cert-manager builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide ‘certificates as a service’ to developers working within your Kubernetes cluster. cert-manager is very popular with tens of thousands of users.
cert-manager can be used for many different use cases within your clusters, including mutual TLS (mTLS) between workloads, and for securing traffic from end users with ingress. cert-manager provides integrations with many different ways of obtaining those certificates, including Let’s Encrypt, Control Plane for Machine Identities, and a Certificate Authority issuer that allows for signing with a CA certificate obtained from any source.
CAS Issuer for cert-manager
Today we are announcing that we are adding another integration option: Google Cloud’s new Certificate Authority Service.
The Google Cloud Certificate Authority Service (CAS) provides:
- Private CAs “as a service” for internal workloads (as opposed to something like Let’s Encrypt where the certificates will be public)
- Automation and auditing
- Secure storage of the CA key, as Google CAS leverages HSMs that are FIPS 140-2 Level 3 validated
Read more about the full set of features in the product documentation.
How it works
Working closely with Google, we developed an external Issuer for cert-manager, in order to automate the lifecycle of certificates with a CAS-managed CA. The CAS Issuer is a separate controller to cert-manager and runs its own pod, enabling you to use the same interfaces to create and manage certificates in Kubernetes as you would publicly-trusted certificates (e.g. Let’s Encrypt).
Getting started
Follow the open source project documentation to set up the prerequisites, build and install the controller, and configure the CAS Issuer.
kubectl get googlecasclusterissuers
NAME                            AGE
googlecasclusterissuer-sample   10s
You can now create certificates as normal; you just need to ensure the issuerRef is set to the Google CAS Issuer.
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-certificate
  namespace: default
spec:
  # The secret name to store the signed certificate
  secretName: demo-cert-tls
  # Common Name
  commonName: cert-manager.io.demo
  # DNS SAN
  dnsNames:
    - cert-manager.io
    - jetstack.io
  # Duration of the certificate
  duration: 24h
  # Renew 8 hours before the certificate expiration
  renewBefore: 8h
  # Important: Ensure the issuerRef is set to the issuer or cluster issuer configured earlier
  issuerRef:
    group: cas-issuer.jetstack.io
    kind: GoogleCASClusterIssuer
    name: googlecasclusterissuer-sample
EOF
In a short time, the certificate will be requested and made available in the cluster.
kubectl get certificates,secret
NAME                                          READY   SECRET          AGE
certificate.cert-manager.io/bar-certificate   True    demo-cert-tls   1m

NAME                   TYPE                DATA   AGE
secret/demo-cert-tls   kubernetes.io/tls   3      1m
The certificate in this example has a duration of 24h, and cert-manager will automatically renew it 8h before expiry. You can also renew it manually with the cert-manager kubectl plugin.
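The duration and renewBefore pair above is easy to get subtly wrong, and a private CA such as CAS may issue a shorter lifetime than the 24h requested. The following added example (not code from cert-manager or the CAS Issuer project) checks the spec the way cert-manager's validation does and computes the renewal instant from the certificate the CA actually issued; the spec dictionary and issuance timestamp are constructed sample values.

```python
"""Validate a Certificate spec's duration/renewBefore and derive its renewal time.
Added example, not code from cert-manager or the CAS Issuer project."""
import re
from datetime import datetime, timedelta, timezone

_GO_DURATION = re.compile(r"(\d+(?:\.\d+)?)([hms])")
_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text: str) -> timedelta:
    """Parse a Go-style duration such as '24h', '8h', '1h30m' or '2160h'."""
    if not re.fullmatch(r"(?:\d+(?:\.\d+)?[hms])+", text):
        raise ValueError(f"invalid duration: {text!r}")
    seconds = sum(float(n) * _SECONDS[u] for n, u in _GO_DURATION.findall(text))
    return timedelta(seconds=seconds)


def validate_spec(spec: dict) -> list:
    """Return the problems cert-manager's validation would reject the spec for."""
    problems = []
    duration = parse_duration(spec.get("duration", "2160h"))  # cert-manager default: 90 days
    if duration < timedelta(hours=1):
        problems.append("duration must be at least 1h")
    if "renewBefore" in spec:
        renew_before = parse_duration(spec["renewBefore"])
        if renew_before < timedelta(minutes=5):
            problems.append("renewBefore must be at least 5m")
        if renew_before >= duration:
            problems.append("renewBefore must be shorter than duration")
    return problems


def renewal_time(not_before: datetime, not_after: datetime, renew_before=None) -> datetime:
    """Renewal instant for the issued certificate: notAfter minus renewBefore.
    Falls back to one third of the actual lifetime when renewBefore is unset or
    not shorter than the lifetime the CA actually granted (cert-manager's rule)."""
    actual = not_after - not_before
    before = actual / 3
    if renew_before is not None and renew_before < actual:
        before = renew_before
    return (not_after - before).replace(microsecond=0)


# Constructed sample matching the Certificate above: 24h requested, renew 8h early.
SPEC = {"duration": "24h", "renewBefore": "8h"}
ISSUED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("spec problems:", validate_spec(SPEC) or "none")
    expiry = ISSUED_AT + parse_duration(SPEC["duration"])
    print("renew at:", renewal_time(ISSUED_AT, expiry, parse_duration(SPEC["renewBefore"])))
```

Running it with the sample spec reports no problems and a renewal at 16:00 UTC, eight hours before the 24h expiry; shrink the issued lifetime below 8h and the renewal falls back to two thirds of the actual lifetime.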
Project and service availability
You can give this a try today! The Google Cloud Certificate Authority Service is in public beta, and the CAS Issuer for cert-manager, developed and maintained by Venafi experts from Jetstack, is available and open source now.
If you would prefer an easier setup then keep an eye out for a supported offering in the Google Cloud Marketplace. We will share an announcement when it is available with all the details you will need to get started.