Cert Manager

Using cert-manager with Akeyless Certificate Automation

You can have cert-manager deployed in a cluster and use Akeyless Certificate Automation to generate certificates.

To do so, you first need to install cert-manager custom resource definitions for your cluster to support using cert-manager.

Once cert-manager is installed and running in your K8s cluster, you’ll need to create the following three K8s objects to work with the producer:

Secret - The credentials to your Akeyless account.

Issuer - The name of your Certificate Automation producer.

Certificate(s) - Certificates created based on your previously created Issuer.


The following Authentication Methods are supported:

The Secret object allows cert-manager to connect to Akeyless:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: my-secret
data:
  # base64 of "<access_id>..<access_key>" (see the format below)
  token: "cC04Y2l0eelfkjsfijlskjfklsflfskdfjlkfkzRVk9"

The token in the Secret object is expected to be a base64 encoding of an API KEY used to access Akeyless in the following format:

access_id..access_key | base64
# e.g.
echo p-ab1234567890..abc************xyz | base64 -w 0 # => cC1hYjEyMzQ1Njc4OTAuLmFiYyoqKioqKioqKioqKnh5ego=



The API Key token should be a concatenation of your access_id and your access_key with double dots as a delimiter.

Make sure this Authentication Method is set with the appropriate RBAC in Akeyless to grant access to your dynamic secret.
The path in the YAML should always start with the prefix pki/sign/, followed by the item path in Akeyless.
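
The token format and the pki/sign/ prefix described above can be checked before the objects are applied. The script below is an added example, not part of the Akeyless documentation; the function names and sample values are constructed for illustration, and GNU coreutils base64 is assumed.

```shell
# Pre-flight checks for the Secret token and the Issuer path.

# Build the token: base64("<access_id>..<access_key>").
# printf is used so no trailing newline is encoded into the value.
encode_token() {
  printf '%s..%s' "$1" "$2" | base64 -w 0
}

# Verify that a token decodes to "<access_id>..<access_key>".
# Prints only the access_id so the access_key never reaches the terminal.
# A token that was base64-encoded twice fails the delimiter check.
check_token() {
  local decoded id key
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || {
    echo "token is not valid base64" >&2; return 1; }
  case "$decoded" in
    *..*) ;;
    *) echo "decoded token has no '..' delimiter" >&2; return 1 ;;
  esac
  id=${decoded%%..*}   # everything before the first ".."
  key=${decoded#*..}   # everything after the first ".."
  if [ -z "$id" ] || [ -z "$key" ]; then
    echo "access_id or access_key is empty" >&2; return 1
  fi
  printf '%s\n' "$id"
}

# The Issuer path must be pki/sign/ followed by the producer name or path.
check_issuer_path() {
  case "$1" in
    pki/sign/?*) return 0 ;;
    *) echo "path must start with pki/sign/" >&2; return 1 ;;
  esac
}

# Constructed sample values, not real credentials.
SAMPLE_ID='p-ab1234567890'
SAMPLE_KEY='constructed-sample-key'
```

The output of encode_token is the value to place under the token key of the Secret; check_token can be run against a value read back from an existing Secret.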

The Issuer object is what allows cert-manager to call Akeyless with the appropriate producer.

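apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-issuer
spec:
  vault:
    # pki/sign/ prefix followed by the producer name (or full path) in Akeyless
    path: pki/sign/my-cert-automation-producer
    # Akeyless GW where the producer was created; port 8200 is required
    server: http://my-akeyless-gw.example.company.com:8200
    auth:
      tokenSecretRef:
        # The Secret created above and the key that holds the token
        name: my-secret
        key: token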

The my-cert-automation-producer under the Path field is the name of the producer in Akeyless (it can also be a full path, where the producer is inside a folder, i.e., folder/my-cert-automation-producer).

The Server key holds the target Akeyless GW in your local environment where the Certificate Automation producer has been created. Port 8200 is required.

The tokenSecretRef key is a reference to the previously created secret for credentials.

Now that these two objects have been created, you can start issuing certificate requests to Akeyless.
The Certificate object is a certificate request to send to Akeyless.

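apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
spec:
  commonName: cert-man.example.company.com
  dnsNames:
    - cert-man.example.company.com
  # Kubernetes Secret where the issued certificate and key are stored
  secretName: secret-my-certificate
  issuerRef:
    # The Issuer created above
    name: my-issuer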

The keys are cert-manager related and there are no special keys required by Akeyless at this point. For more information see here.

When finished, validate that your Certificate has been issued via kubectl get certificate my-certificate

$ kubectl get certificate my-certificate
NAME             READY   SECRET                  AGE
my-certificate   True    secret-my-certificate   1m

Your certificate information can be found in the secret-my-certificate Secret.