DevOps and engineering teams are adopting cert-manager because it simplifies Kubernetes certificate management. However, these developers aren’t necessarily experts in machine identities, and they don’t have the experience in configuring providers and operating settings. This can slow the adoption of cert-manager and, when it is used with Venafi machine identity management, make it harder for the security team to get fast, easy adoption of cert-manager connected to enterprise policy.
To address this challenge, Venafi sought to fund a project that would make it easy to set up cert-manager and the Venafi issuers with a single command-line operation. This was the beginning of a concentrated effort of the Machine Identity Management Development Fund to fuel projects that would make one line of code for machine identities a reality for leading organizations everywhere.
That is how OpenFaaS Ltd joined the Dev Fund! OpenFaaS is a software company focused on Cloud Native technology, open-source innovation, and developer experience. They host half a dozen high-profile OSS projects like openfaas, inlets, k3sup, derek and arkade as well as provide enterprise add-ons and commercial support. Not long ago I got to catch up with Alex Ellis, Founder of OpenFaaS, about the arkade Development Fund project and the “real world” of open-source developers.
Quick background. Describe OpenFaaS and arkade.
Alex: OpenFaaS makes it easy for developers to deploy event-driven functions and microservices to Kubernetes without repetitive, boilerplate coding. Developers can package their code or an existing binary in a Docker image to get a highly scalable endpoint with auto-scaling and metrics. The project has around 27k GitHub stars, over 330 contributors and a growing number of end-users in production.
arkade is an open-source project by OpenFaaS that is focused on making Kubernetes more accessible and easier to use for developers and IT teams. arkade packages around 40 different Kubernetes apps and 50 CLIs—all of which reduce the amount of typing and barrier to entry for users.
Each application can be combined with others for a compounding benefit. For instance, when I wrote a blog post for a client in 2019, it took 5000 words to set up a secured container registry with cert-manager. With arkade that becomes 5 simple command lines to achieve the same result.
The project is actively maintained, has a growing presence and community with around a dozen contributors and several commercial sponsorship opportunities.
We always hear about developers’ need to go fast, which may tempt them to bypass InfoSec policies because they can be a bottleneck. Is that a real thing?
Alex: Yeah, I do see that happening. And it’s not because they’re not into security or don’t want to follow policies. When you're deploying an application to Kubernetes, there’s so much involved to get things working, that security can be postponed, or shunted over to another team to take care of. Adding a TLS machine identity is easier than it was, because of cert-manager, but it's still not trivial. I see consulting and support customers who have never used Kubernetes before getting absolutely overwhelmed by the technical terms alone, which for some reason are different to other platforms. An Ingress Controller is known as a reverse proxy everywhere else, and the addition of “Custom Resources” means that each project can add its own set of new terms that need to be studied and applied correctly.
If you're on a public cloud, then arkade means you can deploy cert-manager, ingress-nginx, OpenFaaS, and get a certificate from Let’s Encrypt very, very quickly. All without leaving the terminal. The alternative takes a lot more effort, and because of where we are on the adoption curve of Kubernetes, very often people just want to get started.
Where we looked at making that better through the Development Fund project was to bring in the open source Ingress Controllers: Kong and NGINX, Inc., so that they were available for Venafi customers and the community alike. That was one of the benefits that OpenFaaS brought. We wanted to bring that same experience to Global 5000 companies, so it was great that Venafi connected with us and said, "Well, what if we could get a machine identity using Venafi issuers as quickly and easily as what you've been able to do with Let's Encrypt and cert-manager?"
Describe the approach you took to scoping out the project.
Alex: When we looked at the code for that type of integration, there was lots of text you had to copy and paste from the docs written in YAML, which developers love to hate now. If you get the indentation wrong by one character in YAML, it may fail silently, or it may fail and tell you the error is on line one when it's on line 30. Developers just don't get on with it. YAML in itself isn't evil, but when you have one that's very nested and very complex, it's difficult for humans to work with it. In addition, the documentation encouraged developers to type in secure passwords on the command-line, which are often cached and thus represent a security risk.
If you were a Global 5000 developer and you wanted to deploy a Venafi issuer for cert-manager, that was the state of play. So, we said, "Okay, can we apply the arkade principle of one command line to get a job done?" That's where we defined this project, came up with the developer experience, using my background from building developer tools like OpenFaaS. We could then use the “arkade venafi install” command and get the Trust Protection Platform (TPP) issuer installed. The TPP issuer can obtain and manage TLS certificates and machine identities from your existing Certificate Authority infrastructure.
The second part of that project was to integrate with Venafi as a Service as a cert-manager issuer. In that scenario, you just put it in a different parameter—the API key and Application information, then you can get certificates using Venafi as a Service. This is important because certificates obtained from Let’s Encrypt are limited to 90 days, and Global 5000 companies prefer a longer duration like 12 months, which is possible through Venafi’s solution.
And what about those passwords that the docs wanted us to type in on the command-line? We provided an alternative: by simply adding flags such as “--secret-file”, the secret could be read from a file, mitigating the risk.
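The point about secrets typed on the command line is worth making concrete. The POSIX shell helper below is an added example, not arkade's code or anything Alex described in detail; it shows what a “--secret-file” style option buys you: the secret never appears as a process argument (where shell history and `ps` would expose it), and the helper refuses files that other users on the host can read. The function name and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not arkade's own code): read a secret from a file the way a
# --secret-file flag would, instead of taking it as a command-line argument.

# read_secret_file FILE
# Prints the secret on stdout and returns 0, or prints a reason on stderr and
# returns 1 when the file is missing, empty, or readable by group/others.
read_secret_file() {
  file="$1"
  if [ ! -f "$file" ]; then
    echo "secret file not found: $file" >&2
    return 1
  fi

  # Only accept files that nobody but the owner can read (mode 0600 or 0400).
  # GNU stat uses -c '%a'; BSD/macOS stat uses -f '%Lp'. Try both.
  perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$perms" in
    600|400) ;;
    *)
      echo "refusing $file: mode $perms is readable by others (want 0600)" >&2
      return 1
      ;;
  esac

  # Command substitution strips the trailing newline an editor leaves behind.
  secret=$(cat "$file")
  if [ -z "$secret" ]; then
    echo "secret file is empty: $file" >&2
    return 1
  fi

  printf '%s' "$secret"
}

# Hypothetical usage: hand the value to a tool through its environment or an
# option that expects a file, never as a literal on the command line.
#   TPP_PASSWORD=$(read_secret_file "$HOME/.venafi/tpp-password") || exit 1
```

The mode check is the part people usually skip: a secret file that is readable by every local user is only marginally better than a secret in `~/.bash_history`. Creating the file with `umask 077` before writing it, or `chmod 600` afterwards, satisfies the check.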
The whole certificate timeframe must be an issue, I think, and goes back to the classic “security vs. convenience” debate. Developers need machine identities now and InfoSec needs visibility and to ensure compliance for those identities.
Alex: Yeah. And it's just a bit less of a cognitive load as well. I think you could find one of the providers that creates certificates on a paid basis, similar to Let's Encrypt, but paid. All this just to have it for a year. Why not?
As a developer and as a company, I don't want to be thinking about that running out every three months and making sure all my automation is in order. So that's some of the value that our project brought, and we basically just made it much, much easier to get that benefit out of cert-manager, and other Development Fund projects that Venafi has done with Jetstack in the past.
On the other hand, the two Venafi products that we integrated with enable a security practitioner within the organisation to define a policy on the certificates that the development or ops team deploy, which also includes the standard auditing and Role-Based Authorization Control (RBAC) features.
Has arkade been well-received in the developer community?
Alex: It has a lot of developer love, because when it comes to Kubernetes, even with something as well-received as cert-manager, you're running five or six commands before you've got it on your system. Here’s a typical scenario: You've got to go to the docs. How do you get to the docs? You Google it. Then you have to click through the index to find the bit about helm. Then you have to copy and paste it in and read everything and think about it. What we do is give you the option to say “arkade install cert-manager”, and the job is done. Now on a singular level, you might go, "Well, Alex, what's the point of that, because I could just spend 20 minutes and get it?" Well, there's a compound effect. If you need Kong, cert-manager, Venafi’s Trust Protection Platform (TPP) Issuer, the Kubernetes Dashboard, OpenFaaS, and an Ingress definition for OpenFaaS, all of those 20-minute tasks add up. arkade makes each of them a single command. We can compound that time savings, and almost like interest or stock market, it's going up in value over time. We've now got over 50 open-source apps. Two of those were added through the Venafi Development Fund project just to benefit the greater community.
Want to know more? You can start by visiting arkade by OpenFaaS today on the Venafi Marketplace.
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.