Cert-manager ⚓️

Overview

Cert manager is a popular Kubernetes add-on used to automate the issuance and renewal of certificates. Komodor integrates cert-manager for seamless certificate management., it aims to enhance reliability by ensuring certificates are always up-to-date, minimizing the risk of service disruptions due to expired or invalid certificates. The integration provides visibility into certificate health, allowing you to track, manage, and debug certificate-related issues across multiple clusters.

Key capabilities

• Cross-cluster support: Manage certificates across multiple clusters from a single interface.
• Comprehensive filtering: filter certificates by cluster, namespace, issuer, and status.
• Automated alerts: receive alerts for expiring, expired, or failed certificates.
• Detailed certificate status: View related resources such as the issuer, certificate requests, challenges, and associated workloads.
• Using Komodor AI for root cause analysis: Leverage Komodor AI (Klaudia) to help debug issues by analyzing logs and related resources.

How it works:

Under Kubernetes Add-ons → Cert-manager in the left-side navigation bar, Komodor provides a unified dashboard to view all certificates managed by cert-manager across your clusters. The dashboard includes:

• A summary aggregating the total number of certificates, including the count of expired and expiring ones.
• Quick filters to narrow down the view based on the certificate you are interested in.
• A list of certificates and controllers, allowing you to dive deeper for more information.

Certificate Details

Clicking on a certificate opens a detailed view with the following information:

• Issuer/ClusterIssuer: The authority responsible for signing the certificate.
• Certificate Requests: Details on the certificate request process.
• Challenges: If relevant, information on any ACME (Automatic Certificate Management Environment) challenges associated with the certificate.
• Associated Workload: Details on the Kubernetes resources that rely on this certificate.
• Expiration and Renewal Time: Clear indicators of when the certificate will expire and when the next renewal attempt will occur.
• Komodor AI-powered root cause analysis: Automatic detection of certificate issues and suggestions for fixing them, based on related controller logs.

Reliability Risks

Certificates that are expiring soon, have expired, or have failed renewal will automatically generate reliability violations in Komodor. These violations are created within the “Add-ons risks” impact group, and are prioritized by severity based on expiration timelines:

• High: Certificate has already expired or will expire within 3 days.
• Medium: Certificate will expire within 7 days.
• Low: Certificate will expire within 14 days.

Those thresholds are configurable through our Reliability Policies. 

Each violation includes:

• Which services are affected.
• Details on the certificate status, specifically the errors if exist. 
• Actionable insights to resolve the issue.

Use Cases

1. Monitoring certificate health: use the cert-manager dashboard to gain insight into all certificates across your clusters. Identify certificates that are close to expiring or have already expired.
2. Debugging certificate failures: use the root cause analysis and related resource views to quickly identify the cause of certificate renewal failures, such as failed ACME challenges or misconfigured cert-manager settings.
3. Proactive alerts: set up alerts to notify you when certificates are about to expire or have failed renewal, preventing service disruptions.

Debugging and Resolution

Komodor makes it easy to debug certificate issues by:

• Exposing relevant cert-manager logs for each certificate.
• Analyzing certificate-related resources such as certificate requests, challenges, and issuers.
• Providing recommendations and actionable steps as part of the reliability violations for resolving certificate failures.

API Integration

Coming soon - Komodor exposes an API for fetching certificate summary data, allowing users to integrate certificate health status into their internal tools and dashboards. This helps developers and operators maintain visibility over certificate validity and act before issues arise.