## Installation
| Platform | Command |
| -------- | ------- |
| kubectl (static manifests) | `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml` |
| Helm (recommended) | `helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true` |
| macOS (cmctl CLI) | `brew install cmctl` |
| Linux (cmctl CLI) | `curl -sSL https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cmctl-linux-amd64.tar.gz \| tar xz && sudo mv cmctl /usr/local/bin` |
| Windows (cmctl CLI) | `curl.exe -L -o cmctl.exe https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cmctl-windows-amd64.exe` |
| Verify installation | `kubectl get pods -n cert-manager` |
### Helm Repository Setup
```bash
# Add Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
# Update repository
helm repo update
# Install with custom values
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.13.3 \
  --values custom-values.yaml
```
## Basic Commands
| Command | Description |
| ------- | ----------- |
| `kubectl get certificates` | List all certificates in the current namespace |
| `kubectl get certificates -A` | List certificates across all namespaces |
| `kubectl describe certificate <name>` | Show detailed certificate information |
| `kubectl get certificate <name> -o yaml` | Show a certificate in YAML format |
| `kubectl get issuer` | List all issuers in the current namespace |
| `kubectl get clusterissuer` | List all cluster-wide issuers |
| `kubectl describe issuer <name>` | Show detailed issuer information |
| `kubectl get certificaterequest` | List certificate requests |
| `kubectl get order` | Show ACME certificate orders |
| `kubectl get challenge` | Show ACME challenges used for domain validation |
| `kubectl logs -n cert-manager deployment/cert-manager` | Show cert-manager controller logs |
| `kubectl logs -n cert-manager deployment/cert-manager-webhook` | Show webhook logs |
| `kubectl logs -n cert-manager deployment/cert-manager-cainjector` | Show CA injector logs |
| `cmctl check api` | Check whether the cert-manager API is available |
| `cmctl version` | Show cert-manager version information |
| `cmctl status certificate <name>` | Check certificate status and readiness |
| `cmctl inspect secret <secret-name>` | Inspect a TLS secret created by cert-manager |
| `cmctl renew <cert-name>` | Manually trigger certificate renewal |
| `kubectl get crd \| grep cert-manager` | List all cert-manager Custom Resource Definitions |
| `kubectl get events --field-selector involvedObject.name=<cert-name>` | Show events related to a specific certificate |
## Advanced Usage
| Command | Description |
| ------- | ----------- |
| `cmctl approve <certificaterequest-name>` | Manually approve a certificate request |
| `cmctl deny <certificaterequest-name>` | Deny a certificate request |
| `cmctl create certificaterequest test --from-certificate-file=cert.yaml` | Create a certificate request from a file |
| `cmctl convert --output-format=pem --input-file=cert.yaml` | Convert a certificate to PEM format |
| `cmctl experimental create acmeaccount --server=<url> --email=<email>` | Test ACME account registration |
| `kubectl annotate certificate <name> cert-manager.io/issue-temporary-certificate="true" --overwrite` | Force immediate certificate renewal |
| `kubectl delete certificaterequest <name>` | Remove a failed certificate request |
| `kubectl delete order <name>` | Delete an ACME order |
| `kubectl delete challenge <name>` | Remove a stuck ACME challenge |
| `kubectl get certificate <name> -o jsonpath='{.status.conditions}'` | Extract certificate status conditions |
| `kubectl get secret <tls-secret> -o jsonpath='{.data.tls\.crt}' \| base64 -d \| openssl x509 -text -noout` | Decode the certificate and show its details |
| `kubectl get secret <tls-secret> -o jsonpath='{.data.tls\.crt}' \| base64 -d \| openssl x509 -noout -dates` | Check certificate validity dates |
| `helm upgrade cert-manager jetstack/cert-manager --namespace cert-manager --version v1.13.3` | Upgrade cert-manager to a new version |
| `kubectl rollout restart deployment -n cert-manager` | Restart all cert-manager components |
| `kubectl scale deployment cert-manager -n cert-manager --replicas=2` | Scale cert-manager for high availability |
| `kubectl get certificate --watch` | Watch certificate status changes in real time |
| `kubectl patch certificate <name> --type merge -p '{"spec":{"renewBefore":"720h"}}'` | Change the certificate renewal window |
| `kubectl delete secret <tls-secret>` | Delete the certificate secret (triggers re-issuance) |
| `cmctl experimental install` | Install cert-manager with the cmctl tool |
| `cmctl experimental uninstall` | Uninstall cert-manager and clean up its resources |
## Configuration
### Self-Signed ClusterIssuer
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
```
### Let's Encrypt Staging Issuer (ACME HTTP-01)
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
```
### Let's Encrypt Production Issuer (ACME DNS-01, Google Cloud DNS)
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        cloudDNS:
          project: my-gcp-project
          serviceAccountSecretRef:
            name: clouddns-dns01-solver
            key: key.json
```
### CA Issuer (Internal PKI)
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: default
spec:
  ca:
    secretName: ca-key-pair   # TLS secret holding the CA's tls.crt and tls.key
```
### Certificate Resource
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - example.com
  - www.example.com
  duration: 2160h    # 90 days
  renewBefore: 360h  # 15 days before expiry
```
### Wildcard Certificate
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: default
spec:
  secretName: wildcard-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - "*.example.com"
  - example.com
```
### Vault Issuer
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: default
spec:
  vault:
    server: https://vault.example.com
    path: pki/sign/example-dot-com
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes
        role: cert-manager
        secretRef:
          name: vault-token
          key: token
```
### Helm Values Configuration
```yaml
# custom-values.yaml
installCRDs: true
replicaCount: 2
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 200m
    memory: 256Mi
prometheus:
  enabled: true
  servicemonitor:
    enabled: true
webhook:
  replicaCount: 2
cainjector:
  replicaCount: 2
```
## Common Use Cases
### Use Case 1: Secure Ingress with Let's Encrypt
```bash
# Create ClusterIssuer
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
# Create Ingress with TLS annotation (ingress-shim creates the Certificate
# automatically, named after the TLS secret)
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.com
    secretName: example-com-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
EOF
# Verify certificate creation
kubectl get certificate
kubectl describe certificate example-com-tls
```
### Use Case 2: Internal Service mTLS
```bash
# Create self-signed CA (the CA Certificate lives in the cert-manager
# namespace so the ClusterIssuer below can read its secret)
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: my-ca
  secretName: my-ca-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
EOF
# Create CA issuer from generated CA
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-ca-issuer
spec:
  ca:
    secretName: my-ca-secret
EOF
# Issue service certificates
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: service-a-cert
  namespace: default
spec:
  secretName: service-a-tls
  duration: 8760h
  renewBefore: 720h
  subject:
    organizations:
    - my-org
  commonName: service-a.default.svc.cluster.local
  dnsNames:
  - service-a.default.svc.cluster.local
  issuerRef:
    name: my-ca-issuer
    kind: ClusterIssuer
EOF
```
### Use Case 3: Wildcard Certificate with DNS-01
```bash
# Create DNS provider secret (example: Cloudflare). A ClusterIssuer reads
# solver secrets from the cert-manager namespace, so create it there.
kubectl create secret generic cloudflare-api-token \
  --namespace cert-manager \
  --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN
# Create ClusterIssuer with DNS-01 solver
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-dns
    solvers:
    - dns01:
        cloudflare:
          email: admin@example.com
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
EOF
# Request wildcard certificate
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example
  namespace: default
spec:
  secretName: wildcard-example-tls
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
  dnsNames:
  - "*.example.com"
  - example.com
EOF
# Monitor certificate issuance
kubectl get certificate wildcard-example -w
```
### Use Case 4: Securing Kubernetes Webhooks
```bash
# Create certificate for webhook
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: webhook-cert
  namespace: webhook-system
spec:
  secretName: webhook-server-cert
  duration: 8760h
  renewBefore: 720h
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
  dnsNames:
  - webhook-service.webhook-system.svc
  - webhook-service.webhook-system.svc.cluster.local
EOF
# Reference in webhook configuration
kubectl apply -f - <<EOF
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: my-webhook
  annotations:
    cert-manager.io/inject-ca-from: webhook-system/webhook-cert
webhooks:
- name: webhook.example.com
  # sideEffects and admissionReviewVersions are mandatory in the v1 API
  sideEffects: None
  admissionReviewVersions: ["v1"]
  clientConfig:
    service:
      name: webhook-service
      namespace: webhook-system
      path: "/validate"
    caBundle: ""  # Injected by cert-manager's cainjector
EOF
```
### Use Case 5: Certificate Rotation and Renewal
```bash
# Create certificate with short duration for testing
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: short-lived-cert
  namespace: default
spec:
  secretName: short-lived-tls
  duration: 24h
  renewBefore: 8h
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
  dnsNames:
  - test.example.com
EOF
# Monitor renewal
kubectl get certificate short-lived-cert -w
# Force immediate renewal
kubectl annotate certificate short-lived-cert \
  cert-manager.io/issue-temporary-certificate="true" \
  --overwrite
# Check renewal history
kubectl get certificaterequest -l cert-manager.io/certificate-name=short-lived-cert
# Verify new certificate
cmctl inspect secret short-lived-tls
```
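The renewal checks from Use Case 5 and the `.status.conditions` query above can be automated over the JSON that `kubectl get certificates -A -o json` prints. The following Python script is an added example, not part of the original cheat sheet; the two embedded Certificates are constructed sample data, while the field names it reads (`status.conditions`, `status.notAfter`, `status.renewalTime`) are the ones cert-manager actually sets.

```python
import json
from datetime import datetime, timezone

# Constructed sample of two Certificates, shaped like the items that
# `kubectl get certificates -A -o json` returns for cert-manager resources.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "example-com", "namespace": "default"},
     "spec": {"secretName": "example-com-tls", "renewBefore": "360h"},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}],
                "notAfter": "2024-04-01T00:00:00Z", "renewalTime": "2024-03-17T00:00:00Z"}},
    {"metadata": {"name": "wildcard-example", "namespace": "default"},
     "spec": {"secretName": "wildcard-example-tls", "renewBefore": "360h"},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Failed",
                                "message": "DNS-01 challenge timed out"}],
                "notAfter": "2024-03-20T00:00:00Z", "renewalTime": "2024-03-05T00:00:00Z"}},
]})


def parse_time(value):
    """Parse the RFC 3339 UTC timestamps cert-manager writes into .status."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ready_condition(cert):
    """Return the Ready condition, or a placeholder if cert-manager has not set one yet."""
    for cond in cert.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return {"status": "Unknown", "reason": "NoCondition", "message": ""}


def audit(raw_json, now_iso):
    """Return (namespace/name, finding) pairs for Certificates that need attention."""
    now = parse_time(now_iso)
    findings = []
    for cert in json.loads(raw_json)["items"]:
        key = f'{cert["metadata"]["namespace"]}/{cert["metadata"]["name"]}'
        status = cert.get("status", {})
        cond = ready_condition(cert)
        if cond["status"] != "True":
            findings.append((key, f'not Ready ({cond.get("reason")}): {cond.get("message", "")}'))
        not_after, renewal = status.get("notAfter"), status.get("renewalTime")
        if not_after and parse_time(not_after) <= now:
            findings.append((key, "expired"))
        # renewalTime is notAfter minus renewBefore. Once it has passed, cert-manager
        # should already have replaced the secret, so an unchanged notAfter means
        # the renewal is stuck (see the troubleshooting table below).
        elif renewal and parse_time(renewal) <= now:
            findings.append((key, f"renewal overdue since {renewal}"))
    return findings
```

To run it against a cluster, replace `SAMPLE` with the output of `kubectl get certificates -A -o json` and pass the current UTC time to `audit`.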
## Best Practices
- **Set `renewBefore` deliberately**: `renewBefore` determines how long before expiry cert-manager starts renewal; leave enough margin for ACME challenges to complete before the current certificate expires
- **Monitor certificate expiry**: cert-manager exports the `certmanager_certificate_expiration_timestamp_seconds` metric; alert on it so a failed renewal is noticed before the certificate expires
- **Use DNS-01 for wildcards and internal services**: The DNS-01 challenge is required for wildcard certificates and works better for services that are not exposed to the internet
- **Implement proper RBAC**: Restrict access to Issuers and certificate Secrets with Kubernetes RBAC to prevent unauthorized certificate issuance
- **Keep configurations under version control**: Store Certificate and Issuer manifests in Git to track changes and enable GitOps workflows
- **Use separate Issuers per environment**: Create different Issuers for development, staging and production to isolate credentials and prevent cross-environment certificate problems
- **Enable CA injection for webhooks**: Use the `cert-manager.io/inject-ca-from` annotation to inject CA bundles into webhook configurations automatically
- **Plan for disaster recovery**: Back up CA private keys and ACME account credentials stored in Kubernetes Secrets to external secure storage
## Troubleshooting
| Problem | Solution |
| ------- | -------- |
| **Certificate stuck in "Pending"** | Check the certificate request: `kubectl describe certificaterequest <name>`. Look for ACME challenge failures or issuer configuration errors |
| **ACME HTTP-01 challenge failing** | Verify the ingress is reachable: `curl http://<domain>/.well-known/acme-challenge/test`. Check that the ingress class matches the solver configuration |
| **DNS-01 challenge timeout** | Confirm DNS provider credentials: `kubectl get secret <dns-secret> -o yaml`. Verify DNS propagation: `dig TXT _acme-challenge.<domain>` |
| **"Too many certificates" rate limit** | Switch to the Let's Encrypt staging server or wait 7 days. Check the rate limits: https://letsencrypt.org/docs/rate-limits/ |
| **Certificate not renewing automatically** | Check the `renewBefore` setting and the cert-manager logs: `kubectl logs -n cert-manager deployment/cert-manager`. Verify the controller is running |
| **Webhook connection failures** | Verify the webhook service is running: `kubectl get svc -n cert-manager`. Check webhook certificate validity: `cmctl check api` |
| **CA injection not working** | Ensure cainjector is running: `kubectl get pods -n cert-manager`. Verify the annotation syntax: `cert-manager.io/inject-ca-from: namespace/certificate` |
| **Certificate shows "Ready=False"** | Get detailed status: `cmctl status certificate <name>`. Check events: `kubectl get events --field-selector involvedObject.name=<cert-name>` |
| **Order stuck in "Pending"** | Delete the order to retry: `kubectl delete order <order-name>`. The certificate controller will create a new order automatically |
| **Secret not created after certificate ready** | Check that the secret name matches `secretName` in the Certificate spec. Verify the namespace: `kubectl get secret <name> -n <namespace>` |
| **Wildcard certificate validation fails** | Make sure a DNS-01 solver is configured (HTTP-01 does not support wildcards). Check the DNS provider's permissions for creating TXT records |
| **Certificate shows wrong issuer** | Delete the certificate request: `kubectl delete certificaterequest <name>`. Update the Certificate spec with the correct `issuerRef` |
| **High memory usage** | Reduce the certificate count or increase resources: `kubectl set resources deployment cert-manager -n cert-manager --limits=memory=512Mi` |
| **Duplicate certificates created** | Check for multiple Certificate resources with the same `secretName`. Remove duplicates to prevent conflicts |
| **ACME account registration fails** | Check the email format in the Issuer spec. Verify the ACME server URL is correct. Review the cert-manager logs for detailed error messages |
### Debug Command Sequence
```bash
# Complete troubleshooting workflow: walk the chain
# Certificate -> CertificateRequest -> Order -> Challenge, then read the logs
kubectl describe certificate <cert-name>
kubectl get certificaterequest -l cert-manager.io/certificate-name=<cert-name>
kubectl describe certificaterequest <request-name>
kubectl get order
kubectl describe order <order-name>
kubectl get challenge
kubectl describe challenge <challenge-name>
kubectl logs -n cert-manager deployment/cert-manager --tail=100
```
### Common Log Patterns
```bash
# Search for specific certificate errors
kubectl logs -n cert-manager deployment/cert-manager | grep "certificate="
# Find ACME challenge errors
kubectl logs -n cert-manager deployment/cert-manager | grep "challenge"
# Check for rate limit errors
kubectl logs -n cert-manager deployment/cert-manager | grep "rate limit"
# Monitor certificate renewal attempts
kubectl logs -n cert-manager deployment/cert-manager -f | grep "renewal"
```