Set Up cert-manager
Auto TLS.
Overview
cert-manager takes the expired-certificate incident out of routine Kubernetes operations. Certificates are issued automatically from ACME, Vault, or internal CAs; renewed well before expiry; and wired to ingress through annotations. Every team that runs Kubernetes for long enough produces a cert-expiry incident; cert-manager is how the team stops producing them, provided someone also watches the automation itself.
- Automated TLS. Issuance from ACME (Let’s Encrypt), Vault, or internal CAs. No human in the cert path.
- Renewal before expiry. Certs renew automatically. The 3am cert-expired page disappears.
- Certificate CRD. Declarative cert config. GitOps-friendly; reviewable in PRs.
- Issuer CRDs plus ingress integration. Per-namespace or cluster-wide issuers; ingress annotations trigger cert issuance automatically.
The approach
Four habits make cert-manager produce real TLS automation: install via Helm, Let’s Encrypt for public domains, an internal CA for private services, and monitoring on cert expiry to catch automation failures.
- helm install cert-manager. Standard Helm install, CRDs included. Starts the automation.
- Let’s Encrypt for public domains. ACME-based issuance. Free, automated, short-lived 90-day certs. Test against the staging endpoint first; production rate limits bite when a misconfigured issuer loops on failed challenges.
- Internal CA for private services. Vault PKI or a self-signed CA for internal services that should not carry public certs (public issuance also publishes the hostname to Certificate Transparency logs).
- Ingress annotations plus expiry monitoring. The cert-manager.io/cluster-issuer annotation triggers issuance for the hosts in the ingress TLS block; alert on any cert nearing expiry or stuck not Ready, so a silently failed renewal is caught weeks before it becomes an outage.
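The four habits above as one set of manifests. This is an added example, not configuration from the page or from the cert-manager project; it assumes cert-manager is already installed from the jetstack Helm chart with CRDs enabled and its Prometheus metrics scraped, an NGINX ingress class, a Prometheus Operator for the PrometheusRule, and a Secret named internal-ca-root (tls.crt/tls.key) in the cert-manager namespace. All names, domains and the email address are hypothetical.

```yaml
# Added example (assumptions: cert-manager installed via Helm with CRDs, NGINX ingress
# class, Prometheus Operator present, Secret internal-ca-root in namespace cert-manager).
# Names, domains and addresses below are hypothetical.

# 1. Public issuer: ACME via Let's Encrypt, HTTP-01 through the ingress controller.
#    Point `server` at https://acme-staging-v02.api.letsencrypt.org/directory while
#    testing; staging has no meaningful rate limit and its certs are untrusted by browsers.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform@example.com            # hypothetical; receives expiry mail from the CA
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, created by cert-manager
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
---
# 2. Private issuer: an internal CA whose key never leaves the cluster-resource namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-ca-root           # must live in the cert-manager namespace
---
# 3. Declarative cert for an internal service, renewed 30 days before its 90-day expiry.
#    rotationPolicy: Always issues a fresh private key on every renewal; older cert-manager
#    releases default to Never, which silently reuses the same key for years.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-internal
  namespace: payments
spec:
  secretName: payments-internal-tls
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
  dnsNames:
  - payments.payments.svc
  - payments.payments.svc.cluster.local
  duration: 2160h                          # 90 days
  renewBefore: 720h                        # 30 days
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
---
# 4. Public ingress: the annotation alone makes cert-manager create a Certificate for the
#    hosts listed under spec.tls and store it in the named Secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  namespace: api
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - api.example.com
    secretName: api-example-com-tls
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api
            port:
              number: 8080
---
# 5. Watch the automation: page when renewal has not happened 14 days out (renewBefore is
#    30 days, so this fires only if renewal is failing), and when a Certificate is stuck
#    not Ready (bad DNS, blocked HTTP-01 path, missing CA secret, rate-limited issuer).
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: cert-manager-expiry
  namespace: cert-manager
spec:
  groups:
  - name: cert-manager
    rules:
    - alert: CertManagerCertRenewalOverdue
      expr: (certmanager_certificate_expiration_timestamp_seconds - time()) < 14 * 24 * 3600
      for: 1h
      labels:
        severity: warning
      annotations:
        summary: "{{ $labels.namespace }}/{{ $labels.name }} expires in under 14 days; renewal is not happening"
    - alert: CertManagerCertNotReady
      expr: certmanager_certificate_ready_status{condition="False"} == 1
      for: 1h
      labels:
        severity: warning
      annotations:
        summary: "{{ $labels.namespace }}/{{ $labels.name }} is not Ready; check `kubectl describe certificate`"
```

The two alert thresholds are deliberately tied to the Certificate's own `renewBefore`: if the alert window is wider than the renewal window the alert fires on every healthy cert, and if it is narrower than the remaining lifetime after a failed renewal nobody finds out until the cert is already expired.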
Why this compounds
Each automated cert removes operational toil. The team’s TLS hygiene improves; new services inherit the cert-manager pipeline on day one; the cert-expiry incident class disappears from the postmortem record.
- Cert incidents drop toward zero. Automated rotation removes the expired-cert page; what remains is the renewal that silently failed, and the expiry alert turns that into a ticket instead of an outage.
- Operational toil drops. No manual cert tracking. Engineering time stays on real work.
- TLS posture sharpens. All ingress paths have certs. Audit findings shrink.
- Year-one investment, year-two habit. First install is investment. By year two, cert-manager is part of every cluster template.