Why cert-manager instead of Certbot?


#1

I’m learning Kubernetes and I have a cluster which needs certs. I see various projects for this, and I’m wondering why I might use either cert-manager or kube-cert-manager over using the Certbot image directly.


#2

Bump. Seems like a simple question, is there something wrong with it? I would think that the Certbot image is a more ideal solution since it’s containerized and officially supported by Let’s Encrypt. Are the alternatives more lightweight? Is there a tradeoff in the feature set? I’m not that educated on networking and crypto, so a little help here would be much appreciated.


#3

Hi @rm-rf-etc,

Unfortunately I don’t have any Kubernetes experience so my answers aren’t likely very helpful 🙂 I suspect that the answer is that cert-manager and kube-cert-manager are more Kubernetes focused and probably offer a tighter integration than Certbot. I’m sure it’s possible to use Certbot in this context but Certbot is definitely a more general purpose ACME client than either kube-cert-manager or cert-manager and caters to use-cases you wouldn’t care about (standalone mode, nginx/apache plugins, etc).

Since there hasn’t been much uptake on your thread here it might make sense to open an issue with either kube-cert-manager or cert-manager to ask the developers of that software for their perspective on this question. They likely have more Kubernetes context to apply to the topic.

Hope that helps!


#4

The main difference is that the Kubernetes clients store the certificates and private keys as k8s Secrets, whereas the certbot container will store the certificate and private keys in a volume.

Secrets have a few security advantages, and they’re still exposed to your containers as read-only volumes so they aren’t really any harder to use than a volume populated by certbot.
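To make the point in #4 concrete, here is an added example (not posted by anyone in this thread) of the cert-manager flow: a ClusterIssuer pointing at Let's Encrypt, a Certificate whose output cert-manager writes into a Secret, and a Pod that mounts that Secret read-only. The issuer name, namespace, hostnames, contact address and the nginx ingress class are assumed placeholders.

```yaml
# Added example, not from the thread: cert-manager issues a certificate into a
# Kubernetes Secret and a Pod consumes it read-only. All names are placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod              # assumed issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com          # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, also kept in a Secret
    solvers:
      - http01:
          ingress:
            class: nginx              # assumes an nginx ingress controller
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-com
  namespace: web
spec:
  secretName: www-example-com-tls     # cert-manager writes tls.crt and tls.key here
  dnsNames:
    - www.example.com                 # placeholder hostname
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: web                      # Secrets are namespaced; Pod must match
spec:
  containers:
    - name: nginx
      image: nginx:stable
      volumeMounts:
        - name: tls
          mountPath: /etc/nginx/tls
          readOnly: true              # container can read the key but not alter it
  volumes:
    - name: tls
      secret:
        secretName: www-example-com-tls
        defaultMode: 0400             # key file readable only by the file owner
```

Who can read the Secret through the API is governed by RBAC on the `web` namespace, and renewal only rewrites the Secret, so the Pod's mount is updated without a certbot-style shared volume.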
