cert-manager Quiz
Test your understanding of cert-manager and Kubernetes certificate management with the following questions.
Questions
1. What is cert-manager's project status in the CNCF?
- A) Sandbox project
- B) Incubating project
- C) Graduated project
- D) Archived project
Show Answer
Answer: C) Graduated project
Explanation: cert-manager achieved CNCF Graduated status in November 2022, making it one of the most mature and widely adopted certificate management solutions for Kubernetes. This status indicates the project has met rigorous requirements for governance, security, and community adoption.
2. Which component in cert-manager watches Certificate resources and triggers certificate issuance?
- A) cainjector
- B) webhook
- C) controller
- D) acmesolver
Show Answer
Answer: C) controller
Explanation: cert-manager consists of three core components:
- controller: Watches Certificate resources, manages the certificate lifecycle, and triggers issuance/renewal
- webhook: Validates and mutates cert-manager resources via admission webhooks
- cainjector: Injects CA bundles into ValidatingWebhookConfiguration, MutatingWebhookConfiguration, and CRD conversion webhooks
3. What is the key difference between Issuer and ClusterIssuer resources?
- A) Issuer supports more certificate types
- B) ClusterIssuer is namespace-scoped while Issuer is cluster-scoped
- C) Issuer is namespace-scoped while ClusterIssuer is cluster-scoped
- D) ClusterIssuer only works with ACME
Show Answer
Answer: C) Issuer is namespace-scoped while ClusterIssuer is cluster-scoped
Explanation:
# Issuer - only issues certificates in its namespace
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod
namespace: my-app # Only works in this namespace
# ClusterIssuer - issues certificates across all namespaces
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod # No namespace - cluster-wideUse ClusterIssuer for organization-wide certificate policies, Issuer for namespace-specific configurations.
4. Which ACME challenge type supports wildcard certificate issuance?
- A) HTTP-01
- B) DNS-01
- C) TLS-ALPN-01
- D) Both HTTP-01 and DNS-01
Show Answer
Answer: B) DNS-01
Explanation: ACME challenge types and their capabilities:
- HTTP-01: Proves domain control via HTTP endpoint (port 80). Does NOT support wildcards.
- DNS-01: Proves domain control via DNS TXT records. Supports wildcard certificates (*.example.com).
- TLS-ALPN-01: Proves domain control via TLS (port 443). Does NOT support wildcards.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
spec:
acme:
solvers:
- dns01:
route53:
region: us-east-1
selector:
dnsNames:
- "*.example.com" # Wildcard requires DNS-015. In a Certificate resource, what does the secretName field specify?
- A) The name of the Issuer secret
- B) The Kubernetes Secret where the issued certificate will be stored
- C) The CA certificate secret
- D) The ACME account secret
Show Answer
Answer: B) The Kubernetes Secret where the issued certificate will be stored
Explanation: The secretName field specifies where cert-manager stores the issued certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-app-tls
namespace: my-app
spec:
secretName: my-app-tls-cert # Certificate stored here
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- my-app.example.comThe resulting Secret contains:
tls.crt: The certificate chaintls.key: The private keyca.crt: The CA certificate (if available)
6. What is the primary use case for the AWS Private CA Issuer?
- A) Free public certificates
- B) Internal PKI for private/enterprise certificates
- C) DNS-01 challenge automation
- D) Certificate revocation
Show Answer
Answer: B) Internal PKI for private/enterprise certificates
Explanation: AWS Private CA (PCA) Issuer integrates cert-manager with AWS Certificate Manager Private Certificate Authority:
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
name: aws-pca-issuer
spec:
arn: arn:aws:acm-pca:us-east-1:123456789:certificate-authority/abc-123
region: us-east-1Use cases:
- Internal microservice mTLS
- Enterprise PKI compliance requirements
- Private certificates not exposed to public internet
- Integration with existing AWS PCA infrastructure
7. What does trust-manager do in the cert-manager ecosystem?
- A) Validates certificate signatures
- B) Distributes CA bundles across namespaces as ConfigMaps or Secrets
- C) Manages ACME account registration
- D) Handles certificate revocation
Show Answer
Answer: B) Distributes CA bundles across namespaces as ConfigMaps or Secrets
Explanation: trust-manager is a cert-manager sub-project that distributes trusted CA certificates:
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
name: my-ca-bundle
spec:
sources:
- useDefaultCAs: true # Include system CAs
- secret:
name: "internal-ca"
key: "ca.crt"
target:
configMap:
key: "ca-certificates.crt"
namespaceSelector:
matchLabels:
trust-bundle: enabled # Distribute to labeled namespacesThis ensures consistent CA trust across all application namespaces.
8. What does the renewBefore field control in a Certificate resource?
- A) The minimum validity period
- B) How long before expiry cert-manager begins renewal
- C) The maximum renewal attempts
- D) The renewal check interval
Show Answer
Answer: B) How long before expiry cert-manager begins renewal
Explanation: The renewBefore field specifies when cert-manager starts the renewal process:
apiVersion: cert-manager.io/v1
kind: Certificate
spec:
secretName: my-cert
duration: 2160h # 90 days validity
renewBefore: 360h # Renew 15 days before expiry
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- example.comWith these settings:
- Certificate valid for 90 days
- Renewal begins at day 75 (90 - 15 = 75)
- Provides buffer for renewal failures
9. What is the role of istio-csr in cert-manager's Istio integration?
- A) Validates Istio configurations
- B) Issues workload certificates for Istio service mesh using cert-manager
- C) Manages Istio gateway certificates only
- D) Synchronizes certificates between clusters
Show Answer
Answer: B) Issues workload certificates for Istio service mesh using cert-manager
Explanation: istio-csr replaces Istio's built-in CA (istiod) with cert-manager for workload identity:
# istio-csr issues certificates for:
# - Workload mTLS (pod-to-pod)
# - Service mesh identity (SPIFFE)
# Configuration example
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: istiod
namespace: istio-system
spec:
secretName: istiod-tls
issuerRef:
name: istio-ca
kind: ClusterIssuer
isCA: trueBenefits:
- Centralized PKI management
- Consistent certificate policies across mesh and ingress
- Integration with external CAs (Vault, AWS PCA)
10. What is a key difference between cert-manager and AWS Certificate Manager (ACM)?
- A) ACM supports more issuers
- B) cert-manager can only run on EKS
- C) cert-manager provides certificates as Kubernetes Secrets, ACM stores them in AWS
- D) ACM supports more certificate types
Show Answer
Answer: C) cert-manager provides certificates as Kubernetes Secrets, ACM stores them in AWS
Explanation: cert-manager vs AWS ACM comparison:
| Feature | cert-manager | AWS ACM |
|---|---|---|
| Storage | Kubernetes Secrets | AWS-managed |
| Private Key Access | Yes (in Secret) | No (AWS-only) |
| Use with Pods | Direct mounting | Not possible |
| Ingress Integration | Any ingress controller | ALB/NLB only |
| Multi-cloud | Yes | AWS only |
| Issuers | ACME, Vault, PCA, self-signed | Amazon, PCA |
Use cert-manager when you need:
- Certificates inside pods
- Multi-cloud portability
- Custom issuers
- Fine-grained control over private keys
Score Calculation
- 9-10 correct: Excellent - You have a deep understanding of cert-manager.
- 7-8 correct: Good - You have a solid grasp of the key concepts.
- 5-6 correct: Fair - There are areas that need additional study.
- 4 or fewer: Please review the documentation again.