Nabeel Sulieman

KCert: Try it Out


Last month I wrote about a tool I've been using in my cluster to manage Let's Encrypt certificates. For me, building this tool has been a fantastic learning experience, and as the author of the tool I am extremely pleased with the result. I doubt I will ever go back to using cert-manager.

Today I would like to announce that KCert is stable enough for broader usage. I would love for people to try it out, submit feedback, and help me turn this into a tool that is useful to more people than just myself.

What is KCert?

KCert is meant to replace cert-manager in your Kubernetes cluster. It offers a simple alternative to the complex system that is cert-manager. Instead of thousands of lines of yaml, multiple services and custom resource types, KCert runs as a simple, single-instance service in your cluster. It will automatically renew certs before they expire and can send you email notifications of actions taken. It also has a web UI for manual configuration and management.

How Reliable is the Tool?

I've been running KCert in my own cluster since December. Over the past few months, I've been tweaking the UI and reorganizing the way the tool works to make it as simple as possible. Of course, as the author of the tool I am biased and my experience is not the same as a new user's. I'm very keen to see if other people will be as excited about this tool as I am.

What If I Have Trouble Using KCert?

If you have any issues or questions using KCert, please submit your question or feature request on GitHub.

Potential Caveats

This tool works great for me in my cluster and environment. However, as a side-project, I've only been working on it part time. This is not a perfectly polished, production-grade tool. There are no automated tests and I've only tested it in my own cluster with the following setup:

  • Kubernetes 1.19.3 on Digital Ocean
  • Standard nginx ingress controller

I suspect that folks with different configurations will encounter bugs. If you take the time to describe the issues you face, I will happily try to resolve them. Specifically, as requests come in, I expect to expand KCert to support:

  • Other types of Ingress controllers (HAProxy, Traefik, Kong, etc.)
  • Other architectures such as ARM for Raspberry Pi

Getting Started

Trying out KCert is extremely simple and low-risk. Simply apply the deploy.yml file to your cluster. Unlike cert-manager, the file is less than 100 lines and should be easy to follow and understand.

deploy.yml will create a few resources in a new namespace called kcert, as well as a global ClusterRole and ClusterRoleBinding for accessing TLS certs. Deleting KCert is as simple as deleting those resources.

Please let me know how it goes!