cert-manager builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide ‘certificates as a service’ to developers working within your Kubernetes cluster. cert-manager is very popular with tens of thousands of users.
cert-manager can be used for many different use cases within your clusters, including mutual TLS (mTLS) between workloads, and for securing traffic from end users with ingress. cert-manager provides integrations with many different ways of obtaining those certificates, including Let’s Encrypt, Control Plane for Machine Identities, and a Certificate Authority issuer that allows for signing with a CA certificate obtained from any source.
CAS Issuer for cert-manager
Today we are announcing that we are adding another integration option: Google Cloud’s new Certificate Authority Service.
The Google Cloud Certificate Authority Service (CAS) provides:
- Private CAs “as a service” for internal workloads (as opposed to something like Let’s Encrypt where the certificates will be public)
- Automation and auditing
- Secure storage of the CA key, as Google CAS leverages HSMs that are FIPS 140-2 Level 3 validated
Read more about the full set of features in the product documentation.
How it works
Working closely with Google, we developed an external Issuer for cert-manager, in order to automate the lifecycle of certificates with a CAS-managed CA. The CAS Issuer is a separate controller to cert-manager and runs its own pod, enabling you to use the same interfaces to create and manage certificates in Kubernetes as you would publicly-trusted certificates (e.g. Let’s Encrypt).
```
kubectl get googlecasclusterissuers
NAME                            AGE
googlecasclusterissuer-sample   10s
```
You can now create certificates as normal; you just need to ensure the `issuerRef` is set to the Google CAS Issuer.
```sh
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-certificate
  namespace: default
spec:
  # The secret name to store the signed certificate
  secretName: demo-cert-tls
  # Common Name
  commonName: cert-manager.io.demo
  # DNS SAN
  dnsNames:
    - cert-manager.io
    - jetstack.io
  # Duration of the certificate
  duration: 24h
  # Renew 8 hours before the certificate expiration
  renewBefore: 8h
  # Important: Ensure the issuerRef is set to the issuer or cluster issuer configured earlier
  issuerRef:
    group: cas-issuer.jetstack.io
    kind: GoogleCASClusterIssuer
    name: googlecasclusterissuer-sample
EOF
```
In a short time, the certificate will be requested and made available to the cluster.
```
kubectl get certificates,secret
NAME                                          READY   SECRET          AGE
certificate.cert-manager.io/bar-certificate   True    demo-cert-tls   1m

NAME                   TYPE                DATA   AGE
secret/demo-cert-tls   kubernetes.io/tls   3      1m
```
The certificate in this example has a duration of 24h, and cert-manager will automatically renew it 8h prior to expiry. You could also manually renew it with the cert-manager kubectl plugin.
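As an added example (not code from the original post, from cert-manager or from the CAS Issuer), the following POSIX shell script runs the checks a practitioner would want once the kubernetes.io/tls secret appears: that tls.crt chains to the ca.crt stored alongside it, that tls.key matches it, that the dnsNames from the Certificate above are present as SANs, and whether renewal is already due under the 8h renewBefore. It assumes openssl on PATH and a directory holding the three secret keys as files; the function names, the fixture CA and the 24h leaf that make_fixture generates are constructed for this example so that it runs without a cluster.

```shell
#!/bin/sh
# Post-issuance checks for a kubernetes.io/tls secret written by cert-manager.
# Added example, not cert-manager or CAS Issuer code. Assumes openssl on PATH and
# a directory containing tls.crt, tls.key and ca.crt. Against a real cluster you
# would fill that directory from the secret, e.g.
#   kubectl get secret demo-cert-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
# Here a constructed CA and leaf are generated locally so the checks run offline.
set -eu

# Constructed fixture: a self-signed CA plus a 24h leaf carrying the SANs from
# the Certificate above. Prints the directory path.
make_fixture() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-demo-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cert-manager.io.demo" \
    -keyout "$dir/tls.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:cert-manager.io,DNS:jetstack.io\n' > "$dir/san.ext"
  openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/san.ext" -out "$dir/tls.crt" >/dev/null 2>&1
  echo "$dir"
}

# 1. tls.crt must verify against the ca.crt stored in the same secret.
check_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/tls.crt" >/dev/null 2>&1
}

# 2. The private key in tls.key must belong to the public key in tls.crt.
check_key_match() {
  crt_pub=$(openssl x509 -in "$1/tls.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1/tls.key" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}

# 3. Every requested dnsNames entry must appear as a DNS SAN (exact match per entry).
check_sans() {
  dir=$1; shift
  sans=$(openssl x509 -in "$dir/tls.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qx "DNS:$name" || return 1
  done
  return 0
}

# 4. Mirror renewBefore: succeed (exit 0) when the certificate expires within the
#    given number of hours, i.e. cert-manager would already be renewing it.
renewal_due() {
  ! openssl x509 -in "$1/tls.crt" -noout -checkend $(( $2 * 3600 )) >/dev/null 2>&1
}

# Run every check against a secret directory; returns non-zero if any check fails.
run_checks() {
  dir=$1
  failed=0
  check_chain "$dir"      && echo "chain to ca.crt: ok"     || { echo "chain to ca.crt: FAIL"; failed=1; }
  check_key_match "$dir"  && echo "key matches cert: ok"    || { echo "key matches cert: FAIL"; failed=1; }
  check_sans "$dir" cert-manager.io jetstack.io \
                          && echo "dnsNames present: ok"    || { echo "dnsNames present: FAIL"; failed=1; }
  renewal_due "$dir" 8    && echo "renewal (8h) due: yes"   || echo "renewal (8h) due: no"
  return "$failed"
}
```

Source the script and call `run_checks /path/to/secret-dir` against files pulled from the secret, or `run_checks "$(make_fixture)"` for the offline fixture. The exact-match SAN check matters because a substring test would let `DNS:cert-manager.io.example` satisfy a request for `cert-manager.io`.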
Project and service availability
You can give this a try today! The Google Cloud Certificate Authority Service is in public beta, and the CAS Issuer for cert-manager, developed and maintained by Venafi experts from Jetstack, is available and open source now.
If you would prefer an easier setup then keep an eye out for a supported offering in the Google Cloud Marketplace. We will share an announcement when it is available with all the details you will need to get started.