The cw-agent-certmanager automatically discovers and monitors all certificates managed by cert-manager in your Kubernetes cluster.

Why Monitor cert-manager Certificates?

Automatic Discovery

No manual configuration. Watches all Certificate resources across namespaces.

Renewal Tracking

Track renewal status and get alerts before certificates expire.

Issuer Visibility

See which ClusterIssuer or Issuer manages each certificate.

Centralized Dashboard

View all cluster certificates alongside network-scanned certificates.

How It Works

The agent:
  1. Watches Certificate custom resources using the Kubernetes API
  2. Extracts certificate metadata (expiry, issuer, status)
  3. Syncs to CertWatch cloud every 30 seconds (configurable)
  4. Detects renewals and status changes in real-time

Prerequisites

  • Kubernetes 1.19+
  • Helm 3.8+
  • cert-manager v1.0+ installed
  • CertWatch API key with cloud:sync scope

Installation

Step 1: Create API Key Secret

kubectl create secret generic cw-api-key \
  --from-literal=api-key=cw_your_key_here

Step 2: Install the Helm Chart

helm install cw-certmanager oci://ghcr.io/certwatch-app/helm-charts/cw-agent-certmanager \
  --set agent.name=my-cluster \
  --set agent.clusterName="Production K8s" \
  --set apiKey.existingSecret.name=cw-api-key

Step 3: Verify

kubectl get pods -l app.kubernetes.io/name=cw-agent-certmanager
kubectl logs -l app.kubernetes.io/name=cw-agent-certmanager -f

Configuration

Full Values Example

agent:
  name: production-certmanager
  clusterName: "Production Cluster"
  logLevel: info
  metricsPort: 9402
  healthPort: 9403
  syncInterval: "30s"
  heartbeatInterval: "30s"
  watchAllNamespaces: true
  # namespaces:
  #   - production
  #   - staging

apiKey:
  existingSecret:
    name: cw-api-key
    key: api-key

serviceMonitor:
  enabled: true
  labels:
    release: prometheus

resources:
  limits:
    cpu: 200m
    memory: 128Mi
  requests:
    cpu: 50m
    memory: 64Mi

Configuration Reference

Parameter                | Default    | Description
agent.name               | ""         | Required. Unique agent identifier
agent.clusterName        | agent.name | Friendly name shown in dashboard
agent.watchAllNamespaces | true       | Monitor certificates in all namespaces
agent.namespaces         | []         | Specific namespaces (when not watching all)
agent.syncInterval       | 30s        | How often to sync with CertWatch cloud
agent.metricsPort        | 9402       | Prometheus metrics endpoint
agent.healthPort         | 9403       | Health check endpoint

Namespace Filtering

Watch All Namespaces (Default)

agent:
  watchAllNamespaces: true

Watch Specific Namespaces

agent:
  watchAllNamespaces: false
  namespaces:
    - production
    - staging
    - cert-manager  # To see cert-manager's own certs

What Gets Synced

For each cert-manager Certificate, the agent syncs:
Field        | Source
Hostname     | Certificate spec.dnsNames[0]
Expiry       | Secret's certificate notAfter
Issuer       | Certificate spec.issuerRef
Status       | Certificate status.conditions
Namespace    | Certificate metadata.namespace
Renewal Time | Certificate status.renewalTime
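The metadata-extraction step from "How It Works" and the field mapping above, as an added Go example that is not the agent's code and does not use cert-manager's real API types: it defines simplified stand-ins for a Certificate resource, reads expiry from the PEM in the issued Secret's tls.crt rather than from the Certificate object, reduces status.conditions to a single status, and leaves expiry unset for a Certificate that has not been issued yet (no Secret exists). The type names, the Extract and ExpiryFromPEM functions, the sample Certificates and the self-signed test certificate are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Simplified stand-ins for a cert-manager Certificate (hypothetical types, not
// cert-manager's own API structs); Secrets are a "namespace/name" -> tls.crt map.
type IssuerRef struct{ Kind, Name string }
type Condition struct{ Type, Status, Reason string }
type Certificate struct {
	Namespace, Name, SecretName string
	DNSNames                    []string
	IssuerRef                   IssuerRef
	Conditions                  []Condition
	RenewalTime                 *time.Time
}

// SyncRecord carries the fields listed under "What Gets Synced".
type SyncRecord struct {
	Hostname, Issuer, Status, Namespace string
	Expiry, RenewalTime                  *time.Time
}

// ExpiryFromPEM parses the leaf certificate in tls.crt and returns notAfter;
// the issued Secret, not the Certificate resource, is the source for expiry.
func ExpiryFromPEM(tlsCrt []byte) (time.Time, error) {
	block, _ := pem.Decode(tlsCrt)
	if block == nil {
		return time.Time{}, errors.New("tls.crt is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return time.Time{}, err
	}
	return cert.NotAfter, nil
}

// Extract builds the record for one Certificate. A not-yet-issued Certificate
// has no Secret; its status is still synced and Expiry stays nil.
func Extract(c Certificate, secrets map[string][]byte) (SyncRecord, error) {
	rec := SyncRecord{Namespace: c.Namespace, Status: "Unknown", RenewalTime: c.RenewalTime,
		Issuer: c.IssuerRef.Kind + "/" + c.IssuerRef.Name}
	for _, cond := range c.Conditions { // reduce status.conditions to one value
		if cond.Type == "Ready" && cond.Status == "True" {
			rec.Status = "Ready"
		} else if cond.Type == "Ready" {
			rec.Status = "NotReady"
		}
	}
	if len(c.DNSNames) == 0 {
		return rec, errors.New(c.Namespace + "/" + c.Name + ": spec.dnsNames is empty")
	}
	rec.Hostname = c.DNSNames[0]
	// Secrets are namespaced: look only in the Certificate's own namespace.
	if tlsCrt, ok := secrets[c.Namespace+"/"+c.SecretName]; ok {
		exp, err := ExpiryFromPEM(tlsCrt)
		if err != nil {
			return rec, err
		}
		rec.Expiry = &exp
	}
	return rec, nil
}

// newTestCertPEM mints a constructed self-signed certificate (test data only).
func newTestCertPEM(dnsName string, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleCluster returns constructed resources: one issued Certificate with its
// Secret, and one still pending (no Secret yet).
func SampleCluster() ([]Certificate, map[string][]byte) {
	exp := time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC)
	renew := exp.Add(-30 * 24 * time.Hour)
	certs := []Certificate{
		{Namespace: "production", Name: "app-tls", SecretName: "app-tls", RenewalTime: &renew,
			DNSNames:   []string{"app.example.com", "www.example.com"},
			IssuerRef:  IssuerRef{Kind: "ClusterIssuer", Name: "letsencrypt-prod"},
			Conditions: []Condition{{Type: "Ready", Status: "True", Reason: "Ready"}}},
		{Namespace: "staging", Name: "api-tls", SecretName: "api-tls",
			DNSNames:   []string{"api.staging.example.com"},
			IssuerRef:  IssuerRef{Kind: "Issuer", Name: "staging-ca"},
			Conditions: []Condition{{Type: "Ready", Status: "False", Reason: "DoesNotExist"}}},
	}
	return certs, map[string][]byte{"production/app-tls": newTestCertPEM("app.example.com", exp)}
}
```

Calling Extract on each Certificate from SampleCluster yields a Ready record for production/app-tls with its expiry taken from the Secret, and a NotReady record for staging/api-tls with no expiry. An empty spec.dnsNames is reported as an error instead of being indexed, since that is the one row of the table with nothing to read.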

RBAC Permissions

The Helm chart creates a ClusterRole with these permissions:
- apiGroups: ["cert-manager.io"]
  resources: ["certificates", "certificaterequests"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]

Troubleshooting

Agent Not Discovering Certificates

# Check agent logs
kubectl logs -l app.kubernetes.io/name=cw-agent-certmanager

# Verify RBAC
kubectl auth can-i list certificates.cert-manager.io \
  --as=system:serviceaccount:default:cw-agent-certmanager

# List certificates the agent should see
kubectl get certificates --all-namespaces

Certificates Not Appearing in Dashboard

  1. Verify agent is connected (check heartbeat in dashboard)
  2. Check sync interval hasn’t been set too high
  3. Confirm API key has cloud:sync scope

Full Kubernetes Guide

See deployment options including GitOps, ServiceMonitor, and cw-stack umbrella chart.