How We Solved TLS at Scale: Self-Service, Multi-Tenant Cert-manager - Erik Godding Boye & Tim Ramlot

Erik Godding Boye, Tim Ramlot

KubeCon + CloudNativeCon Europe 2025 · Session

In this session, Erik Godding Boye and Tim Ramlot, both maintainers of the CNCF-graduated cert-manager project, walk through the challenges of managing **TLS certificates at scale** in a multi-tenant Kubernetes and OpenShift environment and the solutions they built for them. Erik describes the setup he engineered for Statnett, the Norwegian Transmission System Operator (TSO) responsible for Norway's power grid. The talk shows how cert-manager, combined with ecosystem projects such as trust-manager and approver-policy, can give independent teams self-service certificate provisioning while issuance policy is still enforced centrally.
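The pattern the abstract describes (tenants request their own certificates, a policy layer decides what may be issued) is normally expressed with approver-policy's `CertificateRequestPolicy` plus an RBAC binding that lets a requester "use" that policy. The manifests below are an added illustration, not material from the talk or from Statnett's deployment. The names `team-a`, `team-a-issuer`, `api` and the `cert-manager` namespace are placeholders, and the `selector.namespace` and `validations` (CEL) fields assume a recent approver-policy release; check the field names against the CRD version you actually have installed.

```yaml
# Added example (not from the talk): a tenant-scoped issuance policy with approver-policy.
# All names here are placeholders; adjust to your cluster.
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: team-a-internal
spec:
  # Which CertificateRequests this policy is evaluated against.
  selector:
    issuerRef:
      name: team-a-issuer
      kind: Issuer
      group: cert-manager.io
    namespace:
      matchNames: ["team-a"]
  allowed:
    commonName:
      value: "*.team-a.svc.cluster.local"
    dnsNames:
      required: true
      values: ["*.team-a.svc.cluster.local"]
      # CEL check: every SAN must sit under the requesting namespace, so a tenant
      # cannot request names belonging to another team (assumes a release with validations).
      validations:
        - rule: self.endsWith('.' + cr.namespace + '.svc.cluster.local')
          message: "DNS names must be scoped to the requesting namespace"
    usages:
      - server auth
      - client auth
  constraints:
    maxDuration: 720h   # 30 days; short lifetimes limit the blast radius of a leaked key
    privateKey:
      algorithm: RSA
      minSize: 2048
---
# approver-policy only applies a policy if the requester is RBAC-authorised to "use" it.
# CertificateRequests created from Certificate resources are submitted by the
# cert-manager controller's ServiceAccount, so that identity is bound in the tenant namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-team-a-internal
  namespace: team-a
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    resourceNames: ["team-a-internal"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-team-a-internal
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-team-a-internal
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# A tenant's self-service request. It is approved because it fits the policy above;
# a request for e.g. api.team-b.svc.cluster.local from this namespace would be denied.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api
  namespace: team-a
spec:
  secretName: api-tls
  commonName: api.team-a.svc.cluster.local
  dnsNames: ["api.team-a.svc.cluster.local"]
  duration: 720h
  privateKey:
    algorithm: RSA
    size: 2048
  usages: ["server auth", "client auth"]
  issuerRef:
    name: team-a-issuer
    kind: Issuer
```

Two checks matter before relying on this. First, cert-manager ships its own controller that auto-approves every CertificateRequest; it must be disabled (`--controllers=*,-certificaterequests-approver` on the controller) or approver-policy never gets to say no. Second, a request that matches no policy its requester is allowed to use is denied rather than left pending, so a missing RoleBinding shows up as issuance failures in the tenant namespace, which is the safe direction for the default to fall.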

AI review

This talk presents a detailed, production-hardened solution for managing TLS certificates at scale in a multi-tenant, air-gapped critical-infrastructure environment. The speakers, both cert-manager maintainers, trace the path from an initial, partly flawed implementation (V1) to a robust, policy-driven and fully automated architecture (V2) built on cert-manager, trust-manager, approver-policy with a custom CEL integration, and HashiCorp Vault. The explicit acknowledgment of past mistakes and the deep dive into solving complex problems like…
