
Jetstack’s cert-manager Joins the CNCF Sandbox of Cloud Native Technologies

25 Nov 2020 4:00am, by

Honeycomb is sponsoring The New Stack’s coverage of Kubecon+CloudNativeCon North America 2020.

The Cloud Native Computing Foundation (CNCF) has added yet another sandbox project to its portfolio of emerging cloud native computing technologies: cert-manager, a native certificate-management controller for Kubernetes and Red Hat OpenShift. The sandbox is a place for experimentation with early-stage projects before they advance to incubator status.

Created by London-based professional services company Jetstack three years ago, cert-manager automates the management of x509 machine identities within Kubernetes and OpenShift.

Salt Lake City-based Venafi, a vendor of certificate and key management for machine-to-machine connections, acquired Jetstack in May. The project recently released v1.0 and Jetstack announced enterprise support.

“It’s been several years in the making to get to 1.0, and we’re hugely thankful to a community of over 250 contributors, and many end-users, to get it to where it is today. This is a foundational add-on to many Kubernetes and OpenShift clusters, and the project will benefit from being part of the CNCF and its ecosystem,” said Matt Bates, CTO and co-founder of Jetstack. The project has 6,600 stars on GitHub.

He said the Jetstack team, while helping clients use Kubernetes, saw certificate management as an interesting problem posed on GitHub. They gave the problem to a job candidate, James Munnelly, who over one weekend came up with the early bones of Kube-Lego for automating Let’s Encrypt TLS-enabled web services running in Kubernetes. (And yes, he got the job!)

While Kube-Lego was popular for a few years, the team wanted to extend the project to support various types of certificate authorities (CAs), including private ones used internally at companies.

That involved using the custom resource definitions (CRDs) built into Kubernetes to extend the Kubernetes API.

“The aim was to be extensible, that we could make certificate authorities part of the Kubernetes API. So make them a first-class citizen, so they could be managed in the same way the developers could manage their infrastructure,” Bates said.

With cert-manager, security teams can offer self-service “certificates-as-a-service,” making it easy for developers working with a Kubernetes cluster to request machine identities to secure applications. A single API interacts with multiple public and private certificate authorities, and cert-manager handles the automation of the certificate lifecycle. Users can obtain certificates from a variety of issuers and ensure that they are valid, up-to-date and renewed at a configured time.

It supports ACME (Let’s Encrypt), HashiCorp Vault, Venafi, self-signed and internal certificate authorities. It also can support custom, internal and otherwise unsupported CAs.
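To make the CRD-based model described above concrete, here is an added example (not from the article or the cert-manager project’s own documentation): an Issuer backed by a private CA and a Certificate that cert-manager keeps renewed ahead of expiry. The namespace, resource names, hostnames and the pre-existing CA Secret are assumptions.

```yaml
# Added example: a private CA exposed as a Kubernetes Issuer, plus a
# Certificate request against it. Names, namespace and hostnames are assumed.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: internal-ca
  namespace: payments
spec:
  ca:
    # Secret containing the CA's tls.crt and tls.key (assumed to exist)
    secretName: internal-ca-keypair
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api
  namespace: payments
spec:
  secretName: payments-api-tls   # issued key pair is written to this Secret
  duration: 2160h                # 90-day lifetime
  renewBefore: 360h              # renew 15 days before expiry
  dnsNames:
    - payments-api.payments.svc
    - payments-api.payments.svc.cluster.local
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always       # generate a fresh private key on each renewal
  usages:
    - server auth
    - client auth
  issuerRef:
    name: internal-ca
    kind: Issuer
    group: cert-manager.io
```

Pointing `issuerRef` at an ACME or Venafi issuer instead changes the CA without touching the workload, which is the single-API property the article describes. Check the resulting object with `kubectl describe certificate payments-api -n payments`, whose Ready condition and status fields show whether issuance succeeded and when the next renewal is scheduled.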

It’s just the latest CNCF sandbox project. Others joining recently:

  • In June, LitmusChaos, a cloud native chaos engineering framework for Kubernetes.
  • In August, Rancher’s K3S, a slimmed-down Kubernetes distribution for resource-constrained environments such as edge deployments.
  • And earlier in November, Kyverno, the open source Kubernetes-native policy engine built by Nirmata.

“We just saw cert-manager as being a very foundational component to many Kubernetes and OpenShift clusters… that should belong in the foundation where it can sit alongside and cooperate with other projects that wish to use it,” Bates said.

“We’ve already worked with a number of projects; we’ve already got integration with Microsoft’s Open Service Mesh. And we’re looking forward to some integrations with projects like SPIFFE and SPIRE, as well as Kyverno. I think being in the foundation gives a lot of people the confidence that they can use this code, [that] the project is managed in the best interest of the community, it’s vendor-neutral.”

Image by Manfred Richter from Pixabay.
