cert-manager builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide ‘certificates as a service’ to developers working within your Kubernetes cluster. cert-manager is very popular with tens of thousands of users.
cert-manager can be used for many different use cases within your clusters, including mutual TLS (mTLS) between workloads and securing traffic from end users at the ingress. cert-manager integrates with many different ways of obtaining those certificates, including Let’s Encrypt, Control Plane for Machine Identities, and a Certificate Authority (CA) issuer that signs with a CA certificate and private key you supply in a Kubernetes Secret, wherever that CA came from.
CAS Issuer for cert-manager
Today we are announcing that we are adding another integration option: Google Cloud’s new Certificate Authority Service.
The Google Cloud Certificate Authority Service (CAS) provides:
- Private CAs “as a service” for internal workloads (as opposed to something like Let’s Encrypt, where the certificates are publicly trusted and therefore logged in public Certificate Transparency logs)
- Automation and auditing
- Secure storage of the CA private key: Google CAS keeps it in HSMs that are FIPS 140-2 Level 3 validated, so, unlike the CA issuer, the signing key never has to live in a Secret inside your cluster
Read more about the full set of features in the product documentation.
How it works
Working closely with Google, we developed an external Issuer for cert-manager in order to automate the lifecycle of certificates signed by a CAS-managed CA. The CAS Issuer is a separate controller from cert-manager and runs in its own pod; it only needs credentials to call the CAS signing API, and it lets you use the same Kubernetes interfaces to create and manage these certificates as you would publicly-trusted certificates (e.g. from Let’s Encrypt).
You can now create Certificate resources as normal; the only difference is that the Certificate’s issuerRef (group, kind and name) must point at the Google CAS Issuer rather than at one of cert-manager’s built-in issuers.
Shortly afterwards, the certificate is requested from CAS and the signed certificate, its chain and the private key are written to the Secret named in the Certificate, ready for workloads in the cluster to mount.
The certificate in this example had a duration of 24h, and cert-manager will automatically renew it 8h prior to expiry (the Certificate’s duration and renewBefore fields). You can also renew it manually with the cert-manager kubectl plugin.
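As an added worked example (not manifests from the original post or from the google-cas-issuer project itself), here is an issuer and a Certificate wired together. The project, location, CA pool, Secret and resource names are placeholders, and the issuer field names and API version follow the google-cas-issuer README’s v1beta1 schema as an assumption; the v1alpha1 API current at the time of this post named the CA reference differently, so check the README for the release you install.

```yaml
# Added example, not from the original post or the project.
# Project, location, CA pool and resource names are placeholders.
apiVersion: cas-issuer.jetstack.io/v1beta1   # assumed; confirm against the installed CRD
kind: GoogleCASIssuer
metadata:
  name: googlecasissuer-sample
  namespace: default
spec:
  project: my-gcp-project        # placeholder GCP project hosting the CA pool
  location: europe-west1         # placeholder region of the CA pool
  caPoolId: my-ca-pool           # placeholder CA pool to request signing from
  # Optional: a Secret holding a service-account JSON key with permission to
  # request certificates. Omit this block when the controller authenticates
  # via Workload Identity, which avoids keeping a long-lived key in the cluster.
  credentials:
    name: googlesa
    key: my-gcp-project-key.json
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-certificate
  namespace: default
spec:
  secretName: demo-cert-tls      # Secret that receives tls.key, tls.crt and ca.crt
  commonName: demo.internal.example
  dnsNames:
    - demo.internal.example
  duration: 24h                  # short-lived leaf, as in the post
  renewBefore: 8h                # cert-manager renews 8h before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:                     # the only CAS-specific part of the Certificate
    group: cas-issuer.jetstack.io
    kind: GoogleCASIssuer
    name: googlecasissuer-sample
```

Apply both with kubectl apply -f, then confirm the issuer reports Ready with kubectl get googlecasissuer and the Certificate reports READY True with kubectl get certificate demo-certificate (kubectl describe certificate shows the events if it does not). A practitioner’s check that the right CA actually signed it: decode tls.crt from the demo-cert-tls Secret and run openssl x509 -noout -issuer -dates on it, which should show the CAS CA as issuer and a notAfter 24h after issuance. To force a renewal ahead of schedule, kubectl cert-manager renew demo-certificate triggers the same path the automatic renewal uses.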
Project and service availability
You can give this a try today! The Google Cloud Certificate Authority Service is in public beta, and the CAS Issuer for cert-manager, developed and maintained by Venafi experts from Jetstack, is available and open source now.
If you would prefer an easier setup, keep an eye out for a supported offering in the Google Cloud Marketplace. We will share an announcement with all the details you need to get started when it is available.