
Zero-Downtime SSL Certificate Rotation in Kubernetes Ingress



Kubernetes Ingress looked fine at first glance, but the truth was brutal: the cluster was serving an invalid certificate, browsers were throwing errors, and API clients were failing silently. The cause was simple and common—certificate rotation had not kept up with the pace of expiration. The fix can be simple too, but only if you understand how certificate rotation works in Kubernetes Ingress and set it up for zero downtime.

Why Certificate Rotation Fails

An Ingress in Kubernetes routes external traffic into your cluster using rules and a controller like NGINX, HAProxy, or Traefik. SSL/TLS certificates for that Ingress can come from multiple sources: static secrets, CI pipelines, or automated issuers like cert-manager with Let’s Encrypt. Rotation breaks when:

  • The new certificate secret is in place but never mounted by the controller.
  • The certificate is rotated in Kubernetes but the Ingress controller doesn’t reload.
  • External automation renews the certificate but skips updating the cluster.

Automating Renewal With Cert-Manager

Cert-manager integrates directly with Kubernetes Ingress resources. It can request, renew, and update TLS certificates from Let’s Encrypt or other issuers without manual work. The key points for reliable rotation:

  • Use a Certificate resource tied to the Ingress hostnames.
  • Monitor expiry with Prometheus or built-in cert-manager alerts.
  • Ensure Ingress annotations map correctly to the cert-manager ClusterIssuer or Issuer.
  • Validate controller reload behavior after secret updates.

Hot Reload Without Downtime

A healthy certificate rotation is not just about renewal—it’s about serving the new certificate immediately. Test that your Ingress controller supports hot reloads without dropping connections. Enable dynamic config reload if available. If the controller lacks this, schedule brief rolling restarts aligned with certificate updates.

Security and Compliance Benefits

Automated rotation closes the window for expired certificate outages and shortens exposure if a key leak happens. Short-lived certificates are no longer a burden when rotation is painless. This strengthens compliance with internal security baselines and external standards.

End-to-End Testing

Many teams rotate certificates in staging but miss production-specific behaviors. Test rotation end-to-end in an environment that mirrors your live cluster. Validate expiry alerts, renewal triggers, and controller reload paths in real traffic scenarios.
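The reload check called for above (the "rotated in Kubernetes but the controller never reloaded" failure, and the end-to-end validation described here) as an added shell example; it is not code from the original post or from hoop.dev. It assumes kubectl access to the cluster and openssl on the path; the namespace, secret name, hostname and ingress address are placeholders for your own values.

```shell
#!/usr/bin/env bash
# Added example: confirm the Ingress controller is really serving the
# certificate that sits in the kubernetes.io/tls secret after a rotation.
# Assumptions: kubectl is configured for the cluster and openssl is installed.
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file.
fingerprint_pem() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Expiry (notAfter) of the first certificate in a PEM file.
not_after_pem() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Certificate that cert-manager (or your pipeline) wrote into the TLS secret.
secret_cert() {  # <namespace> <secret> <outfile>
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$3"
}

# Certificate the controller presents for a hostname (SNI) at the ingress
# address; a reload that never happened shows up here as a mismatch.
served_cert() {  # <host> <ingress-addr> <outfile>
  openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 > "$3"
}

# Exit 0 when the served certificate matches the secret, 1 when the
# controller is still serving a stale certificate.
check_rotation() {  # <namespace> <secret> <host> <ingress-addr>
  tmp=$(mktemp -d)
  secret_cert "$1" "$2" "$tmp/secret.pem"
  served_cert "$3" "$4" "$tmp/served.pem"
  want=$(fingerprint_pem "$tmp/secret.pem")
  have=$(fingerprint_pem "$tmp/served.pem")
  echo "secret: $want (expires $(not_after_pem "$tmp/secret.pem"))"
  echo "served: $have (expires $(not_after_pem "$tmp/served.pem"))"
  rm -rf "$tmp"
  [ "$want" = "$have" ]
}

# Usage with placeholder values (hypothetical namespace, secret, host, address):
# check_rotation prod app-tls app.example.com 203.0.113.10
```

Run it right after cert-manager renews the secret and again after the controller's reload window; a persistent mismatch means the controller needs a dynamic reload enabled or a rolling restart, as the Hot Reload section describes.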

Certificate rotation in Kubernetes Ingress is not just a maintenance task—it’s a guarantee that your entrypoint to the cluster is always trusted. The faster you can see it working, the faster you can trust it. See it live in minutes on hoop.dev.
