Private PKI and Cloud Native
Enterprise platform teams running cloud native infrastructure with Kubernetes are increasingly looking to private PKI automation to distribute certificates for secure inter-workload communications at scale. For example, with service mesh such as Istio, workloads can be mutually authenticated using short-lived X.509 TLS certificates.
In addition, multi-cloud infrastructure continues to be one of the key areas of growth as companies look to build with a combination of cloud providers. Having immediate access to a range of certificate issuers allows these companies to provide different PKI capabilities to different internal teams or environments. This allows development teams to easily use a combination of both private and public PKI when this is needed.
On July 8, Google Cloud announced general availability (GA) of its Certificate Authority Service (CAS) which provides private CAs “as a service” for internal workloads. This approach is different than a CA like Let’s Encrypt where the certificates are public. Google CAS also includes automation, auditing and secure storage of CA keys, as Google Cloud CAS leverages HSMs that are FIPS 140-2 Level 3 validated.
Automating certificate lifecycles in Google CAS
Through an integration announced last November, cert-manager has Google CAS support for Google CAS and provides full lifecycle automation of certificates with a CAS-managed CAs. Essentially, The CAS Issuer works using a separate controller to cert-manager and runs its own pod, enabling developers to use the same Kubernetes-native interfaces to create and manage certificates in Kubernetes as they would use for publicly trusted certificates.
With cert-manager’s range of issuers and support for Istio service mesh, Google Cloud customers now have the additional option to integrate Google’s own private PKI service in CAS to work with the already highly popular cert-manager open source solution.
Having Google Cloud CAS act as a cert-manager issuer gives platform teams even more confidence to standardize on cert-manager fully throughout the infrastructure for all X.509 certificates—public and private. This is particularly relevant when deploying workloads across multi-cloud environments, since cert-manager is CA-agnostic and is ideal to easily secure workloads across new environments, irrespective of the underlying service provider infrastructure.
Ready for TLS Protect for Kubernetes?
Google Cloud CAS and cert-manager integration is available today with TLS Protect for Kubernetes. TLS Protect for Kubernetes provides a control plane with configuration controls and visibility across a fleet of clusters, providing platform and security teams detailed views of the operational and security posture. For instance, TLS Protect for Kubernetes will provide extra visibility of each X.509 certificate, in relation to its configuration and status, and surface errors and warnings, including the health of each instance of cert-manager and the CAS issuer. This is all based around an intuitive web-based management interface, with the option to direct alerts to Slack. TLS Protect for Kubernetes will prevent misuse of badly configured certificates, provides consistency at scale to manage increasing volumes and a variety of certificate requests, and hardens the enterprise security posture by supporting the platform team's need to implement best practices.
One-click install and upgrade at Google Cloud Marketplace
Google Cloud customers can now deploy a fully integrated package, including cert-manager and the Google Cloud CAS issuer, direct from the Google Cloud Marketplace. TLS Protect for Kubernetes for cert-manager includes access to the TLS Protect for Kubernetes service, and provides full visibility of all CAS certificates, including status and details, across multiple clusters.