In November last year we announced cert-manager integration with the new Google Certificate Authority Service (CAS) that was in public preview. Google has now announced General Availability (GA) of its CAS which provides:
- Private CAs “as a service” for internal workloads (as opposed to something like Let’s Encrypt where the certificates will be public)
- Automation and auditing
- Secure storage of CA keys, as Google CAS leverages HSMs that are FIPS 140-2 Level 3 validated
Google's announcement that CAS is now fully available adds another issuer to cert-manager, giving customers more flexibility and choice when selecting a PKI solution for automated X.509 certificate issuance and renewal on Kubernetes and OpenShift.
With Google CAS available as a cert-manager issuer, platform teams can standardize on cert-manager for all X.509 certificates across their infrastructure, public and private alike. This matters most when deploying workloads across multiple clouds: cert-manager is CA-agnostic, so the same Certificate resources and automation secure workloads in each new environment regardless of the underlying provider, with only the issuer reference changing.
Private PKI and Cloud Native
Enterprise platform teams running cloud native infrastructure on Kubernetes increasingly want to automate private PKI and distribute certificates for secure inter-workload communication at scale. In a service mesh such as Istio, for example, workloads authenticate each other mutually using short-lived X.509 TLS certificates. With cert-manager's range of issuers and its support for Istio, GCP customers now have the additional option of backing that private PKI with Google's own CAS while keeping the widely adopted cert-manager open source workflow.
Google CAS joins the range of community issuers that integrate with cert-manager for private PKI use cases, which include Venafi, HashiCorp Vault and AWS PCA. Multi-cloud infrastructure continues to be a key growth area as companies build with a combination of cloud providers. Having immediate access to a range of certificate issuers lets these companies offer different PKI capabilities to different internal teams or environments, and lets development teams combine private and public PKI where needed.
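As an added illustration of the points above (this is not code from the original post or from the cert-manager or google-cas-issuer projects), here is what wiring a short-lived workload certificate to Google CAS looks like in cert-manager: a Secret holding the service-account key, a GoogleCASIssuer that points at a CA pool, and a Certificate that selects that issuer through issuerRef. The project, location, pool, namespace and secret values are placeholders, and the GoogleCASIssuer field names and API version follow the jetstack/google-cas-issuer sample manifests as I know them; confirm them against the version of the issuer you deploy.

```yaml
# Added example: issue a short-lived workload certificate from Google CAS
# through cert-manager. Project, location, pool, namespace and secret
# values are placeholders (assumptions), not real identifiers.
---
# Service-account key the issuer uses to call the CAS API. The account
# needs permission to request certificates from the pool. For the
# namespaced GoogleCASIssuer the Secret lives in the issuer's namespace.
apiVersion: v1
kind: Secret
metadata:
  name: googlesa
  namespace: default
type: Opaque
data:
  # base64 of the service-account JSON key file (placeholder value)
  project-name-sa-key.json: <base64-encoded-json-key>
---
# The issuer resource provided by google-cas-issuer (assumed API version).
apiVersion: cas-issuer.jetstack.io/v1beta1
kind: GoogleCASIssuer
metadata:
  name: googlecasissuer-sample
  namespace: default
spec:
  project: my-gcp-project        # placeholder GCP project id
  location: europe-west1         # region of the CAS CA pool
  caPoolId: my-pool              # placeholder CA pool to issue from
  credentials:
    name: googlesa               # Secret created above
    key: project-name-sa-key.json
---
# A standard cert-manager Certificate; only issuerRef ties it to CAS.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-workload
  namespace: default
spec:
  secretName: demo-workload-tls  # cert-manager writes the key pair here
  commonName: demo.default.svc.cluster.local
  dnsNames:
    - demo.default.svc.cluster.local
  duration: 24h      # short-lived, as mesh workload certificates are
  renewBefore: 8h    # cert-manager renews well before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
  usages:
    - server auth
    - client auth    # both directions, so the cert works for mTLS
  issuerRef:
    group: cas-issuer.jetstack.io   # required for an external issuer
    kind: GoogleCASIssuer
    name: googlecasissuer-sample
```

After applying the manifests, `kubectl get certificate demo-workload` should report READY as True once CAS has signed the request, and `kubectl describe certificate demo-workload` surfaces issuer errors (wrong pool, missing IAM permission, bad key) in the resource's conditions and events. Swapping the issuerRef to a Vault, Venafi or AWS PCA issuer leaves the rest of the Certificate unchanged, which is the CA-agnostic property the post describes.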
Ready for TLS Protect for Kubernetes
Google CAS and cert-manager integration is available today with TLS Protect for Kubernetes. TLS Protect for Kubernetes provides a control plane with configuration controls and visibility across a fleet of clusters, giving platform and security teams detailed views of operational and security posture. For instance, it shows each X.509 certificate's configuration and status and surfaces errors and warnings, including the health of each cert-manager instance and of the CAS issuer. This is delivered through a web-based management interface, with the option to route alerts to Slack. TLS Protect for Kubernetes helps prevent the use of misconfigured certificates, provides consistency at scale as the volume and variety of certificate requests grows, and hardens the enterprise security posture by supporting the platform team's implementation of best practices.
One-click install and upgrade at GCP Marketplace
GCP customers can now deploy a fully integrated package, including cert-manager and the Google CAS issuer, directly from the GCP Marketplace. TLS Protect for Kubernetes then provides full visibility of all CAS-issued certificates, including status and details, across multiple clusters.