Wow! The success of cert-manager has surpassed my wildest dreams. When we came up with the idea to make certificate management easier for developers, we never dreamed that we would be creating a de facto standard for cloud native machine identity security. At the time, we just had a gut feeling that Kubernetes was going to be really, really big and that developers would need to streamline the process of deploying X.509 certificates in containers. We also suspected that we'd make security teams happy by giving them tools to assist in that ephemeral space. Little did we suspect that this would lead to runaway popularity that would drive 500 million downloads a month.
And now cert-manager has scored the ultimate cloud native validation as the Cloud Native Computing Foundation (CNCF) announces its graduation. This is a big deal coming from the CNCF, a well-recognized organization that builds sustainable ecosystems for cloud native software. Our project, cert-manager, will now sit alongside technical titans like Kubernetes, Istio and etcd. Amazingly, these are the very projects that inspired us to start the company Jetstack and launch the cert-manager project.
So what exactly did we create in cert-manager? Its main function is to help cloud native developers automate the issuance and renewal of TLS and mTLS (mutual TLS) certificates. By watching certificate resources in the cluster, requesting certificates from a configured issuer, storing them in Kubernetes Secrets and re-issuing them before they expire, cert-manager radically simplifies the lifecycle management of X.509 certificates on Kubernetes platforms. But it's valuable to security teams as well. By eliminating the manual process of generating and managing certificates, cert-manager helps ensure systems remain secure, with short-lived certificates rotated on schedule, without constant manual intervention.
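As an added example, not taken from the original post or from the cert-manager project's own documentation, here is the minimal set of cert-manager resources that implements the workflow just described: a self-signed bootstrap Issuer, an internal CA signed by it, a CA Issuer backed by that CA, and a short-lived mTLS leaf certificate whose renewal and key rotation cert-manager handles automatically. The namespace, resource names, durations and DNS names are placeholders chosen for illustration.

```yaml
# Added example (not from the post or the project). Namespace, names, durations
# and hostnames are placeholders; the field names are the cert-manager.io/v1 API.

# 1. Bootstrap issuer: signs the root CA below with the CA's own key.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-bootstrap
  namespace: payments
spec:
  selfSigned: {}
---
# 2. Internal root CA, stored in the Secret "internal-ca" (tls.crt / tls.key).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-ca
  namespace: payments
spec:
  isCA: true
  commonName: payments-internal-ca
  secretName: internal-ca
  duration: 8760h      # 1 year
  renewBefore: 720h    # re-issue the CA 30 days before it expires
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: Issuer
---
# 3. CA issuer that signs with the key in that Secret; every leaf chains to it.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: internal-ca
  namespace: payments
spec:
  ca:
    secretName: internal-ca
---
# 4. Short-lived mTLS leaf for a workload. Once the certificate is within
#    'renewBefore' of expiry, cert-manager requests a new one and updates
#    the Secret "ledger-api-tls" in place.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ledger-api
  namespace: payments
spec:
  secretName: ledger-api-tls
  duration: 24h
  renewBefore: 8h
  dnsNames:
    - ledger-api.payments.svc.cluster.local
  usages:
    - digital signature
    - server auth
    - client auth        # the same cert is presented as a client cert to peers
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always   # fresh key pair on every renewal, not only a new cert
  issuerRef:
    name: internal-ca
    kind: Issuer
```

After `kubectl apply -f` on the file, `kubectl get certificate -n payments` should show both Certificates with READY set to True, and `kubectl describe certificate ledger-api -n payments` lists the scheduled renewal time. The workload mounts the Secret `ledger-api-tls` (keys `tls.crt`, `tls.key` and `ca.crt`) and must reload its TLS material when the mounted files change, or renewal will silently leave it serving the old certificate until restart. `rotationPolicy: Always` is the setting a security reviewer should look for: without it, renewals reuse the existing private key, so a key compromised once stays compromised across renewals.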
And how did we get to this point? Here’s a brief history. We created cert-manager in 2017 at Jetstack, which is now a part of Venafi, a CyberArk company. We then donated cert-manager to CNCF, and it was accepted into the CNCF Sandbox in November 2020. Over the past four years, it has continued to grow, bringing in new maintainers, expanding its user base, and adding key features in response to community needs. It has built a network of more than 450 contributors and issued more than 200 releases. It moved to the Incubating maturity level in 2022 and today plays a vital role in the CNCF ecosystem by integrating with other projects like Kubernetes, SPIFFE, Istio, Prometheus, and Envoy to strengthen cloud native infrastructure security across diverse environments.
And now cert-manager has graduated. But honestly, we never set out to gain graduation, we simply aimed at putting ourselves in a position to make a success of an open source company. But we were always focused on what developers needed to accelerate machine identity security. If I look back to my notes from 10 years ago, the ‘grand’ strategy was simple:
- Make money from services around Kubernetes
- Spot security gaps in how people use Kubernetes
- Fill them with open source and make it a success in the community
- Build proprietary features around that project and sell as ARR
Amazingly, via the ‘start-up squiggle’ this has roughly come to pass.
Not only do we have billions of downloads a year, but we've also seen dozens of companies using our extended enterprise-grade product, TLS Protect for Kubernetes, to their advantage. This solution helps security teams monitor and secure instances of cert-manager by providing discovery, observability, control and consistency of cloud native machine identities across complex multi-cloud and multi-cluster environments. TLS Protect for Kubernetes also monitors the health, status and configuration of cert-manager across all Kubernetes clusters, regardless of the cloud platform or configuration used.
Plus, we have seen the amazing value of this open source project for developers. User research suggests 86 percent of new production clusters are created with cert-manager deployed as standard practice to manage the issuance and renewal of TLS and mTLS certificates. It has subprojects to help with a variety of tasks, including secretless issuance (delivering certificates to pods without writing them to Kubernetes Secrets), trust store management, and certificate policy enforcement. It has also extended support to external issuers such as AWS Private CA, Google CAS and HashiCorp Vault, while integrating with service meshes to enhance security across cloud native environments.
That’s quite a pedigree for the ambitious little project that we started seven years ago as a little upstart in London. In the process we’ve had ups, downs and many laughs, but have also watched in awe as the cloud native ecosystem grew to become the very foundation of IT infrastructure as we know it.
None of this would be possible without the ability to attract and hire the best, and I’m immensely proud and grateful to the team we managed to build, all of whom played their role in helping us to get here.
We’ve graduated and now as part of the CyberArk family, the leader in identity security, cert-manager is helping provide the foundation for an even broader set of capabilities for securing machine identities. I’m excited about the future and as I look forward to the next 10 years in cloud native, I’m wondering who is building the next CNCF project or starting the next Jetstack, ready to disrupt and innovate their way to secure the future of cloud infrastructure. Whoever it is, good luck!