Why cert-manager instead of Certbot?

I’m learning kubernetes and I have a cluster which needs certs. I see various projects for this, and I’m wondering why I might use either cert-manager or kube-cert-manager over using the Certbot image directly.

Bump. Seems like a simple question, is there something wrong with it? I would think that the Certbot image is a more ideal solution since it’s containerized and officially supported by Let’s Encrypt. Are the alternatives more lightweight? Is there a tradeoff in the feature set? I’m not that educated on networking and crypto, so a little help here would be much appreciated.

Hi @rm-rf-etc,

Unfortunately I don’t have any Kubernetes experience so my answers aren’t likely very helpful :slight_smile: I suspect that the answer is that cert-manager and kube-cert-manager are more Kubernetes focused and probably offer a tighter integration than Certbot. I’m sure its possible to use Certbot in this context but Certbot is definitely a more general purpose ACME client than either kube-cert-manager or cert-manager and caters to use-cases you wouldn’t care about (standalone mode, nginx/apache plugins, etc).

Since there hasn’t been much uptake on your thread here it might make sense to open an issue with either kube-cert-manager or cert-manager to ask the developers of that software for their perspective on this question. They likely have more Kubernetes context to apply to the topic.

Hope that helps!


The main difference is that the kubernetes clients store the certificates and private keys as k8s secrets, whereas the certbot container will store the certificate and private keys in a volume.

Secrets have a few security advantages, and they’re still exposed to your containers as read-only volumes so they aren’t really any harder to use than a volume populated by certbot.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.