cert-manager is a cloud native certificate management tool that automatically issues and renews X.509 machine identities as first-class resource types within Kubernetes. To do this, cert-manager needs to be deployed inside a Kubernetes cluster. Once inside, cert-manager can issue and renew certificates for all the machine identities contained within a cluster, no matter how short their lifespans become.
Organizations that use cert-manager reduce the likelihood of certificate-based outages and secure their workloads by verifying all the machine identities contained within a Kubernetes cluster. Without cert-manager, manually finding and configuring TLS certificates is ridiculously burdensome and time-consuming. Thankfully, cert-manager solves this very real issue that developers face on a near constant basis!
How does cert-manager work?
To quote cert-manager directly, “cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.” It enables encrypted communication for cloud native workloads by issuing and renewing certificates obtained from a PKI.
In terms of flow, an Issuer is a Kubernetes resource that represents a certificate authority. This is the resource type that signs certificates when cert-manager submits a request to it. A Certificate resource specifies the certificate that is required: how long it should be valid for, when it should be renewed, and which Issuer should sign it. Once issued, the resulting certificate and its private key are stored in a Kubernetes Secret.
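The Issuer / Certificate / Secret flow described above, as an added example (not from this page or the cert-manager project): a self-signed Issuer and a Certificate that references it. The names, namespace and DNS name are constructed placeholders; the field names are cert-manager's own `cert-manager.io/v1` API.

```yaml
# Added example, not part of the original page. Resource names, the "demo"
# namespace and the DNS name are placeholders chosen for illustration.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer        # placeholder name
  namespace: demo                # placeholder namespace
spec:
  selfSigned: {}                 # signs requests with their own key; fine for a lab cluster
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-app-tls             # placeholder name
  namespace: demo
spec:
  secretName: demo-app-tls       # Secret that will receive tls.crt and tls.key
  duration: 2160h                # certificate lifetime: 90 days
  renewBefore: 360h              # renew 15 days before expiry, without manual action
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always       # generate a fresh private key on every renewal
  dnsNames:
    - demo-app.demo.svc.cluster.local   # placeholder in-cluster service name
  usages:
    - digital signature
    - server auth
  issuerRef:
    name: selfsigned-issuer      # must match the Issuer above
    kind: Issuer
```

Apply both manifests with `kubectl apply -f` and cert-manager will create the `demo-app-tls` Secret holding `tls.crt` and `tls.key`; `kubectl get certificate -n demo` reports `READY` as `True` once issuance succeeds, and `kubectl describe certificate demo-app-tls -n demo` shows the issuance and renewal events. The short `duration` paired with `renewBefore` and `rotationPolicy: Always` is what keeps a compromised or leaked key from staying useful for long, which is the point of letting cert-manager handle lifetimes instead of hand-managing them.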
What cloud service providers (CSPs) are compatible with cert-manager?
cert-manager is an open-source project that builds on top of Kubernetes to provide X.509 certificates and issuers as first-class resource types. Fast-forward a few years and enterprise DevOps teams are deploying cert-manager to production clusters with all the major cloud service providers (CSPs):
- Red Hat OpenShift
- Google Kubernetes Engine (GKE)
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)
- VMware Tanzu
How to get started with cert-manager?
The cert-manager docs site is the best go-to resource for all things technical. Check out these helpful guides to get you started:
- cert-manager installation guide
- cert-manager issuer configuration
- cert-manager tutorials
- cert-manager FAQs
- cert-manager release notes
Does cert-manager allow for Zero Trust?
cert-manager is a certificate management tool that allows an organization to enact the founding principles of Zero Trust. Organizations can use cert-manager to secure the machine identities behind east-west traffic as well as ingress.
With cert-manager, developers can ensure that every workload deployed to your Kubernetes platform is from a legitimate and verified source. This is widely accepted as a container security best practice, which developer teams can rely on to move fast and stay secure.
How does cert-manager enable DevSecOps?
DevSecOps stands for development, security, and operations. It’s an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle. Through this lens, cert-manager can serve as the means to push pre-approved certificates to cloud native workloads.
Of course, there will be a myriad of other issues that need to be tackled at the same time, including culture, visibility, versioning, etc. Even so, cert-manager gives organizations the means to scale a tried and trusted solution type (PKI) to cloud native environments.