Extending cert-manager with issuer-lib

cert-manager is the standard tool in the Kubernetes ecosystem for automatically provisioning and managing TLS certificates. cert-manager has a pluggable architecture allowing users to write their own external issuers (i.e. controllers that reconcile and sign CertificateRequests) while integrating with the rest of the cert-manager certificate management lifecycle (e.g. renewals):

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example
  namespace: example
spec:
  # Sign certificate using my external issuer
  issuerRef:
    group: example.com
    kind: ExampleIssuer
    name: example
  secretName: example-tls
  dnsNames:
    - example.com

This capability is incredibly powerful in an enterprise environment, where unusual (and often highly specific) requirements frequently exist that cannot be met by cert-manager’s built-in issuers.


Zero Downtime Deployments with externalTrafficPolicy Local

externalTrafficPolicy Local is a configuration option for Kubernetes Services that configures nodes to only forward external traffic to local Service endpoints, reducing latency and preserving the client source IP. The ins and outs of networking in GKE is my favourite video for understanding this configuration option.

This post describes how a workload exposed using a Service of type LoadBalancer with externalTrafficPolicy Local can be configured to avoid requests being dropped when performing a rolling update.
