Configure cert-manager Issuers & ClusterIssuers for Secure Kubernetes
This guide walks you through the fundamentals of cert-manager in Kubernetes, explaining the difference between Issuer and ClusterIssuer, and provides step‑by‑step commands to create self‑signed, CA, and ACME issuers, verify them, and reference official documentation for secure certificate automation.
With the rise of cloud‑native technologies, ensuring the security of applications and services is essential. cert-manager is a popular tool that automates the management and renewal of TLS/SSL certificates.
Understanding Issuer and ClusterIssuer
Before starting, it is important to understand the two concepts of Issuer and ClusterIssuer:
Issuer is a namespace‑scoped resource that defines how certificate requests within a specific namespace should be handled.
ClusterIssuer is a cluster‑wide resource suitable for scenarios that require the same configuration across multiple namespaces.
For most cases, using a ClusterIssuer simplifies management and maintenance.
Creating Issuers (ClusterIssuer)
Several issuer types are available:
Self‑signed issuer
CA issuer
ACME issuer
Self‑signed Issuer
1. Create a self‑signed ClusterIssuer:
<code>$ cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
EOF</code>
2. Verify the issuer:
<code>$ kubectl get clusterissuer selfsigned-cluster-issuer
NAME                        READY   AGE
selfsigned-cluster-issuer   True    25m</code>
CA Issuer
1. Create a self‑signed issuer (same as above) to generate a CA certificate.
<code>$ cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
EOF</code>
2. Create a CA certificate:
<code>$ cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ca-clusterissuer-cert
  namespace: kube-system
spec:
  isCA: true
  commonName: jiaxzeng_SelfsignedCa
  secretName: ca-clusterissuer-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io
EOF</code>
3. View the CA certificate and its secret:
<code>$ kubectl -n kube-system get cert ca-clusterissuer-cert
NAME                    READY   SECRET                    AGE
ca-clusterissuer-cert   True    ca-clusterissuer-secret   19s
$ kubectl -n kube-system get secret ca-clusterissuer-secret
NAME                      TYPE                DATA   AGE
ca-clusterissuer-secret   kubernetes.io/tls   3      35s</code>
4. Create the CA ClusterIssuer:
<code>$ cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-cluster-issuer
spec:
  ca:
    secretName: ca-clusterissuer-secret
EOF</code>
5. Verify the CA ClusterIssuer:
<code>$ kubectl get clusterissuer ca-cluster-issuer
NAME                READY   AGE
ca-cluster-issuer   True    12s</code>
Reference Documentation
Self‑signed certificates: https://cert-manager.io/docs/configuration/selfsigned/
CA certificates: https://cert-manager.io/docs/configuration/ca/
ACME certificates: https://cert-manager.io/docs/configuration/acme/
By following these steps, you can configure an effective certificate management solution for your Kubernetes cluster, enhancing application security while reducing maintenance overhead.
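The CA setup above chains three objects (self-signed ClusterIssuer, CA Certificate, CA ClusterIssuer backed by the Certificate's Secret), and a mis-wired reference only shows up as a ClusterIssuer that never becomes Ready. The Python below is an added example, not part of this guide or of cert-manager: it walks the manifests (mirrored here as dicts) and flags an issuerRef that does not resolve, a CA key below an assumed local policy floor, a leaf issued straight from the selfSigned issuer, and a CA Secret stored outside the namespace cert-manager reads ClusterIssuer secrets from. That namespace is the cluster resource namespace, which defaults to the namespace cert-manager is installed in and is set with `--cluster-resource-namespace`; this guide keeps the Secret in kube-system, so the check is run with that value.

```python
# Constructed manifests mirroring the guide's YAML, as dicts to avoid a YAML parser.
MANIFESTS = [
    {"kind": "ClusterIssuer", "metadata": {"name": "selfsigned-cluster-issuer"},
     "spec": {"selfSigned": {}}},
    {"kind": "Certificate",
     "metadata": {"name": "ca-clusterissuer-cert", "namespace": "kube-system"},
     "spec": {"isCA": True, "secretName": "ca-clusterissuer-secret",
              "privateKey": {"algorithm": "ECDSA", "size": 256},
              "issuerRef": {"name": "selfsigned-cluster-issuer", "kind": "ClusterIssuer"}}},
    {"kind": "ClusterIssuer", "metadata": {"name": "ca-cluster-issuer"},
     "spec": {"ca": {"secretName": "ca-clusterissuer-secret"}}},
]

# Assumed local policy floor per key algorithm (not a cert-manager default).
MIN_KEY_SIZE = {"ECDSA": 256, "RSA": 2048, "Ed25519": 0}


def check_issuer_chain(manifests, cluster_resource_namespace="cert-manager"):
    """Return findings as strings; an empty list means the chain is wired safely."""
    findings = []
    issuers = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "ClusterIssuer"}
    certs = [m for m in manifests if m["kind"] == "Certificate"]
    by_secret = {c["spec"]["secretName"]: c for c in certs}  # secret -> producing Certificate

    for c in certs:
        name, ns = c["metadata"]["name"], c["metadata"].get("namespace", "default")
        ref = c["spec"].get("issuerRef", {})
        if ref.get("kind", "Issuer") != "ClusterIssuer" or ref.get("name") not in issuers:
            findings.append(f"{ns}/{name}: issuerRef {ref} does not resolve to a known ClusterIssuer")
            continue
        pk = c["spec"].get("privateKey", {})
        algo, size = pk.get("algorithm", "RSA"), pk.get("size", 2048)  # cert-manager defaults
        if c["spec"].get("isCA") and size < MIN_KEY_SIZE.get(algo, float("inf")):
            findings.append(f"{ns}/{name}: CA key {algo}-{size} is below the policy minimum")
        if not c["spec"].get("isCA") and "selfSigned" in issuers[ref["name"]]["spec"]:
            findings.append(f"{ns}/{name}: leaf issued by a selfSigned issuer; clients share no trust anchor")

    for name, iss in issuers.items():
        if "ca" not in iss["spec"]:
            continue
        secret = iss["spec"]["ca"]["secretName"]
        producer = by_secret.get(secret)
        if producer is None:
            findings.append(f"ClusterIssuer {name}: secret {secret} is not produced by any Certificate")
        elif not producer["spec"].get("isCA"):
            findings.append(f"ClusterIssuer {name}: secret {secret} holds a non-CA certificate")
        elif producer["metadata"].get("namespace") != cluster_resource_namespace:
            findings.append(f"ClusterIssuer {name}: secret {secret} lives in "
                            f"{producer['metadata']['namespace']} but ClusterIssuers read {cluster_resource_namespace}")
    return findings
```

Run `check_issuer_chain(MANIFESTS, "kube-system")` against the guide's objects to get no findings; with the default namespace it reports the Secret as unreachable, which is the symptom behind a CA ClusterIssuer stuck at READY False.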
Linux Ops Smart Journey
The operations journey never stops—pursuing excellence endlessly.