Integrating cert-manager with Google Cloud Certificate Authority Service

Written by Jake Sanders


Published on our Cloud Native Blog.

cert-manager builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide ‘certificates as a service’ to developers working within your Kubernetes cluster. cert-manager is very popular with tens of thousands of users.

cert-manager can be used for many different use cases within your clusters, including mutual TLS (mTLS) between workloads, and for securing traffic from end users with ingress. cert-manager provides integrations with many different ways of obtaining those certificates, including Let’s Encrypt, Venafi Trust Protection Platform, and a Certificate Authority issuer that allows for signing with a CA certificate obtained from any source.

CAS Issuer for cert-manager

Today we are announcing that we are adding another integration option: Google Cloud’s new Certificate Authority Service.

The Google Cloud Certificate Authority Service (CAS) provides:

  • Private CAs “as a service” for internal workloads (as opposed to something like Let’s Encrypt, which issues publicly trusted certificates)
  • Automation and auditing
  • Secure storage of the CA key, as Google CAS leverages HSMs that are FIPS 140-2 Level 3 validated

Read more about the full set of features in the product documentation.

How it works

Working closely with Google, we developed an external Issuer for cert-manager, in order to automate the lifecycle of certificates with a CAS-managed CA. The CAS Issuer is a separate controller from cert-manager and runs in its own pod. cert-manager still owns the Certificate resource, the private key and the resulting Secret; the CAS Issuer only handles the signing step, so you create and manage CAS-issued certificates through the same Kubernetes interfaces you would use for publicly-trusted certificates (e.g. Let’s Encrypt).

Google CAS External Issuer

Getting started

Follow the open source project documentation to set up the prerequisites, build and install the controller, and configure the CAS Issuer (a GoogleCASIssuer or, as here, a cluster-wide GoogleCASClusterIssuer). Once it is installed you can list it:

kubectl get googlecasclusterissuers

NAME                            AGE
googlecasclusterissuer-sample   10s

You can now create certificates as normal; the only difference is that the issuerRef must point at the Google CAS Issuer (including its API group, since it is an external issuer rather than one of cert-manager’s built-in kinds).

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-certificate
  namespace: default
spec:
  # The secret name to store the signed certificate
  secretName: demo-cert-tls
  # Common Name (example value; the original post did not show one)
  commonName: demo.example.com
  # Duration of the certificate
  duration: 24h
  # Renew 8 hours before the certificate expiration
  renewBefore: 8h
  # Important: Ensure the issuerRef is set to the issuer or cluster issuer configured earlier
  issuerRef:
    group: cas-issuer.jetstack.io
    kind: GoogleCASClusterIssuer
    name: googlecasclusterissuer-sample
EOF

Shortly afterwards the certificate will be requested, signed by the CAS-managed CA and stored in the cluster as a Secret.

kubectl get certificates,secret
NAME                                           READY   SECRET          AGE
certificate.cert-manager.io/demo-certificate   True    demo-cert-tls   1m

NAME                   TYPE                DATA   AGE
secret/demo-cert-tls   kubernetes.io/tls   3      1m

The certificate in this example had a duration of 24h, and cert-manager will automatically renew it 8h prior to expiry. The three keys in the Secret are tls.crt (the signed certificate), tls.key (the private key, which never leaves the cluster) and ca.crt (the CA chain returned by CAS). You can also trigger a renewal manually with the cert-manager kubectl plugin.
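The following Go program is an added example, not code from the original post or from the CAS Issuer project. It walks through what the "How it works" section describes and what the duration/renewBefore settings above mean in practice: a CA signs a workload certificate for exactly the requested lifetime, and the contents that would land in the Secret (tls.crt and ca.crt) are then checked the way a practitioner should check them: the leaf must chain to ca.crt for the requested name, its lifetime must match the Certificate's duration, and renewBefore must fall inside that lifetime, which gives the point at which cert-manager will renew. A locally generated CA stands in for the CAS-managed CA (with CAS the signing key stays in Google's HSM), and the names demo-private-ca and demo.example.com are assumptions for the demo, not values from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue gives tmpl a random serial, signs it with priv (parent == tmpl for a
// self-signed root) and parses the DER back into a certificate.
func issue(tmpl, parent *x509.Certificate, pub interface{}, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	var err error
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newLocalCA stands in for the CAS-managed CA. With CAS the signing key stays in
// Google's HSM; here it is held in memory so the example runs offline.
func newLocalCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "demo-private-ca"}, // assumed name
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueForWorkload is one Certificate's issuance: a workload key is generated (cert-manager
// does this in-cluster and sends the issuer only a CSR), the CA signs it for exactly the
// requested duration, and the leaf and CA chain come back as the PEM for tls.crt and ca.crt.
func issueForWorkload(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, name string, duration time.Duration) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC().Truncate(time.Second) // X.509 validity times carry whole seconds
	leaf, err := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: name},
		DNSNames:    []string{name},
		NotBefore:   now,
		NotAfter:    now.Add(duration),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw}), nil
}

// checkIssued is the check to run on the Secret: tls.crt must chain to ca.crt for the
// requested name and have exactly the requested lifetime, and renewBefore must fall
// inside that lifetime. It returns the leaf and the time cert-manager will renew it.
func checkIssued(certPEM, caPEM []byte, name string, duration, renewBefore time.Duration) (*x509.Certificate, time.Time, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return nil, time.Time{}, fmt.Errorf("tls.crt is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, time.Time{}, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, time.Time{}, fmt.Errorf("ca.crt holds no certificates")
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name}); err != nil {
		return nil, time.Time{}, fmt.Errorf("chain: %w", err)
	}
	if got := cert.NotAfter.Sub(cert.NotBefore); got != duration {
		return nil, time.Time{}, fmt.Errorf("lifetime %s, want %s", got, duration)
	}
	if renewBefore <= 0 || renewBefore >= duration {
		return nil, time.Time{}, fmt.Errorf("renewBefore %s is not inside the %s lifetime", renewBefore, duration)
	}
	return cert, cert.NotAfter.Add(-renewBefore), nil
}
```

Call newLocalCA, then issueForWorkload with the name from the Certificate and 24h, then checkIssued with the same name, 24h and 8h; the returned time is NotAfter minus 8h, which is when cert-manager will request a new certificate. Against a real cluster you would feed checkIssued the decoded tls.crt and ca.crt from the demo-cert-tls Secret instead. The two failure modes worth keeping in mind are the ones the check rejects: a leaf that chains to some other CA (or was issued for a different name) and a renewBefore that is not shorter than the duration, which would otherwise mean renewing the moment the certificate is issued.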

Project and service availability

You can give this a try today! The Google Cloud Certificate Authority Service is in public beta and the CAS Issuer for cert-manager, developed and maintained by Jetstack, is available and open source now.

If you would prefer an easier setup then keep an eye out for a supported offering in the Google Cloud Marketplace. We will share an announcement when it is available with all the details you will need to get started.
