# cert-manager/cert-manager

13,578 stars · 2,312 forks · Go · apache-2.0

## Links

- GitHub: https://github.com/cert-manager/cert-manager
- Homepage: https://cert-manager.io
- awesome-repositories: https://awesome-repositories.com/repository/cert-manager-cert-manager.md

## Topics

`certificate` `crd` `hacktoberfest` `kubernetes` `letsencrypt` `tls`

## Description

This project is a Kubernetes controller that automates the issuance, renewal, and lifecycle management of TLS certificates. It functions as a native extension to the cluster API, using custom resource definitions and reconciliation loops to maintain the desired state of certificates and trust bundles across distributed services. By integrating directly with the cluster's admission control and secret storage systems, it ensures that cryptographic identities are consistently provisioned and available for application workloads.

The project distinguishes itself through its extensive support for automated domain validation and multi-provider integration. It orchestrates complex challenge processes—including those for private or split-horizon networks—to prove domain ownership without manual intervention. Beyond standard certificate management, it provides granular policy enforcement, allowing administrators to restrict issuance permissions, delegate certificate requests to specific service accounts, and enforce security requirements through custom metadata and issuer configurations.

The platform covers a broad capability surface for securing network traffic and service communication. It supports diverse issuance workflows, ranging from public certificate authorities and ACME-based automation to private internal PKI infrastructures. The system also includes robust observability tools, such as operational metrics and status inspection, alongside administrative features for managing resource configurations, performing API migrations, and scaling controller components for high-availability environments.

Installation and management are facilitated through standard cluster deployment workflows, with comprehensive command-line tools available for troubleshooting, configuration export, and lifecycle verification.

## Tags

### Security & Cryptography

- [TLS Certificate Management](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/security-infrastructure/tls-certificate-management.md) — Automates the issuance, renewal, and lifecycle management of TLS certificates within Kubernetes clusters.
- [ACME Validation Strategies](https://awesome-repositories.com/f/security-cryptography/cryptography/ssl-tls-certificate-management/automated-https-management/acme-validation-strategies.md) — Automates domain ownership verification using HTTP or DNS challenges for secure certificate issuance.
- [Certificate Authority Management](https://awesome-repositories.com/f/security-cryptography/certificate-authority-management.md) — Establishes root certificates using self-signed logic to serve as the foundation for internal certificate authorities. ([source](https://cert-manager.io/docs/configuration/selfsigned/))
- [ACME Clients](https://awesome-repositories.com/f/security-cryptography/acme-clients.md) — Automates domain validation and certificate issuance using the ACME protocol for secure service communication.
- [ACME Implementations](https://awesome-repositories.com/f/security-cryptography/acme-implementations.md) — Automates domain validation challenges using the ACME protocol to facilitate secure certificate issuance.
- [Certificate Authorities](https://awesome-repositories.com/f/security-cryptography/certificate-authorities.md) — Connects to external certificate authorities to automate the issuance and renewal of TLS certificates. ([source](https://cert-manager.io/docs/configuration/venafi/))
- [Certificate Issuance Utilities](https://awesome-repositories.com/f/security-cryptography/certificate-issuance-utilities.md) — Defines certificate requirements like DNS names and key usages within resource definitions to drive issuance. ([source](https://cert-manager.io/docs/usage/certificate/))
- [Certificate Lifecycle Management](https://awesome-repositories.com/f/security-cryptography/certificate-lifecycle-management.md) — Automates the lifecycle of certificates by requesting them from configured issuers and storing keys in secure storage. ([source](https://cert-manager.io/docs/tutorials/venafi/venafi/))
- [Certificate Signing Request Managers](https://awesome-repositories.com/f/security-cryptography/certificate-signing-request-managers.md) — Validates and authorizes certificate issuance requests before processing to ensure only permitted entities obtain certificates. ([source](https://cert-manager.io/docs/policy/approval/))
- [SSL/TLS Certificate Management](https://awesome-repositories.com/f/security-cryptography/cryptography/ssl-tls-certificate-management.md) — Automates the generation and maintenance of TLS certificates for network gateways via resource annotations. ([source](https://cert-manager.io/docs/usage/gateway/))
- [DNS Validation Tools](https://awesome-repositories.com/f/security-cryptography/dns-validation-tools.md) — Automates domain ownership proof by updating DNS records through external provider APIs. ([source](https://cert-manager.io/docs/configuration/acme/dns01/))
- [Automated Key Rotations](https://awesome-repositories.com/f/security-cryptography/key-management/automated-key-rotations.md) — Updates the private key associated with a certificate during reissuance to maintain security and ensure zero-downtime transitions. ([source](https://cert-manager.io/docs/usage/certificate/))
- [PKI Management](https://awesome-repositories.com/f/security-cryptography/pki-management.md) — Manages private certificate authorities and issues internal TLS certificates for secure microservice communication.
- [Certificate Trust Managers](https://awesome-repositories.com/f/security-cryptography/security/utilities/certificate-trust-managers.md) — Synchronizes certificate authority bundles across cluster namespaces to ensure consistent validation environments. ([source](https://cert-manager.io/docs/trust/trust-manager/))
- [TLS Certificate Management](https://awesome-repositories.com/f/security-cryptography/tls-certificate-management.md) — Assigns wildcard certificates to ingress controllers to provide automatic TLS termination for services. ([source](https://cert-manager.io/docs/devops-tips/syncing-secrets-across-namespaces/))
- [Ephemeral Volume Mounts](https://awesome-repositories.com/f/security-cryptography/certificate-issuance-utilities/ephemeral-certificate-issuance/ephemeral-volume-mounts.md) — Mounts unique TLS certificates directly into pods as ephemeral volumes, ensuring the certificate lifecycle is tied to the pod. ([source](https://cert-manager.io/docs/usage/))
- [Certificate Renewal Managers](https://awesome-repositories.com/f/security-cryptography/certificate-renewal-managers.md) — Enables manual triggering of certificate renewals to bypass standard automated schedules. ([source](https://cert-manager.io/docs/reference/cmctl/))
- [Key Generation Tools](https://awesome-repositories.com/f/security-cryptography/cryptography/key-generation-tools.md) — Stores generated certificates in cluster secrets or provides on-demand key generation to prevent sensitive material from leaving the host. ([source](https://cert-manager.io/docs/))
- [DNS Validation Providers](https://awesome-repositories.com/f/security-cryptography/dns-validation-providers.md) — Integrates with external DNS providers via webhooks to perform domain ownership challenges.
- [Mutual TLS Authentication](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/machine-and-protocol-identity/specialized-authentication-protocols/mutual-tls-authentication.md) — Delivers unique certificates and private keys to pods to enable secure mutual TLS identity verification. ([source](https://cert-manager.io/docs/usage/csi-driver-spiffe/))
- [Infrastructure Policy Enforcement](https://awesome-repositories.com/f/security-cryptography/infrastructure-policy-enforcement.md) — Standardizes certificate properties and restricts request permissions to ensure consistent infrastructure management. ([source](https://cert-manager.io/docs/policy/))
- [Machine Identity Authentication](https://awesome-repositories.com/f/security-cryptography/machine-identity-authentication.md) — Uses managed identities and service account credentials to securely authorize DNS record management and certificate signing requests. ([source](https://cert-manager.io/docs/configuration/acme/dns01/azuredns/))
- [Mutual TLS Configurations](https://awesome-repositories.com/f/security-cryptography/mutual-tls-configurations.md) — Secures connections between the controller and signing authority by requiring client certificate presentation during the handshake. ([source](https://cert-manager.io/docs/configuration/vault/))
- [SSL Certificate Issuers](https://awesome-repositories.com/f/security-cryptography/ssl-certificate-issuers.md) — Updates certificate issuer references dynamically via configuration maps without requiring redeployment. ([source](https://cert-manager.io/docs/usage/csi-driver-spiffe/))
- [Workload Delegations](https://awesome-repositories.com/f/security-cryptography/authorization-policies/authorization-policy-enforcement/workload-delegations.md) — Authorizes individual service accounts to request their own certificates, enabling granular policy enforcement for specific workloads. ([source](https://cert-manager.io/docs/usage/csi-driver/))
- [Automated Certificate Management Systems](https://awesome-repositories.com/f/security-cryptography/automated-certificate-management-systems.md) — Watches ingress resources for annotations and automatically creates or manages certificate resources to secure traffic. ([source](https://cert-manager.io/docs/usage/ingress/))
- [Certificate Authority Configurations](https://awesome-repositories.com/f/security-cryptography/certificate-authority-configurations.md) — Populates webhook and API service configurations with certificate authority data for secure verification. ([source](https://cert-manager.io/docs/concepts/ca-injector/))
- [Issuer Access Controls](https://awesome-repositories.com/f/security-cryptography/domain-access-restrictions/request-access-restrictions/api-access-restrictions/issuer-access-controls.md) — Validates user permissions via access reviews before allowing the use of specific certificate issuers. ([source](https://cert-manager.io/docs/usage/kube-csr/))
- [CSI Drivers](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/security-infrastructure/tls-certificate-management/csi-drivers.md) — Injects TLS certificates directly into pod volumes through a storage interface, bypassing manual secret storage. ([source](https://cert-manager.io/docs/usage/csi-driver/))
- [PKI Automation](https://awesome-repositories.com/f/security-cryptography/pki-automation.md) — Connects Kubernetes workloads to internal and external certificate authorities for automated identity provisioning.
- [Secret Management Integrations](https://awesome-repositories.com/f/security-cryptography/secret-management-integrations.md) — Integrates with external secret management systems to securely request and sign TLS certificates. ([source](https://cert-manager.io/docs/configuration/ca/))
- [Secret Synchronization Tools](https://awesome-repositories.com/f/security-cryptography/secret-management/secret-synchronization-tools.md) — Distributes and synchronizes TLS certificates and trust bundles across multiple namespaces to ensure consistent application security.
- [Secret Storage](https://awesome-repositories.com/f/security-cryptography/secret-storage.md) — Uses native cluster secrets to securely store private keys and certificate bundles.
- [ACME Challenge Servers](https://awesome-repositories.com/f/security-cryptography/acme-challenge-servers.md) — Customizes execution environments and network settings for processes responsible for solving domain validation challenges. ([source](https://cert-manager.io/docs/cli/controller/))
- [Self-Signed Generators](https://awesome-repositories.com/f/security-cryptography/certificate-authorities/client-certificate-generators/self-signed-generators.md) — Generates self-signed certificates for bootstrapping local environments and ad-hoc testing. ([source](https://cert-manager.io/docs/configuration/selfsigned/))
- [Certificate Management](https://awesome-repositories.com/f/security-cryptography/certificate-management.md) — Enables developers to request and maintain TLS certificates independently without administrative gateway access. ([source](https://cert-manager.io/docs/usage/gateway/))
- [Certificate Verification](https://awesome-repositories.com/f/security-cryptography/certificate-verification.md) — Validates system operational status by performing automated test issuance and provisioning. ([source](https://cert-manager.io/docs/installation/kubectl/))
- [Certificate Authority Management](https://awesome-repositories.com/f/security-cryptography/cryptography/ssl-tls-certificate-management/certificate-authority-management.md) — Allows specification of preferred certificate chains to support transitions between root certificate providers. ([source](https://cert-manager.io/docs/configuration/acme/))
- [Secret Management](https://awesome-repositories.com/f/security-cryptography/secret-management.md) — Manages and synchronizes TLS certificates and private keys as secure Kubernetes secrets for application use.
- [Distribution Restrictions](https://awesome-repositories.com/f/security-cryptography/security/utilities/certificate-trust-managers/distribution-restrictions.md) — Limits trust bundle propagation to specific namespaces using label selectors to ensure certificates are only available where required. ([source](https://cert-manager.io/docs/trust/trust-manager/))
- [Secret Access Policies](https://awesome-repositories.com/f/security-cryptography/security/utilities/secret-and-credential-managers/secret-access-policies.md) — Determines whether cluster-wide issuers can utilize ambient environment credentials or require explicit configuration for authentication. ([source](https://cert-manager.io/docs/cli/controller/))

### DevOps & Infrastructure

- [Kubernetes Controllers](https://awesome-repositories.com/f/devops-infrastructure/kubernetes-controllers.md) — Provides a Kubernetes controller that automates the issuance, renewal, and lifecycle management of TLS certificates.
- [Control Loops](https://awesome-repositories.com/f/devops-infrastructure/control-loops.md) — Maintains the desired state of certificates through continuous reconciliation loops within the cluster.
- [Ingress Controllers](https://awesome-repositories.com/f/devops-infrastructure/ingress-controllers.md) — Applies issued TLS certificates to ingress resources to enable encrypted communication for applications exposed to external traffic. ([source](https://cert-manager.io/docs/tutorials/venafi/venafi/))
- [Cluster Management](https://awesome-repositories.com/f/devops-infrastructure/cluster-management.md) — Automates the deployment and lifecycle management of certificate management components in a cluster. ([source](https://cert-manager.io/docs/installation/kubectl/))
- [Custom Resource Definitions](https://awesome-repositories.com/f/devops-infrastructure/custom-resource-definitions.md) — Extends the cluster API with custom resources to manage certificate and issuer lifecycles.
- [Configuration and Policy Enforcement](https://awesome-repositories.com/f/devops-infrastructure/infrastructure/configuration-policy-enforcement.md) — Enforces standardized configurations on certificate requests using admission control policies. ([source](https://cert-manager.io/docs/tutorials/certificate-defaults/))
- [Component Scaling](https://awesome-repositories.com/f/devops-infrastructure/cluster-scaling-orchestrators/component-scaling.md) — Configures multiple controller replicas to ensure high availability and resilience. ([source](https://cert-manager.io/docs/installation/best-practice/))
- [Extensible Provider Frameworks](https://awesome-repositories.com/f/devops-infrastructure/extensible-provider-frameworks.md) — Supports registration of custom external controllers to integrate with specialized certificate services. ([source](https://cert-manager.io/docs/configuration/issuers/))

### Networking & Communication

- [Admission Webhooks](https://awesome-repositories.com/f/networking-communication/proxy-servers/proxy-enforcement/injection-enforcement/admission-webhooks.md) — Intercepts and validates resource creation requests to enforce security policies before persistence.
- [Challenge Delegation](https://awesome-repositories.com/f/networking-communication/dns-record-updaters/challenge-delegation.md) — Follows CNAME records to update less-privileged DNS zones, allowing certificate issuance without granting full access to the primary domain. ([source](https://cert-manager.io/docs/configuration/acme/dns01/))
- [Ingress Controllers](https://awesome-repositories.com/f/networking-communication/ingress-controllers.md) — Generates and manages certificates for ingress resources by monitoring annotations and applying default issuer configurations. ([source](https://cert-manager.io/docs/reference/api-docs/))

### Software Engineering & Architecture

- [Certificate Request Approvals](https://awesome-repositories.com/f/software-engineering-architecture/approval-workflows/automated-approval-rules/certificate-request-approvals.md) — Enforces granular access control over who can approve or deny certificate requests based on the specific issuer referenced. ([source](https://cert-manager.io/docs/usage/certificaterequest/))

### System Administration & Monitoring

- [Custom](https://awesome-repositories.com/f/system-administration-monitoring/dns-resolvers/custom.md) — Overrides default system nameservers to ensure domain validation succeeds in private network configurations. ([source](https://cert-manager.io/docs/configuration/acme/dns01/))
- [Service Metrics Monitoring](https://awesome-repositories.com/f/system-administration-monitoring/service-metrics-monitoring.md) — Publishes internal component health and activity data in a standard format for external monitoring systems. ([source](https://cert-manager.io/docs/devops-tips/prometheus-metrics/))
