It's been about a year since I introduced my certificate manager: KCert. For my specific needs KCert was a great improvement over the ubiquitous cert-manager. You can read about the differences/advantages in the project's README. However, I did not take the time to review the design to make it more generally useful.
This month I finally got around to revisiting KCert. I have redesigned several aspects of the tool, and I think what I have now is much more refined, simplified, and easy to use.
The changes I've made are:
Get Started Fast
A basic installation of KCert is now super fast.
You should be able to get started in a matter of minutes.
Just edit three lines of the provided deploy.yml
file and use kubectl apply
to deploy it to your cluster.
You can now start creating ingresses and KCert will issue the needed certificates.
It's that simple!
Less Reliance on a UI
Before the refactor, setting up KCert required entering your initial settings via the web UI. I came to the conclusion that this is not consistent with how Kubernetes is usually managed. Everything is now configured in the more standard "config as code" approach.
The web UI still exists, but it is mostly now a read-only view of the tool's status. The only actions you can take in there are sending a test email and manually renewing certificates (and I'm considering removing that second feature).
Watching for Ingress Changes
Before this release, certificates were created in the web UI with a browser-based form. The secret name and hosts are entered and KCert creates a Kubernetes secret based on that information. That is all gone now.
Instead, KCert now watches for changes to ingresses marked with the kcert.dev/ingress=managed
label.
Whenever a change occurs, KCert will check if it needs to issue new certificates accordingly.
KCert supports issuing multi-host (but not wildcard) certificates.
If multiple TLS definition exist across different Ingress definitions,
a single certificate will be created for all referenced hosts.
Conclusion
This project has been dormant for a while, but I'm really excited about this latest update. I think it's finally in a state that should make it useful to many people.
So give it a try!