@thezawzaw
Last active October 9, 2025 05:11

Automating TLS/SSL Cert Management with Cert-Manager on Kubernetes

This page describes how to set up Cert-manager and use it to generate TLS/SSL certificates automatically on Kubernetes.

Prerequisites

  • Kubernetes
  • Helm Package Manager Tool

Installation

Add the Cert-manager Helm repository:

$ helm repo add cert-manager https://charts.jetstack.io

Install the Cert-manager Helm chart:

$ helm install \
  cert-manager cert-manager/cert-manager \
  --set crds.enabled=true \
  --create-namespace --namespace cert-manager

Automate Generating Self-signed TLS/SSL Certs

Create a YAML manifest file named selfsigned-clusterissuer.yaml that defines a self-signed Cert-manager ClusterIssuer for the Kubernetes cluster.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-clusterissuer
spec:
  selfSigned: {}

Then, install it with the kubectl command-line tool.

$ kubectl apply -f selfsigned-clusterissuer.yaml

Then, reference this selfsigned-clusterissuer in your Ingress annotations so that Cert-manager generates the TLS/SSL secret automatically.

For example,

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: podinfo-dev
  namespace: dev
  annotations:
    # Required:
    # Use cert-manager clusterissuer you created previously.
    cert-manager.io/cluster-issuer: selfsigned-clusterissuer
    # Optional:
    # These optional annotations set the common name and organization name.
    cert-manager.io/common-name: podinfo-dev.example.io
    cert-manager.io/subject-organizations: "Org or Company Name"
spec:
  ingressClassName: nginx
  rules:
    - host: podinfo-dev.example.io
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: podinfo-dev
                port:
                  name: http
  tls:
    - hosts:
        - podinfo-dev.example.io
      # Just need to set the secret name
      # and then, cert-manager will automatically generate and manage this TLS secret.
      secretName: tls-secret-selfsigned-podinfo-io

Apply this Ingress manifest with the kubectl command-line tool. Cert-manager will then automatically create the TLS secret you named.

$ kubectl apply -f ingress-podinfo-dev.yaml
Successfully created Certificate "tls-secret-selfsigned-podinfo-io"

Certificate Information:

Common Name (CN): podinfo-dev.example.io
Issuer: podinfo-dev.example.io
Serial Number: 1f8d3d5523c1ff08ccb07435af1761d2
Not before: 2025-09-22T09:21:55+08:00
Expires: In 89d (2025-12-21T09:21:55+08:00)

How it Works

You just need to set the TLS secret name in the Ingress and reference your Cert-manager ClusterIssuer in its annotations.

Cert-manager will then automatically generate and manage the tls-secret-selfsigned-podinfo-io TLS secret, and it will renew the certificate automatically before it expires.
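
The Certificate resource that Cert-manager derives from the annotated Ingress above can also be written out explicitly, which makes the lifetime and renewal window visible and reviewable. This is an added example, not part of the original gist; the duration, renewBefore, privateKey and usages values are assumptions chosen for illustration.

```yaml
# Added example (not from the original gist).
# Explicit equivalent of the Certificate that cert-manager creates
# from the Ingress annotations and tls section shown earlier.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # For annotated Ingresses, the Certificate is named after the tls secretName.
  name: tls-secret-selfsigned-podinfo-io
  namespace: dev
spec:
  # Secret that receives tls.crt and tls.key; the Ingress tls section points here.
  secretName: tls-secret-selfsigned-podinfo-io
  # From cert-manager.io/common-name
  commonName: podinfo-dev.example.io
  # From cert-manager.io/subject-organizations
  subject:
    organizations:
      - "Org or Company Name"
  # From spec.tls[].hosts in the Ingress
  dnsNames:
    - podinfo-dev.example.io
  # From cert-manager.io/cluster-issuer
  issuerRef:
    name: selfsigned-clusterissuer
    kind: ClusterIssuer
    group: cert-manager.io
  # Assumed values: 90-day lifetime, renewal starting 30 days before expiry.
  duration: 2160h
  renewBefore: 720h
  # Assumed values: ECDSA P-256 key, regenerated on every renewal.
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
  # Assumed values: restrict the certificate to TLS server use.
  usages:
    - digital signature
    - server auth
# Check issuance and the next renewal time with:
#   kubectl -n dev describe certificate tls-secret-selfsigned-podinfo-io
```

Use either the annotation on the Ingress or an explicit Certificate like this one for a given secret, not both, so that only one resource manages it. Because the issuer is self-signed, clients will not trust the resulting certificate unless it is explicitly added to their trust store.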
