CNCF Graduates Cert-Manager to Help Streamline Certificate Workflows
The cert-manager project has officially been graduated by the Cloud Native Computing Foundation (CNCF) at a time when managing certificates has become more challenging than ever.
Google and Apple are both moving to shorten the maximum lifetime of a certificate to 90 and 45 days, respectively. Unfortunately, many organizations still lack a formal process for managing the issuance of certificates, and when those certificates lapse, websites and applications suddenly become unavailable.
The open-source cert-manager software being advanced under the auspices of the CNCF automates Transport Layer Security (TLS) and Mutual Transport Layer Security (mTLS) certificate issuance and renewal in Kubernetes environments. Rather than having to rely on manual renewal processes, cert-manager is designed to automate the management of any X.509 certificate. That’s especially critical when using TLS certificates that typically need to be renewed more often.
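As an added illustration (not taken from the article or from the cert-manager project's own documentation), a minimal cert-manager Certificate resource that requests a 90-day certificate and has cert-manager renew it 30 days before expiry; the resource name, namespace, hostname and issuer name are placeholders:

```yaml
# Added example: a cert-manager Certificate with a 90-day lifetime that is
# renewed automatically 30 days before it expires. Names are placeholders.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-tls             # placeholder name
  namespace: default        # placeholder namespace
spec:
  secretName: web-tls       # Kubernetes Secret that will hold the key and certificate
  duration: 2160h           # 90 days, matching the shorter lifetimes discussed above
  renewBefore: 720h         # start renewal 30 days before notAfter
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always  # generate a fresh private key on every renewal
  dnsNames:
    - app.example.com       # placeholder hostname
  issuerRef:
    name: letsencrypt-prod  # placeholder ClusterIssuer (for example, an ACME issuer)
    kind: ClusterIssuer
```

cert-manager records the scheduled renewal time in the Certificate's status, so `kubectl describe certificate web-tls` shows when the next automatic renewal will occur.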
Created by Jetstack, now part of Venafi, an arm of CyberArk, the cert-manager project has more than 450 contributors and is downloaded more than 500 million times a month. The CNCF estimates that 86% of new production clusters rely on cert-manager to manage the issuance and renewal of TLS and mTLS certificates.
To officially graduate from incubating status, the project passed a security audit and, over the course of the last two years, revamped its governance documentation, worked with TAG Security and TAG Contributor Strategy to review its security and community posture, migrated its testing and release processes to infrastructure owned by the CNCF, and integrated cert-manager with the Secure Production Identity Framework for Everyone (SPIFFE).
The project’s roadmap includes forthcoming support for ACME Renewal Information (ARI), which provides a cleaner method for renewing certificates issued over the ACME protocol, as well as an effort to shrink cert-manager’s core components by further minimizing binary and container sizes, reducing the overall attack surface and the complexity associated with maintaining best practices for public key infrastructure (PKI) management.
Ashley Davis, cert-manager maintainer and staff software engineer for Venafi, said the overall goal is to ensure the security enabled by the certificate is maintained in a way that doesn’t slow down the rate at which application developers can provision infrastructure. That’s crucial for organizations that are increasingly enforcing zero-trust IT principles that application developers must comply with before deploying software, he added.
In addition, certificates also play a critical role in helping to reduce application secrets sprawl, noted Davis.
It’s not clear how many organizations are using cert-manager, but as the number of microservices deployed continues to increase, so does the chance of an outage caused by an expired certificate. The challenge, as always, is to effectively manage every certificate a Kubernetes environment requires so that each microservice remains available, rather than having to reroute traffic around it in a way that ultimately degrades application performance.