cert-manager automates X.509 certificate lifecycle management in Kubernetes using CRDs for Certificates, Issuers, and ClusterIssuers. Mastering ACME challenges and renewal automation is key for reliable HTTPS in Kubernetes.
1 / 5
What is the relationship between a Certificate CRD and a Kubernetes Secret in cert-manager?
When cert-manager sees a Certificate resource, it requests a certificate from the specified Issuer and stores the resulting TLS certificate and private key in a Kubernetes Secret named by spec.secretName. Applications reference this Secret for TLS configuration. cert-manager automatically renews the certificate before expiry.
2 / 5
What is the difference between an Issuer and a ClusterIssuer in cert-manager?
An Issuer is namespaced — it can only issue certificates for Certificate resources in the same namespace. A ClusterIssuer is cluster-wide and can issue certificates requested from any namespace. ClusterIssuers are typically used for shared infrastructure CAs or Let's Encrypt configurations used across all namespaces.
3 / 5
A developer uses cert-manager with Let's Encrypt and, under solvers in an Issuer, configures a dns01 solver with the cloudflare provider. What challenge type is this, and why use it over HTTP-01?
DNS-01 validates domain ownership by creating a TXT record in the domain's DNS zone. It is required for wildcard certificates (e.g., *.example.com) since HTTP-01 cannot validate wildcards. It also works for clusters not exposed to the internet, as validation happens via DNS rather than an HTTP request to the cluster.
4 / 5
What does cert-manager's spec.renewBefore field in a Certificate resource control?
renewBefore tells cert-manager to begin renewing a certificate when it has less than the specified duration remaining before expiry. For example, renewBefore: 720h (30 days) starts renewal when 30 days remain. This ensures certificates are renewed well before expiry even if renewal fails and needs retries.
5 / 5
An engineer annotates a Kubernetes Ingress with cert-manager.io/cluster-issuer: letsencrypt-prod. What does cert-manager do automatically?
cert-manager's Ingress shim watches Ingress resources with cert-manager annotations. When it finds the cluster-issuer annotation, it automatically creates a Certificate resource for each TLS host defined in the Ingress, using the named ClusterIssuer. cert-manager then handles certificate issuance and renewal, populating the Secret referenced by the Ingress.