The Cloud Native Computing Foundation (CNCF), which builds sustainable ecosystems for cloud native software, has announced the graduation of cert-manager.
cert-manager helps cloud native developers automate Transport Layer Security (TLS) and Mutual Transport Layer Security (mTLS) certificate issuance and renewal. It ensures secure communication within distributed systems by automating and simplifying the issuance, renewal, and lifecycle management of X.509 certificates in Kubernetes platforms. This eliminates the manual process of generating and managing certificates and helps ensure systems remain secure without constant manual intervention.
“By making it easier for developers to obtain, manage, and automate security certificates, cert-manager helps ensure applications remain secure throughout their lifecycles, making the ecosystem more secure as a whole,” said Chris Aniszczyk, CTO, CNCF. “We’re thrilled to see the project reach this milestone and look forward to it continuing to improve the cloud native security space.”
cert-manager was created in 2017 at Jetstack, which is now a part of Venafi, a CyberArk company. It was accepted into the CNCF Sandbox in November 2020, and, over the past four years, has continued to grow, bringing in new maintainers, expanding its user base, and adding key features in response to community needs. It has built a network of more than 450 contributors and issued more than 200 releases. It moved to the Incubating maturity level in 2022 and today plays a vital role in the CNCF ecosystem by integrating with other projects like Kubernetes, SPIFFE, Istio, Prometheus, and Envoy to strengthen cloud native infrastructure security across diverse environments.
The project is now seeing 500 million downloads per month, and user research suggests 86 percent of new production clusters are created with cert-manager deployed as standard practice to manage the issuance and renewal of TLS and mTLS certificates. It has subprojects to help with a variety of tasks, including secretless issuance, trust store management, and certificate policy enforcement. It has also extended support for external issuers such as AWS Private CA, Google CAS, and HashiCorp Vault while integrating with service meshes to enhance security across cloud native environments.
To officially graduate from incubating status, the project completed a CNCF-sponsored security audit, revamped its governance documentation creating a path for contributors to become full maintainers, worked with TAG Security and TAG Contributor Strategy to review security and community posture, and migrated testing and release processes to CNCF-owned infrastructure.






