Weekly cadence
Runs every Monday, or on demand before a planned maintenance window.
Recurring operations work
Hyground reads every cert-manager Certificate object across every cluster, groups them by namespace and service owner, and produces a single email-ready renewal list. No external SSL scanner. No access to the underlying secret.
The artefact
Certificate expiry is the operations chore that becomes an outage on the day nobody owned it. Hyground encodes the discovery pass as a deterministic workflow that runs weekly and tells you who needs to act, by when, on which certificate.
Every cert-manager Certificate object across every cluster, every ingress and gateway that references one.
A formatted list, one row per certificate, with the responsible team's lead in the to-line.
What the agent reads
No external cert tracker. Every cert-manager Certificate object exposes its own expiry and renewal state. Hyground reads it and turns it into a deliverable.
Cert-manager CRDs
Hyground reads cert-manager Certificate resources. Each one exposes notAfter, issuer and renewal state without touching the private-key Secret. The agent never needs access to the certificate data itself.
Ingress and Gateway
For workloads that terminate TLS at an Ingress or Gateway, Hyground reads the referenced Certificate object and the issuer state, mapping each public hostname back to the owning team.
Ownership
The Certificate's labels, annotations and namespace are matched against your ownership convention so every expiring cert lands with a named owner, not a generic platform-team queue.
What you get back
Bucketed by horizon, attributed to a person and a renewal status. The artefact your audit team will accept as evidence.
Certificates expiring in the next 30, 60 and 90 days, ranked by how critical the workload is.
Whether cert-manager is renewing automatically on schedule, the renewal is overdue, or the issuer is in an error state.
The responsible team and their team lead, with a link to the namespace and the affected ingress.
A single attachment per team, pre-filled, that you forward without retyping the rows.
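An added example, not Hyground's own code: a sketch of the discovery pass described above, bucketing Certificate objects by status.notAfter and classifying renewal state from status.renewalTime and the Ready condition, without reading any Secret. The sample objects, the `owner` label key, and treating a Certificate that is not Ready as the error state are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample, shaped like `kubectl get certificates.cert-manager.io -A -o json`.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "shop-tls", "namespace": "shop", "labels": {"owner": "team-shop"}},
  "status": {"notAfter": "2024-06-20T00:00:00Z", "renewalTime": "2024-05-21T00:00:00Z",
             "conditions": [{"type": "Ready", "status": "True"}]}},
 {"metadata": {"name": "api-tls", "namespace": "api", "labels": {"owner": "team-api"}},
  "status": {"notAfter": "2024-07-15T00:00:00Z", "renewalTime": "2024-06-15T00:00:00Z",
             "conditions": [{"type": "Ready", "status": "True"}]}},
 {"metadata": {"name": "pay-tls", "namespace": "pay"},
  "status": {"notAfter": "2024-08-20T00:00:00Z", "renewalTime": "2024-07-21T00:00:00Z",
             "conditions": [{"type": "Ready", "status": "False"}]}},
 {"metadata": {"name": "docs-tls", "namespace": "docs", "labels": {"owner": "team-docs"}},
  "status": {"notAfter": "2024-12-01T00:00:00Z", "renewalTime": "2024-11-01T00:00:00Z",
             "conditions": [{"type": "Ready", "status": "True"}]}},
 {"metadata": {"name": "new-tls", "namespace": "api", "labels": {"owner": "team-api"}},
  "status": {"conditions": [{"type": "Ready", "status": "False"}]}}
]}""")

def parse_ts(value):
    # cert-manager writes RFC 3339 UTC timestamps such as 2024-06-20T00:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def renewal_state(status, now):
    ready = next((c["status"] for c in status.get("conditions", []) if c["type"] == "Ready"), "Unknown")
    if ready != "True":
        return "error"  # assumption: a Certificate that is not Ready is reported as the error state
    renew_at = status.get("renewalTime")
    return "overdue" if renew_at and parse_ts(renew_at) <= now else "on-schedule"

# owner_label is a hypothetical ownership convention; substitute your own label key.
def renewal_rows(cert_list, now, horizons=(30, 60, 90), owner_label="owner"):
    rows = []
    for cert in cert_list["items"]:
        meta, status = cert["metadata"], cert.get("status", {})
        # No notAfter means nothing was ever issued: treat it as 0 days left.
        days = (parse_ts(status["notAfter"]) - now).days if "notAfter" in status else 0
        bucket = next((h for h in horizons if days <= h), None)
        if bucket is None:
            continue  # expires beyond the longest horizon
        rows.append({"owner": meta.get("labels", {}).get(owner_label, "unowned"),
                     "namespace": meta["namespace"], "name": meta["name"],
                     "days_left": days, "bucket": bucket, "state": renewal_state(status, now)})
    return sorted(rows, key=lambda r: r["days_left"])

if __name__ == "__main__":
    for row in renewal_rows(SAMPLE, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(row)
```

Certificates with no matching owner label come back as `unowned`, so the gap in the ownership convention stays visible in the list.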
Hyground is not SaaS. Hyground works as bring-your-own-chart and bring-your-own-model, without sending any data back to us. This way, Hyground complies with the highest security and data compliance standards in the AI SRE space. It speeds up both incident resolution, with automatic RCA, and your daily work. Trusted by industry giants.
Related use cases
Every binding granting cluster-admin or wildcard verbs across every cluster, with subject attribution and change history.
Identify over- and under-provisioned workloads against 30 days of real usage, with the monthly cost delta and HPA recommendations.
When a CVE drops, get every affected workload, owner team and upgrade path before the security team asks.
Give us read access to a single cluster and Hyground will produce the renewal list against your environment in 15 minutes.