The beauty of containerization and kubernetes is that the processes work regardless of the implementation inside the containers. So, what's shown in the video will also work with a Java/Tomcat based app. You should decide if it's sufficient for your use case that TLS termination happens at the level of the ingress controller (this means traffic inside the cluster is not encrypted). Because then the process outlined here (or a similar one in the GKE ManagedCert video) works without any changes. If you absolutely need TLS termination to happen inside your container (all traffic, even inside the cluster is encrypted) then you can probably still use cert-manager to do so. Cert-manager is mostly an automation tool around completing the required Let's Encrypt challenges. As shown in the vid, the final cert once obtained is saved in a Kubernetes Secret. You can mount this secret (like any other k8s secret) to your application pods if you want. This then means that you effectively have both the private key as well as the .crt file available in your app. I'm not a Java dev (and not familiar with Tomcat), but I assume once you have those files (which is the hard part, as only the CA can sign the Cert) you can easily use them inside your containers. After all, from the perspective of the container (and this is another thing that makes this process so beautiful) it just happens to live in the local file system - without having to know where it came from :) Hope this helps a bit, for further info I'd recommend you to get familiar with the cert-manager docs. Best of luck!

You’re not wrong ;-)