We’re delighted to announce the CNCF Technical Oversight Committee (TOC) has voted to accept cert-manager as a CNCF incubating project. This is a huge milestone for the community of developers that have maintained and contributed to the project, and is massively encouraging for the very many enterprise users of cert-manager who actively deploy cert-manager to their production environments. Venafi experts from Jetstack have worked closely and diligently with CNCF to reach this important point and we are very grateful to the CNCF and their Technical Oversight Committee (TOC) for their full endorsement.
Before being acquired by Venafi, Jetstack created the cert-manager project in 2015. It was kicked off by a few passionate engineers, who all instinctively saw the need to give developers a more automated and better integrated solution when issuing and renewing X.509 certificates for workloads deploying to a Kubernetes platform. What this small team started in 2015 has now grown to become the de facto open source solution for cloud native certificate management and is now a strategic solution for enterprises building with Kubernetes.
“cert-manager is probably one of the first applications you install on a Kubernetes cluster. The cert-manager maintainers aim to make this first experience as smooth as possible, while supporting the advanced use cases through our accompanying components, like csi-driver and approver-policy.” - Tim Ramlot, Software Engineer at Jetstack and cert-manager maintainer.
Some key stats on the project include:
- Widespread adoption, with 1.5 million downloads per day across industries including financial services, technology, retail, healthcare and manufacturing
- 9,500 GitHub stars
- Default installation on 86% of new production clusters
- A 99% approval rating from users across infrastructure of all kinds
- Integration with multiple certificate authorities (CAs), and alignment with multiple open source projects, including Cilium, Knative, SPIRE, Istio and Linkerd
- Contributions from commercial PKI solutions, such as AWS (PCA) and Google (CAS)
As well as the main cert-manager controller components to create certificates backed by Kubernetes Secrets containing the keys for your certificate, the project has evolved to include these additional components:
- csi-driver: cert-manager has several CSI driver implementations, such as csi-driver-spiffe, as well as the generic csi-driver, that deliver certificate key pairs to Pods in Kubernetes. There is also a CSI driver library that enables users to easily build their own opinionated CSI drivers.
- Issuers: cert-manager has a wide range of certificate issuers, including built-in integrations for third-party providers such as Let's Encrypt and Venafi, as well as external issuers including AWS Certificate Authority Service and Google (CAS).
- Approval API: The approval API is a mechanism in cert-manager to approve or deny certificate requests. Decisions on this API can be automated, as in the case of approver-policy, a CRD-based policy controller.
- trust-manager: As part of the cert-manager team’s initiative to improve trust distribution in Kubernetes, trust-manager is an early project intended to help users distribute CA bundles across multiple clusters.
On a personal note, I would like to say how proud I am of the Jetstack team, their dedication and continued commitment to open source excellence and thought leadership. We are humbled by the trust and support from our users and the community and this endorsement from the CNCF. Having now reached incubation status, we look forward to working further with the CNCF to fully establish cert-manager as the principal open source solution for modern machine identity security.
Come celebrate with us at KubeCon NA
If you will be in Detroit next week for KubeCon NA, the cert-manager team has its own booth in the CNCF Project Pavilion, so do drop by and speak directly with the team who maintain the project. We are always very keen to learn more about how cert-manager is used and you can pick up your very own hand-stamped digital certificate, issued directly by cert-manager.
The team is also hosting talks during the event, including a technical session on how to use cert-manager in conjunction with SPIFFE for edge clusters, and there will be a maintainer session for users to come learn more about the project and how to operate cert-manager at scale for multi-cluster production environments. We hope to see you there.