cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters and simplifies the process of obtaining, renewing, and using those certificates.
It can issue certificates from a variety of supported sources, including Let’s Encrypt, HashiCorp Vault, and Venafi as well as private PKI, and it ensures certificates remain valid and up to date, attempting to renew certificates at an appropriate time before expiry.
The solution is available on GitHub under an Apache-2.0 license.
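As an added example (not code from the interview or from the cert-manager project itself), here are the two resource types the description above refers to: an issuer, in this case a ClusterIssuer backed by Let's Encrypt's ACME API, and a Certificate that cert-manager issues from it and renews ahead of expiry. The hostname, e-mail address and ingress class are assumed placeholders.

```yaml
# Added illustration, not from the page or the cert-manager docs.
# Assumptions: an nginx ingress controller answers HTTP-01 challenges,
# and the e-mail address and hostname are placeholders to replace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging endpoint: validates the setup without consuming production
    # rate limits; switch to the production directory URL for real certs.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com                  # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-tls
  namespace: default
spec:
  secretName: web-tls             # kubernetes.io/tls Secret the workload mounts
  dnsNames:
    - www.example.com             # placeholder hostname
  duration: 2160h                 # 90 days, the Let's Encrypt maximum
  renewBefore: 360h               # start renewal 15 days before notAfter
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always        # fresh key pair on every renewal
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
    group: cert-manager.io
```

After `kubectl apply -f` on both manifests, `kubectl describe certificate web-tls` shows the Ready condition and the renewal time cert-manager computed from duration and renewBefore.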
Matt Barker, President, Cloud Native Services at Venafi, offers insight about cert-manager for Help Net Security readers.
What are cert-manager’s most prominent features?
cert-manager is an open-source project that automates the issuance and renewal of X.509 certificates for cloud-native Kubernetes or OpenShift environments. As cloud native environments are highly distributed with high levels of automation, developers and security teams rely on cert-manager to authenticate and secure communication between Kubernetes workloads, containers, and clusters. This reduces the likelihood of certificate-based outages and protects Kubernetes environments by verifying machine identities.
It integrates with popular public and private Certificate Authorities (CAs), as well as other open-source projects like Istio service mesh, and has contributors from commercial PKI solutions such as AWS and Google. It’s become the de facto standard in cloud-native machine identity management and is regarded as an essential tool for securing Kubernetes environments.
cert-manager is immensely popular, featuring more than a million daily downloads. What are the challenges of maintaining such a high-profile open-source project?
Because of the nature and popularity of the project, one of the main challenges is ensuring that cert-manager continues to show strategic value to the cloud native landscape. We welcome the feedback that we get on the project. But as it has over 1.5 million downloads per day and is widely popular throughout the developer community, it can be a challenge to move at the same speed as our users and ensure it caters to their wants and needs. The Jetstack team continues to create over 70% of all code committed to cert-manager, largely so that we can make sure it’s a reflection of the feedback we receive.
Also, the ethos of open source – flexibility and agility – was one of the driving factors behind cert-manager, and is critical to its success, but it also means that diligently maintaining the project is a challenge. We have a duty to keep an eye on contributions to the project and ensure that they’re not only of sufficient quality, but also aren’t putting cert-manager’s users at risk. With a broad and diverse array of contributors, this isn’t always easy, but we relish the community collaboration that cert-manager has fostered.
What are your long-term plans for cert-manager?
Our long-term plan for cert-manager will always be to make sure that it’s delivering value to the community. We’re looking forward to the continued evolution of the project and driving new use cases. For instance, it will be exciting to see how developers can use cert-manager when delivering secure service mesh via TLS to add more value, trust distribution, and how it might support multi-cloud, multi-cluster use cases too. As the cloud native ecosystem grows, more challenges will arise. We want to make sure cert-manager is equal to this and has the flexibility to respond to change.
cert-manager has also just been accepted to the CNCF incubation program. This is vital to delivering our long-term plans. Since joining the CNCF Sandbox, the project has benefitted from greater visibility in the cloud native ecosystem, with enhanced community interaction, increasing our number of contributors, and GitHub Stars.
With the way IT is growing, CNCF is going to continue to become central to not just IT, but business strategy. cert-manager being part of a suite of important and influential projects means that we can really drive opportunity and the adoption of the project among developers.