Jetstack joyride: open source cert-manager ‘graduates’ to V1
Open source company Jetstack was acquired by Venafi, a vendor specialising in certificate and key management for machine-to-machine connections, back in May of 2020.
So was that good for the open community and what should we be thinking about next?
First, let’s look at what Jetstack does.
Jetstack is the creator and major contributor to the cert-manager open source project, a Kubernetes certificate management controller which enjoys some 1.5 million downloads a day.
In usage, cert-manager is said to be the fastest and easiest way for developers to create, connect and consume certificates with Kubernetes and cloud-native tools to securely deploy and operate applications, including modern software architectures such as microservices.
As readers will know, developers create and use a bunch of certificates when building software to securely deploy and operate applications.
But, as many of us also know, attackers try to steal or misuse those certificates to compromise applications and communication channels.
Today, cert-manager is used in production by many of the world’s largest organisations at scale, across multiple clouds and at the edge (for IoT edge computing).
The V1 release ships this September 2020.
So how do developers use this kind of technology to deal with certificates in the day-to-day use of cloud as Kubernetes proliferates and microservices deployments increase?
Permeating the cloud-native ecosystem
Its creators say that cert-manager ‘permeates the cloud native ecosystem’ and is widely used within other projects and organisations, including Nginx, Istio, Knative, Kubeadm, Cluster API and others. The use of cert-manager integrations with ISV software and other cloud offerings is also increasing.
In terms of robustness, cert-manager allows developers to request Transport Layer Security (TLS) machine identities for their Kubernetes workloads, while allowing monitoring and policies to be enforced. In short, it makes it very easy to secure Kubernetes workloads using TLS machine identities.
This technology is relied on to provide the TLS machine identities for a variety of use cases and to keep those machine identities current and compliant with policy. It can be used for ingress, that is, securing the endpoint that end users access, as well as for internal communication such as mutual TLS between workloads.
“Machine identities are fundamental to secure systems. In cert-manager, we make it much easier for developers to secure applications in Kubernetes and OpenShift, automating the toil of X.509 certificate issuance and renewal from a certificate provider of choice. No more complex and esoteric openssl commands at the CLI, but certificate automation that’s built into the platform, providing machine identity to the application workload, all completely managed for the developer,” said Matt Bates, CTO, Jetstack.
“It’s one less complex infrastructure component to manage, and it’s been transformative to organisations that were previously used to the rigmarole of manual operations that often involved use of emails and spreadsheets! With this high level of automation, this also of course means improved security posture and reduced chance of outage, as well as control and visibility for security teams,” added Bates.
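As an added example (not from the article or the cert-manager project itself), the cert-manager v1 manifests for the internal mutual-TLS case described above and the automated renewal Bates refers to: a self-signed bootstrap issuer mints an internal CA, a CA issuer then signs a short-lived workload certificate that cert-manager re-issues on its own. The resource names and the DNS name are assumptions; all four objects are applied into one namespace (for example `kubectl apply -n payments -f mtls.yaml`).

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: bootstrap-selfsigned   # assumed names throughout; only used to mint the CA
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-internal-ca
spec:
  isCA: true
  commonName: payments-internal-ca
  secretName: payments-internal-ca   # Secret holds ca.crt, tls.crt and tls.key
  issuerRef:
    name: bootstrap-selfsigned
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: payments-internal-ca
spec:
  ca:
    secretName: payments-internal-ca   # signs with the CA minted above
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ledger-mtls
spec:
  secretName: ledger-mtls-tls          # mounted into the workload Pod
  dnsNames:
    - ledger.payments.svc.cluster.local
  usages:                              # one certificate for both sides of mTLS
    - digital signature
    - server auth
    - client auth
  duration: 24h                        # short-lived leaf certificate
  renewBefore: 8h                      # re-issued while 8h of validity remain
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always             # fresh key pair on every renewal
  issuerRef:
    name: payments-internal-ca
    kind: Issuer
```

Workloads that trust `ca.crt` from the CA Secret and present `ledger-mtls-tls` can authenticate each other without any manual openssl steps, and a leaked leaf key is only usable until its 24h lifetime ends.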
Examples of use cases here include cert-manager being used in the telecoms industry to secure communication with a MySQL server.
Other deployments have seen cert-manager used in footwear retail to encrypt connections with client terminals in stores.
Certificates are graduating and becoming more important and more manageable via technologies like cert-manager, especially in the world of Kubernetes and microservices.