cert-manager builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide ‘certificates as a service’ to developers working within your Kubernetes cluster. cert-manager is very popular with tens of thousands of users.
cert-manager can be used for many different use cases within your clusters, including mutual TLS (mTLS) between workloads, and for securing traffic from end users with ingress. cert-manager provides integrations with many different ways of obtaining those certificates, including Let’s Encrypt, Venafi Trust Protection Platform, and a Certificate Authority issuer that allows for signing with a CA certificate obtained from any source.
CAS Issuer for cert-manager
Today we are announcing that we are adding another integration option: Google Cloud’s new Certificate Authority Service.
The Google Cloud Certificate Authority Service (CAS) provides:
- Private CAs “as a service” for internal workloads (as opposed to something like Let’s Encrypt where the certificates will be public)
- Automation and auditing
- Secure storage of the CA key, as Google CAS leverages HSMs that are FIPS 140-2 Level 3 validated
Read more about the full set of features in the product documentation.
How it works
Working closely with Google, we developed an external Issuer for cert-manager, in order to automate the lifecycle of certificates with a CAS-managed CA. The CAS Issuer is a separate controller to cert-manager and runs its own pod, enabling you to use the same interfaces to create and manage certificates in Kubernetes as you would publicly-trusted certificates (e.g. Let’s Encrypt).
Getting started
Follow the open source project documentation to set-up the prequisites, build and install the controller and configure the CAS Issuer.
kubectl get googlecasclusterissuers
NAME AGE
googlecasclusterissuer-sample 10s
You can now create certificates as normal, but you just need to ensure the IssuerRef is set to the Google CAS Issuer.
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: demo-certificate
namespace: default
spec:
# The secret name to store the signed certificate
secretName: demo-cert-tls
# Common Name
commonName: cert-manager.io.demo
# DNS SAN
dnsNames:
- cert-manager.io
- jetstack.io
# Duration of the certificate
duration: 24h
# Renew 8 hours before the certificate expiration
renewBefore: 8h
# Important: Ensure the issuerRef is set to the issuer or cluster issuer configured earlier
issuerRef:
group: cas-issuer.jetstack.io
kind: GoogleCASClusterIssuer
name: googlecasclusterissuer-sample
EOF
In short time, the certificate will be requested and made available to the cluster.
kubectl get certificates,secret
NAME READY SECRET AGE
certificate.cert-manager.io/bar-certificate True demo-cert-tls 1m
NAME TYPE DATA AGE
secret/demo-cert-tls kubernetes.io/tls 3 1m
The certificate in this example had a duration of 24h, and cert-manager will automatically renew it 8h prior to expiry. You could also manually renew it with the kubectl plugin.
Project and service availability
You can give this a try today! The Google Cloud Authority Service is in public beta and the CAS Issuer for cert-manager, developed and maintained by Jetstack, is available and open source now.
If you would prefer an easier setup then keep an eye out for a supported offering in the Google Cloud Marketplace. We will share an announcement when it is available with all the details you will need to get started.