🔐 Sealing the Deal: Automating PKI in Kubernetes with OpenBao and Cert-Manager
A.J. Geddes
DevSecOps Enthusiast | AI Operations Engineer | Simplifying Tech | Author ✌️
In a modern Kubernetes environment, the days of managing TLS certificates manually are numbered — quite literally.
As of 2029, public TLS certificates will have their maximum validity period reduced to just 47 days (source).
This move, driven by the CA/Browser Forum, means we can no longer rely on inbox reminders or calendar invites to handle cert renewal. We need automated systems that are resilient, scalable, and developer-friendly.
Fortunately, that’s exactly what we get by combining:
OpenBao — a powerful, open-source secret management platform
cert-manager — the Kubernetes-native certificate lifecycle manager
Cloudflare DNS — as our external validation and issuance provider
Together, they enable a secure and automated PKI (Public Key Infrastructure) lifecycle — for both internal mTLS and public HTTPS endpoints — built on cloud-native principles.
🧱 OpenBao: Vault’s Open-Source Evolution
OpenBao is the community-driven fork of HashiCorp Vault, retaining all the features that matter:
Secret storage and encryption APIs
Short-lived token and certificate issuance
PKI engines for internal CAs
OIDC and policy-based access control
Auto-unseal via cloud KMS (Azure Key Vault, AWS KMS, GCP KMS)
In Kubernetes, OpenBao can be deployed with Helm and scaled horizontally. For internal workloads, it becomes your internal CA, issuing certs for services, pods, or ingress routes with tight TTL and revocation policies.
⚙️ Cert-Manager: Kubernetes’ Certificate Automation Engine
cert-manager integrates tightly with Kubernetes and enables:
Declarative certificate requests (via Certificate resources)
Automated issuance, renewal, and revocation
Pluggable backends, including:
Its job is simple: keep your secrets up to date and valid. Behind the scenes, cert-manager solves the complexity of:
DNS validation (ACME challenges)
Certificate lifetimes and renewals
Storing issued certs as Kubernetes Secrets
📡 Why Cloudflare DNS Matters Now
Here’s the problem: You can’t scale HTTPS certs with manual validation anymore. And with 47-day limits becoming the new standard, the only sustainable option is automated DNS-based ACME challenges.
Cloudflare’s API + cert-manager’s dns01 solver gives us that.
This lets cert-manager prove domain ownership and renew certs without human intervention — no emails, no downtime, no surprises.
🔄 The Full Picture: Automated PKI Lifecycle
Here’s how these tools work together:
🔒 Internal Certs with OpenBao
OpenBao runs the PKI engine
cert-manager is configured with a VaultIssuer to request internal certs
Pods and services define Certificate specs
mTLS across workloads becomes automatic and ephemeral
🌐 Public Certs with Cloudflare
cert-manager is configured with a ClusterIssuer for ACME DNS-01
Cloudflare API credentials are stored securely
Domains like *.yourcompany.app are validated via DNS
Certificates are automatically issued, stored, and renewed
Example: ClusterIssuer using Cloudflare
Example: Public Certificate Using Cloudflare
💥 That’s it. The cert is issued, stored as a Kubernetes secret, and auto-renewed every month — no tickets required.
🛡️ GitOps, Auditing, and Security
This PKI setup gets even more powerful when combined with GitOps tools like ArgoCD or Flux:
Your Issuer and Certificate specs live in Git
Secrets are generated and mounted as needed
Cert rotations are visible in your GitOps pipeline
OpenBao logs all access and activity for full audit compliance
You can also:
Set cert TTLs to hours or days
Use Cloudflare’s RBAC and API tokens for fine-grained control
Define revocation endpoints or rotation policies in OpenBao
🧠 Final Thoughts
The future of PKI is not 1-year certs and Excel trackers — it’s short-lived, auto-issued, policy-controlled TLS.
🔐 OpenBao gives you internal trust
⚙️ Cert-manager gives you lifecycle automation
🌐 Cloudflare gives you secure, scalable external validation
Together, they make PKI part of your platform — not a problem for your team.