kubectl describe certificate myapp-cert -n default

# View certificate events
kubectl get events --field-selector involvedObject.name=myapp-cert -n default

# Check certificate secret
kubectl get secret myapp-tls -n default -o yaml

Cluster Issuer Status

# List cluster issuers
kubectl get clusterissuer

# Check issuer status
kubectl describe clusterissuer letsencrypt

# View issuer events
kubectl get events --field-selector involvedObject.name=letsencrypt

Performance Monitoring

# Check resource usage
kubectl top pods -n cert-manager -l app.kubernetes.io/name=cert-manager

# Monitor certificate renewals
kubectl get events --field-selector reason=Renewed -n default

# Check for failed certificate requests
kubectl get events --field-selector reason=Failed -n default

Log Analysis

# View Cert-Manager logs
kubectl logs -n cert-manager -l app.kubernetes.io/name=cert-manager

# Follow logs in real-time
kubectl logs -f -n cert-manager deployment/cert-manager

# Check for errors
kubectl logs -n cert-manager -l app.kubernetes.io/name=cert-manager | grep ERROR

🚀 Deployment

Deploy Cert-Manager Module

# Navigate to module directory
cd iac/modules/cert-manager

# Install CRDs first
task install

# Deploy using Helmfile
helmfile apply

# Verify deployment
kubectl get pods -n cert-manager
kubectl get pods -n default -l app.kubernetes.io/name=issuer

Verify Deployment

# Check pod status
kubectl get pods -n cert-manager -l app.kubernetes.io/name=cert-manager

# Verify CRDs installed
kubectl get crd | grep cert-manager

# Check cluster issuer
kubectl get clusterissuer letsencrypt

# Test certificate issuance
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-cert
spec:
  secretName: test-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - test.example.com
EOF

Post-Deployment Setup

# Verify cluster issuer is ready
kubectl describe clusterissuer letsencrypt

# Check for any pending certificates
kubectl get certificates --all-namespaces

# Monitor certificate events
kubectl get events --field-selector involvedObject.kind=Certificate

🔧 Maintenance Operations

Certificate Management

# List all certificates
kubectl get certificates --all-namespaces

# Check certificate details
kubectl describe certificate myapp-cert -n default

# Force certificate renewal
kubectl patch certificate myapp-cert -n default -p '{"spec":{"renewBefore":"720h"}}'

# Delete certificate
kubectl delete certificate myapp-cert -n default

Cluster Issuer Management

# List cluster issuers
kubectl get clusterissuer

# Update cluster issuer
kubectl patch clusterissuer letsencrypt -p '{"spec":{"acme":{"email":"[email protected]"}}}'

# Check issuer status
kubectl describe clusterissuer letsencrypt

Certificate Cleanup

# List all certificate secrets
kubectl get secrets --all-namespaces | grep tls

# Clean up expired certificates
kubectl get certificates --all-namespaces -o json | \
  jq '.items[] | select(.status.conditions[].status == "False") | .metadata.name'

# Delete unused certificate secrets
kubectl delete secret unused-tls -n default

Update Operations

# Update Cert-Manager version
helmfile apply

# Monitor update progress
kubectl rollout status deployment/cert-manager -n cert-manager

# Rollback if needed
kubectl rollout undo deployment/cert-manager -n cert-manager

🚨 Troubleshooting

Common Issues

1. Certificate Issuance Problems

# Check certificate status
kubectl describe certificate myapp-cert -n default

# View certificate events
kubectl get events --field-selector involvedObject.name=myapp-cert -n default

# Check challenge status
kubectl get challenges --all-namespaces

# Verify ingress configuration
kubectl describe ingress myapp-ingress -n default

2. HTTP-01 Challenge Issues

# Check challenge pod
kubectl get pods --all-namespaces | grep cm-acme-http-solver

# Check challenge service
kubectl get services --all-namespaces | grep cm-acme-http-solver

# Verify ingress configuration
kubectl get ingress --all-namespaces -o yaml | grep -A 10 -B 10 cm-acme-http-solver

# Test challenge endpoint
curl -I http://myapp.example.com/.well-known/acme-challenge/test

3. DNS-01 Challenge Issues

# Check DNS provider configuration
kubectl describe clusterissuer letsencrypt-dns

# Verify DNS records
dig TXT _acme-challenge.example.com

# Check DNS provider credentials
kubectl get secret cloudflare-api-token -n cert-manager -o yaml

4. Rate Limiting Issues

# Check Let's Encrypt rate limits
kubectl get events --field-selector reason=RateLimited

# Monitor certificate requests
kubectl get certificates --all-namespaces

# Check for duplicate requests
kubectl get orders --all-namespaces

Recovery Procedures

Emergency Recovery

# Force delete stuck certificates
kubectl delete certificate myapp-cert -n default --grace-period=0 --force

# Restart Cert-Manager
kubectl rollout restart deployment/cert-manager -n cert-manager

# Clear challenge resources
kubectl delete challenges --all --all-namespaces
kubectl delete orders --all --all-namespaces

# Verify recovery
kubectl get certificates --all-namespaces

🔒 Security Configuration

Network Security

# Network policy for Cert-Manager
networkPolicy:
  enabled: true
  allowExternal: true
  egressRules:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16

RBAC Configuration

# Service account permissions
serviceAccount:
  create: true
  annotations: {}
  automountServiceAccountToken: true

# RBAC rules
rbac:
  create: true
  rules:
    - apiGroups: ["cert-manager.io"]
      resources: ["certificates", "certificaterequests", "issuers"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Certificate Security

# Certificate security settings
certificate:
  duration: 2160h # 90 days
  renewBefore: 360h # 15 days
  keyAlgorithm: RSA
  keySize: 2048
  keyEncoding: PKCS1

📝 Configuration Examples

Production Configuration

# Production-ready configuration
replicaCount: 2

resources:
  requests:
    memory: 256Mi
    cpu: 100m
  limits:
    memory: 512Mi
    cpu: 200m

# High availability
podDisruptionBudget:
  enabled: true
  minAvailable: 1

# Monitoring
metrics:
  enabled: true
  serviceMonitor:
    enabled: true

Staging Configuration

# Staging environment with Let's Encrypt staging
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik

Custom CA Configuration

# Custom certificate authority
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: custom-ca
spec:
  ca:
    secretName: custom-ca-secret

🔄 Maintenance Schedule

Daily Tasks

Monitor certificate status
Check for failed renewals
Review certificate events
Verify cluster health

Weekly Tasks

Analyze certificate metrics
Review certificate inventory
Update issuer configurations
Check for updates

Monthly Tasks

Certificate inventory audit
Security review
Performance optimization
Disaster recovery testing

📋 Operational Checklist

Pre-Deployment

Post-Deployment

Regular Maintenance

Ingress Configuration - SSL/TLS integration
Security Guide - Certificate security
Monitoring Guide - Certificate monitoring
Troubleshooting Guide - Certificate issues

The Cert-Manager SSL/TLS module provides automated certificate management with Let’s Encrypt integration and comprehensive lifecycle management.