cert-manager
Kubernetes-native certificate management and automatic TLS. cert-manager automates the issuance, renewal, and rotation of X.509 TLS certificates in Kubernetes clusters. Certificates, Issuers and ClusterIssuers are declared as Kubernetes CRDs and backed by Let's Encrypt (free, publicly trusted certificates via ACME), Vault PKI, a self-signed issuer, or a private CA whose key pair lives in a Secret. Widely deployed in production Kubernetes clusters to remove manual certificate handling and prevent certificate-expiry outages. CNCF graduated project.
Score Breakdown
🔒 Security
Apache 2.0, CNCF graduated. Mature project with a strong security track record. Issued private keys are written unencrypted (tls.key) into a Kubernetes Secret in the Certificate's namespace: enable etcd encryption at rest (or a KMS provider) and restrict who can read Secrets in those namespaces, since any principal with get or list on Secrets can exfiltrate every key cert-manager wrote there. ACME account keys and Vault or cloud DNS credentials live in Secrets as well. Let's Encrypt provides a publicly trusted CA; Vault PKI and the CA issuer cover private CAs.
Best When
You run Kubernetes and need automatic TLS certificate lifecycle management for Ingress resources, service mesh mTLS, or internal services.
Avoid When
You're not using Kubernetes — Certbot or cloud-native certificate managers (AWS ACM) are more appropriate.
Use Cases
- • Automatically provision and renew Let's Encrypt TLS certificates for Kubernetes Ingress resources — no more manual certificate management
- • Issue internal cluster certificates from Vault PKI or a private CA for service-to-service TLS (mTLS)
- • Automatically rotate certificates before expiry without human intervention — prevent certificate expiry outages
- • Provision certificates for Ingress controllers (nginx, Traefik) via cert-manager annotations — developers declare desired certificate in YAML
- • Issue SPIFFE X.509 SVIDs for workload identity via the cert-manager CSI driver for SPIFFE (csi-driver-spiffe), or act as the upstream CA for SPIRE through SPIRE's cert-manager UpstreamAuthority plugin
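Added example for the Vault PKI use case above (not manifests from the page or from the cert-manager project): an Issuer that authenticates to Vault with a Kubernetes service-account token, and a short-lived mTLS Certificate signed through it. The Vault address, the pki_int mount and its web-services role, the cert-manager-vault service account, the vault-ca Secret, the web namespace and the payments service are all assumptions.

```yaml
# Issuer authenticating to Vault via the Kubernetes auth method. Assumes (not on the page):
# a Vault Kubernetes auth role "cert-manager" bound to the cert-manager-vault service
# account in namespace web, and a PKI role pki_int/roles/web-services allowing
# *.web.svc.cluster.local with max_ttl >= 24h.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-vault
  namespace: web
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-pki
  namespace: web
spec:
  vault:
    server: https://vault.example.internal:8200
    path: pki_int/sign/web-services      # sign endpoint: Vault only ever sees the CSR
    caBundleSecretRef:                   # pin Vault's TLS CA instead of trusting system roots
      name: vault-ca
      key: ca.crt
    auth:
      kubernetes:
        role: cert-manager
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:               # cert-manager >= 1.12 mints a short-lived token via TokenRequest;
          name: cert-manager-vault       # the controller needs create on serviceaccounts/token (standard install grants it)
---
# Short-lived service certificate for mTLS between in-cluster services.
# The key is generated in-cluster, only a CSR goes to Vault, and the
# certificate is reissued with a fresh key 8h before expiry.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-mtls
  namespace: web
spec:
  secretName: payments-mtls-tls          # tls.crt, tls.key and ca.crt land here
  issuerRef:
    name: vault-pki
    kind: Issuer
  commonName: payments.web.svc.cluster.local
  dnsNames:
  - payments.web.svc.cluster.local
  - payments.web.svc
  duration: 24h                          # must fit inside the Vault role's max_ttl
  renewBefore: 8h
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always               # new key on every renewal, not just a new certificate
  usages:
  - digital signature
  - server auth
  - client auth                          # required for the client side of mTLS
```

Mount the resulting Secret into both the server and its callers; because the lifetime is one day, a revoked or leaked key is only useful for hours, and the Vault role (not cert-manager RBAC) is what bounds which SANs a namespace can obtain.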
Not For
- • Non-Kubernetes environments — cert-manager is Kubernetes-native; use Certbot or HashiCorp Vault directly for non-K8s environments
- • Code signing certificates or advanced certificate types — cert-manager focuses on TLS/mTLS certificates
- • Certificate discovery and inventory outside Kubernetes — cert-manager manages certs it issues, not pre-existing external certs
Interface
Authentication
cert-manager is driven entirely through Kubernetes CRDs, so Kubernetes RBAC is the auth model; there is no cert-manager-specific login. Toward issuers it authenticates with whatever the backend requires: an ACME account key (Let's Encrypt), Vault tokens, AppRole or Kubernetes auth, and cloud IAM credentials (or ambient credentials such as IRSA or workload identity) for DNS-01 validation.
Pricing
Apache 2.0, CNCF graduated. Completely free. Let's Encrypt certificates are also free. Enterprise support from Venafi and other vendors.
Agent Metadata
Known Gotchas
- ⚠ Let's Encrypt rate limits (50 certificates per registered domain per week, and 5 duplicate certificates for the same set of names per week) can block issuance in high-churn environments; develop against the staging endpoint (https://acme-staging-v02.api.letsencrypt.org/directory), which has much looser limits but issues certificates browsers do not trust
- ⚠ HTTP-01 ACME challenge requires public HTTP access to port 80 — clusters without public ingress must use DNS-01 challenge
- ⚠ DNS-01 challenge requires cert-manager access to DNS provider API — configure appropriate cloud IAM for Route53, CloudDNS, etc.
- ⚠ Certificate issuance is asynchronous: creating a Certificate only starts a chain of CertificateRequest, Order and Challenge resources (for ACME), so do not assume the Secret exists right away; wait on the Ready condition in status.conditions, and inspect the Issuing condition and status.failedIssuanceAttempts when it stalls
- ⚠ Wildcard certificates require DNS-01 challenge — HTTP-01 cannot issue wildcard certs
- ⚠ The cert-manager controller needs cluster-wide RBAC to create and update Secrets (the Helm chart and static manifests install the required ClusterRoles); if you ship a trimmed-down policy, confirm it can write Secrets in every namespace that holds Certificates. The converse also holds: anyone who can read Secrets in a namespace can read every private key cert-manager wrote there
- ⚠ Ingress annotation vs native Certificate resource: the cert-manager.io/issuer or cert-manager.io/cluster-issuer annotation makes ingress-shim create a Certificate named after the TLS secretName and owned by the Ingress, so the Certificate is deleted with the Ingress (the Secret is kept unless cert-manager runs with --enable-certificate-owner-ref=true). A hand-written Certificate is independent of any Ingress and is where key algorithm, rotation policy and usages are pinned explicitly
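Added example (not manifests from the page or from the cert-manager project) tying the gotchas above together: a staging ClusterIssuer with a DNS-01 solver for one zone and a default HTTP-01 solver, a wildcard Certificate that only DNS-01 can satisfy, and an Ingress using the annotation path. The domain example.com, the web namespace, the nginx ingress class, the Route53 hosted zone ID, the contact address and the app Service are assumptions.

```yaml
# Staging ClusterIssuer: use this while debugging solvers and manifests.
# For production, copy it with server: https://acme-v02.api.letsencrypt.org/directory
# and a different privateKeySecretRef (separate ACME account), and switch
# issuerRef / annotations over only after staging succeeds.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: security@example.com
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, stored in the cert-manager namespace
    solvers:
    # DNS-01 for names under example.com (most specific selector wins): works for
    # wildcards and for clusters with no public port 80. Uses ambient AWS credentials
    # (IRSA / instance role), which ClusterIssuers are allowed to use by default.
    - selector:
        dnsZones:
        - example.com
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: Z0123456789EXAMPLE    # assumed zone ID
    # Default HTTP-01 solver for everything else: cert-manager creates a temporary
    # Ingress on the nginx class, so port 80 must be reachable from the internet.
    - http01:
        ingress:
          ingressClassName: nginx             # cert-manager >= 1.12; older releases use "class: nginx"
---
# Explicit Certificate: a wildcard name, so only the DNS-01 solver can satisfy it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: web
spec:
  secretName: wildcard-example-com-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
  - "*.example.com"
  - example.com
  renewBefore: 720h                         # renew 30 days before the 90-day expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
---
# Annotation path: ingress-shim creates a Certificate named app-example-com-tls
# owned by this Ingress, so it is deleted with the Ingress; the Secret is kept
# unless cert-manager runs with --enable-certificate-owner-ref=true.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: web
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - app.example.com
    secretName: app-example-com-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app
            port:
              number: 8080
# Issuance is asynchronous; block on the Ready condition instead of assuming the Secret exists:
#   kubectl wait --for=condition=Ready certificate/wildcard-example-com -n web --timeout=300s
#   kubectl describe certificate wildcard-example-com -n web     # Issuing/Ready conditions and events
#   kubectl get certificaterequest,order,challenge -n web        # where a stuck ACME issuance is waiting
```

Keeping the DNS-01 solver scoped to one zone by selector means the Route53 credential only needs ChangeResourceRecordSets on that hosted zone; a solver without a selector becomes the default for every other name and should be the least privileged one.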
Scores are editorial opinions as of 2026-03-06.