Managing and automating machine identities for cloud native environments with cert-manager is popular. Hugely popular. Over 500 million downloads a year! Let’s talk a bit about what it does and why it’s so widely used.
At the turn of the year, in its End User Technology Radar (a guide for evaluating cloud native technologies, on behalf of the CNCF End User Community) cert-manager was highlighted as being the go-to platform for secrets management amongst Kubernetes users. A massive coup given its relative infancy.
And whilst our cert-manager team were obviously thrilled to learn that our open-source project had become so widely deployed, what was perhaps even more encouraging was that certificate management was so high on the agenda for many that had turned to Kubernetes’ orchestration capabilities.
But for those new to the world of certificate management—what even is cert-manager? And why is it downloaded by Kubernetes users more than 500 million times a year?
To put what cert-manager does into context, you’ll first need to be familiar with Public Key Infrastructure (PKI)—the unsung hero of cybersecurity. But don’t worry, if you’re yet to come across the term this article will bring you up to speed. However, for those that are already up close and personal with the world of cryptography and certificate authorities (CAs), let’s crack on.
What is cert-manager?
Cert-manager is an open source project—originally created by Jetstack—that manages X.509 certificates specifically for cloud native Kubernetes or OpenShift environments. And as noted in a CNCF blog published earlier in the year, this functionality has become somewhat synonymous with machine identity management for those operating cloud native environments.
X.509 certificates are what TLS uses to prove a web application’s identity to a user’s browser and to set up an encrypted connection between the two. Public Certificate Authorities (CAs) such as Let’s Encrypt issue them as part of a PKI, and for most people the first place they need one in Kubernetes is the Ingress, where TLS is terminated before traffic reaches the cluster’s workloads (not sure what an Ingress is? Check out this article).
In an alternative universe without cert-manager, requesting a certificate, installing it as a Kubernetes Secret and remembering to renew it before it expires is an onerous, error-prone task—and an expired certificate takes the application offline just as surely as a crash does. Fortunately, back in the real world, cert-manager automates the whole lifecycle: it integrates with popular certificate issuers (both public ACME CAs such as Let’s Encrypt and private CAs), requests certificates on your behalf, stores them as Secrets and renews them ahead of expiry. Meaning you can issue or renew certificates without lifting a finger.
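To make that concrete, here is the smallest realistic Ingress setup, written as an added example for this page rather than taken from the cert-manager documentation: a cluster-wide ACME issuer pointed at Let’s Encrypt’s staging endpoint, and an Ingress carrying the one annotation that tells cert-manager to obtain and renew the certificate for it. The hostname `www.example.com`, the email address, the Secret names and the `nginx` ingress class are placeholders; substitute your own.

```yaml
# Added example (not from the page). A ClusterIssuer is cluster-scoped, so any
# namespace can reference it. The staging endpoint issues untrusted certificates
# but is not rate-limited; switch to the production URL only once this works.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com                     # placeholder: expiry notices go here
    privateKeySecretRef:
      name: letsencrypt-staging-account-key    # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx            # field is `class` on cert-manager < 1.12
---
# The annotation is all the application team has to add. cert-manager's ingress-shim
# creates a Certificate named after `secretName`, completes the HTTP-01 challenge
# through the same ingress controller, writes the resulting key pair into the
# Secret `web-tls`, and renews it before expiry.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - www.example.com                      # placeholder: must resolve to the ingress
      secretName: web-tls
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web                      # placeholder Service name
                port:
                  number: 80
```

Apply both with `kubectl apply -f`, then check progress with `kubectl describe certificate web-tls` and `kubectl get certificaterequest,order,challenge -n default`: a Certificate whose `Ready` condition stays `False` almost always means the HTTP-01 challenge could not be reached, which is a DNS or ingress-class problem rather than a cert-manager one.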
The popularity of cert-manager comes from the fact that it solves a genuine problem: it automates a task that developers would otherwise have to script themselves or perform by hand, freeing them to focus on building better and faster. As such, development team productivity increases, certificates are renewed reliably rather than left to expire, and web applications stay available over TLS.
Its tremendous rise in popularity across the cloud native ecosystem motivated Jetstack to donate cert-manager to CNCF in November last year. Commenting on the switch, Jetstack’s CTO, Matthew Bates, was quoted as saying:
“Cert-manager is widely used; it has a large user base and following, and projects across the ecosystem integrate with it. Jetstack, with the support of our parent company Venafi, believes such a foundational component belongs in the CNCF, with its vendor-neutrality, alongside many of the projects that rely on it and would benefit from a close collaboration. Being part of the CNCF will enable the project to attract a diverse contributor base and help to promote partnership and cooperation with many ecosystem projects, including those in the CNCF.”
What are other use cases for cert-manager?
Ingress protection is essential for the safe, secure management of workloads in Kubernetes—and this core use case has been instrumental towards cert-manager’s rise in popularity. However, it’s not the only way that developers can use the tool to automate workloads.
There are two other use cases worth exploring.
The first use case is for enforcing protection through mTLS (Learn about mTLS).
In production environments, developers often build internal workloads that are never exposed through an Ingress—and these still need to be protected. Enter mTLS between pods: each side of a connection presents its own certificate and verifies the peer’s, so a workload only accepts traffic from peers holding a certificate issued by a CA it trusts. This type of deployment protects workloads against attacks from within the cluster, not just from outside it. Larger companies with established CISO departments see the use of mTLS as essential to reinforce protection and underpin zero trust networking principles.
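The mTLS case needs a private CA rather than a public one, because the names involved (`ledger.payments.svc.cluster.local`) are not reachable from the Internet and no public CA will issue for them. The following is an added example of how that looks with cert-manager, not code from the page or the project: a self-signed bootstrap issuer mints an in-cluster CA, a CA issuer signs with it, and a short-lived leaf certificate marked for both server and client authentication is issued for a workload. The namespace `payments`, the `ledger` service and all Secret names are placeholders.

```yaml
# Added example (not from the page). Step 1: a self-signed issuer exists only to
# create the CA below; nothing else should ever reference it.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-bootstrap
  namespace: payments
spec:
  selfSigned: {}
---
# Step 2: the CA certificate. `isCA: true` sets the basicConstraints CA flag;
# the key pair lands in the Secret `payments-ca` (tls.crt / tls.key).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-ca
  namespace: payments
spec:
  isCA: true
  commonName: payments-internal-ca
  secretName: payments-ca
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: Issuer
---
# Step 3: a CA issuer that signs with that key. For production, swap this for an
# issuer backed by the CA your organisation already runs (cert-manager supports
# Vault and Venafi issuers among others) so the root key never lives in a Secret.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: payments-ca
  namespace: payments
spec:
  ca:
    secretName: payments-ca
---
# Step 4: the workload certificate. Both `server auth` and `client auth` are
# required for mTLS, since the same pod acts as server for inbound calls and as
# client for outbound ones. A 24h lifetime renewed 8h early keeps the blast
# radius of a stolen key small; cert-manager handles the rotation.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ledger-mtls
  namespace: payments
spec:
  secretName: ledger-mtls
  duration: 24h
  renewBefore: 8h
  dnsNames:
    - ledger.payments.svc.cluster.local      # placeholder Service DNS name
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth
  issuerRef:
    name: payments-ca
    kind: Issuer
```

The issued Secret `ledger-mtls` contains `tls.crt`, `tls.key` and `ca.crt`; mount it into the pod and configure the application (or its sidecar) to present `tls.crt`/`tls.key` and to verify peers against `ca.crt`. Rotation only helps if the process re-reads the files: a server that loads the key pair once at start-up will keep serving the old certificate until it is restarted, so check with `openssl s_client -connect ledger.payments:8443 -CAfile ca.crt` after the first renewal that the `notAfter` date actually moved.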
Managing workloads in a service mesh
Related to mTLS, the growing popularity of service mesh (Learn about service meshes) tooling is the second use case for cert-manager.
Indeed, the tool is a natural integration point for different service meshes such as Istio or Linkerd. A mesh already performs mTLS between its sidecars; what it needs from outside is a CA to issue those workload certificates, and by default each mesh ships with its own built-in one. Pointing the mesh at cert-manager instead means the certificates underpinning every encrypted hop in the mesh come from an Issuer you control and audit—whether that is an in-cluster CA or your corporate PKI. For Istio this is done through istio-csr, a cert-manager sub-project that lets istiod obtain certificates from cert-manager; for Linkerd, cert-manager issues and rotates the identity issuer certificate that Linkerd’s own identity service signs with. That is something cert-manager is best placed to provide in cloud native environments.
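As an added illustration of the mesh case (this is not code from the page; it follows the shape of Linkerd’s documented cert-manager integration, so verify the names and the install flag against the Linkerd version you run), here is the Linkerd variant: a trust anchor held in a Secret, a CA issuer that signs with it, and an intermediate CA certificate that Linkerd’s identity service uses to sign the per-pod certificates it issues to proxies. The trust anchor key pair itself is assumed to have been generated offline beforehand.

```yaml
# Added example (not from the page). Assumes the trust anchor has already been
# created, e.g. from files produced offline:
#   kubectl create secret tls linkerd-trust-anchor --cert=ca.crt --key=ca.key -n linkerd
# Keep ca.key off the cluster afterwards; only the Secret needs it, and even that
# can be replaced by a Vault/Venafi-backed Issuer.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor
---
# The identity issuer is itself a CA (isCA: true) with `cert sign` usage, because
# Linkerd's identity service signs proxy certificates with it. cert-manager renews
# it automatically; Linkerd reloads the Secret, so rotation needs no restart.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
    - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
    - cert sign
    - crl sign
    - server auth
    - client auth
```

Linkerd is then installed telling it not to generate its own issuer, roughly `linkerd install --identity-trust-anchors-file ca.crt --identity-external-issuer | kubectl apply -f -`. The trust anchor’s public half still has to be handed to the proxies so they can validate peers; only the signing key stays behind the Issuer. The same division of labour applies to Istio via istio-csr: the mesh owns the data plane and the decision to enforce mTLS, cert-manager owns issuance and renewal.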
Standardise your approach to certificate management
Whilst cloud-native deployments continue to grow in popularity—both for new and existing applications—many enterprises, stung by previous experiences, have used this as an opportunity to avoid vendor lock-in and deploy a multi-cloud approach.
Fortunately, as a cloud agnostic, open-source solution, cert-manager can be deployed without worry. No matter your underlying technology stack, cert-manager can be used to help you to standardise your approach to certificate management.