Kubernetes Certificate Rotation

While Kubernetes has a built-in CertManager for getting new certificate, it's quite common to miss the deadline on expiring certificates, leading to catastrophic outages.

Most Popular

The problem

Kubernetes has some magic sauce to automatically renew certificates before they expire. The built-in CertManager is a great tool for getting new certificates.  But are certificates renewed in time?  Did we discover a certificate expiring soon and renew it in time?

It’s easy for a certificate to slip through the cracks.  Once the cert expires, the system is offline with a really unfriendly message for users.  Suddenly our site looks unsafe.

It’s often at this point when a customer calls to complain that we realize a certificate expired again.  Then we build a big, manual process to ensure it never happens again.  But sure enough, a month or two later, it happens again.

The solution

This Shoreline automation scans the cluster for certificates generated by CertManager and stored in k8s secrets or pod definitions. When a certificate is expiring soon (a configurable timeframe), the Shoreline automation calls k8s’s CertManager to renew the certificate. You’ll almost forget about certificate expiry with Shoreline’s certificate management Op Pack.


Customer experience impact
Total outage
Occurrence frequency
Every 90 days
Shoreline time to repair
1-2 minutes
Time to diagnose manually
Cost impact
Time to repair manually
1-2 manual hours

Related Solutions