Skip to content

cert-manager Quiz

Test your understanding of cert-manager and Kubernetes certificate management with the following questions.


Questions

1. What is cert-manager's project status in the CNCF?

  • A) Sandbox project
  • B) Incubating project
  • C) Graduated project
  • D) Archived project
Show Answer

Answer: C) Graduated project

Explanation: cert-manager achieved CNCF Graduated status in November 2022, making it one of the most mature and widely adopted certificate management solutions for Kubernetes. This status indicates the project has met rigorous requirements for governance, security, and community adoption.


2. Which component in cert-manager watches Certificate resources and triggers certificate issuance?

  • A) cainjector
  • B) webhook
  • C) controller
  • D) acmesolver
Show Answer

Answer: C) controller

Explanation: cert-manager consists of three core components:

  • controller: Watches Certificate resources, manages the certificate lifecycle, and triggers issuance/renewal
  • webhook: Validates and mutates cert-manager resources via admission webhooks
  • cainjector: Injects CA bundles into ValidatingWebhookConfiguration, MutatingWebhookConfiguration, and CRD conversion webhooks

3. What is the key difference between Issuer and ClusterIssuer resources?

  • A) Issuer supports more certificate types
  • B) ClusterIssuer is namespace-scoped while Issuer is cluster-scoped
  • C) Issuer is namespace-scoped while ClusterIssuer is cluster-scoped
  • D) ClusterIssuer only works with ACME
Show Answer

Answer: C) Issuer is namespace-scoped while ClusterIssuer is cluster-scoped

Explanation:

yaml
# Issuer - only issues certificates in its namespace
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: my-app  # Only works in this namespace

# ClusterIssuer - issues certificates across all namespaces
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod  # No namespace - cluster-wide

Use ClusterIssuer for organization-wide certificate policies, Issuer for namespace-specific configurations.


4. Which ACME challenge type supports wildcard certificate issuance?

  • A) HTTP-01
  • B) DNS-01
  • C) TLS-ALPN-01
  • D) Both HTTP-01 and DNS-01
Show Answer

Answer: B) DNS-01

Explanation: ACME challenge types and their capabilities:

  • HTTP-01: Proves domain control via HTTP endpoint (port 80). Does NOT support wildcards.
  • DNS-01: Proves domain control via DNS TXT records. Supports wildcard certificates (*.example.com).
  • TLS-ALPN-01: Proves domain control via TLS (port 443). Does NOT support wildcards.
yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
spec:
  acme:
    solvers:
    - dns01:
        route53:
          region: us-east-1
      selector:
        dnsNames:
        - "*.example.com"  # Wildcard requires DNS-01

5. In a Certificate resource, what does the secretName field specify?

  • A) The name of the Issuer secret
  • B) The Kubernetes Secret where the issued certificate will be stored
  • C) The CA certificate secret
  • D) The ACME account secret
Show Answer

Answer: B) The Kubernetes Secret where the issued certificate will be stored

Explanation: The secretName field specifies where cert-manager stores the issued certificate:

yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-app-tls
  namespace: my-app
spec:
  secretName: my-app-tls-cert  # Certificate stored here
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - my-app.example.com

The resulting Secret contains:

  • tls.crt: The certificate chain
  • tls.key: The private key
  • ca.crt: The CA certificate (if available)

6. What is the primary use case for the AWS Private CA Issuer?

  • A) Free public certificates
  • B) Internal PKI for private/enterprise certificates
  • C) DNS-01 challenge automation
  • D) Certificate revocation
Show Answer

Answer: B) Internal PKI for private/enterprise certificates

Explanation: AWS Private CA (PCA) Issuer integrates cert-manager with AWS Certificate Manager Private Certificate Authority:

yaml
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: aws-pca-issuer
spec:
  arn: arn:aws:acm-pca:us-east-1:123456789:certificate-authority/abc-123
  region: us-east-1

Use cases:

  • Internal microservice mTLS
  • Enterprise PKI compliance requirements
  • Private certificates not exposed to public internet
  • Integration with existing AWS PCA infrastructure

7. What does trust-manager do in the cert-manager ecosystem?

  • A) Validates certificate signatures
  • B) Distributes CA bundles across namespaces as ConfigMaps or Secrets
  • C) Manages ACME account registration
  • D) Handles certificate revocation
Show Answer

Answer: B) Distributes CA bundles across namespaces as ConfigMaps or Secrets

Explanation: trust-manager is a cert-manager sub-project that distributes trusted CA certificates:

yaml
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: my-ca-bundle
spec:
  sources:
  - useDefaultCAs: true           # Include system CAs
  - secret:
      name: "internal-ca"
      key: "ca.crt"
  target:
    configMap:
      key: "ca-certificates.crt"
    namespaceSelector:
      matchLabels:
        trust-bundle: enabled     # Distribute to labeled namespaces

This ensures consistent CA trust across all application namespaces.


8. What does the renewBefore field control in a Certificate resource?

  • A) The minimum validity period
  • B) How long before expiry cert-manager begins renewal
  • C) The maximum renewal attempts
  • D) The renewal check interval
Show Answer

Answer: B) How long before expiry cert-manager begins renewal

Explanation: The renewBefore field specifies when cert-manager starts the renewal process:

yaml
apiVersion: cert-manager.io/v1
kind: Certificate
spec:
  secretName: my-cert
  duration: 2160h    # 90 days validity
  renewBefore: 360h  # Renew 15 days before expiry
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - example.com

With these settings:

  • Certificate valid for 90 days
  • Renewal begins at day 75 (90 - 15 = 75)
  • Provides buffer for renewal failures

9. What is the role of istio-csr in cert-manager's Istio integration?

  • A) Validates Istio configurations
  • B) Issues workload certificates for Istio service mesh using cert-manager
  • C) Manages Istio gateway certificates only
  • D) Synchronizes certificates between clusters
Show Answer

Answer: B) Issues workload certificates for Istio service mesh using cert-manager

Explanation: istio-csr replaces Istio's built-in CA (istiod) with cert-manager for workload identity:

yaml
# istio-csr issues certificates for:
# - Workload mTLS (pod-to-pod)
# - Service mesh identity (SPIFFE)

# Configuration example
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: istiod
  namespace: istio-system
spec:
  secretName: istiod-tls
  issuerRef:
    name: istio-ca
    kind: ClusterIssuer
  isCA: true

Benefits:

  • Centralized PKI management
  • Consistent certificate policies across mesh and ingress
  • Integration with external CAs (Vault, AWS PCA)

10. What is a key difference between cert-manager and AWS Certificate Manager (ACM)?

  • A) ACM supports more issuers
  • B) cert-manager can only run on EKS
  • C) cert-manager provides certificates as Kubernetes Secrets, ACM stores them in AWS
  • D) ACM supports more certificate types
Show Answer

Answer: C) cert-manager provides certificates as Kubernetes Secrets, ACM stores them in AWS

Explanation: cert-manager vs AWS ACM comparison:

Featurecert-managerAWS ACM
StorageKubernetes SecretsAWS-managed
Private Key AccessYes (in Secret)No (AWS-only)
Use with PodsDirect mountingNot possible
Ingress IntegrationAny ingress controllerALB/NLB only
Multi-cloudYesAWS only
IssuersACME, Vault, PCA, self-signedAmazon, PCA

Use cert-manager when you need:

  • Certificates inside pods
  • Multi-cloud portability
  • Custom issuers
  • Fine-grained control over private keys

Score Calculation

  • 9-10 correct: Excellent - You have a deep understanding of cert-manager.
  • 7-8 correct: Good - You have a solid grasp of the key concepts.
  • 5-6 correct: Fair - There are areas that need additional study.
  • 4 or fewer: Please review the documentation again.