Guest post by Richard Collins, Product Marketing Manager, Jetstack

Last week’s quarterly CNCF End User Technology Radar, which surveyed the preferred tools for cloud native secrets management, gave a clear indication of how enterprise end users are adopting security tools related to secrets management. In particular, the report highlighted the emergence of cert-manager – a CNCF Sandbox project – as one of the most highly adopted. This pointed to some interesting behaviours: enterprises are no longer relying solely on Cloud Service Providers to automatically manage certain cloud security elements, and among the findings, certificate management was called out as being particularly relevant. Certificate management in general is “top of mind” for many enterprises, so the importance of cert-manager as a proven and well-established solution for easily automating TLS certificates was a strong highlight.

cert-manager is a highly popular open source project, first created by Jetstack and now part of the CNCF Sandbox, which has grown to become the de facto solution for managing X.509 certificates in Kubernetes. Secrets management is of course inherently needed for storing the public and private keys behind TLS certificates. cert-manager stores issued certificates and their private keys in the native Kubernetes Secret resource and is more generally used for automating machine identity management for workloads.

The survey showed that certificate management is increasingly important for Kubernetes end users and that there is great interest in cloud-agnostic solutions. This finding in particular signals a shift in the way enterprises choose to consume cloud security services. In parallel, it is interesting to note the rise in multi-cloud patterns and solutions being adopted by enterprises, which helps explain why cloud-agnostic tools like cert-manager are becoming popular. This adoption is driven by increased usage of Kubernetes in enterprises with large estates of legacy applications and a need to support hybrid and multi-cloud infrastructure. Given this interest in multi-cloud, it is inevitable that usage of service meshes will also increase, and cert-manager, with its support for Istio and Open Service Mesh and more to come, is perfectly placed to provide a cloud-agnostic, cross-cluster certificate management solution.

cert-manager adoption is centred on X.509 certificates being used to automate machine identity management for Kubernetes workloads. It builds in native support for certificates and certificate authorities, integrating with a range of popular public and private providers. Platform and operations teams can rely on cert-manager to automatically issue and renew certificates. This capability is primarily used to secure ingress resources with public CAs such as Let’s Encrypt, but there is now increasing interest in using cert-manager to secure workload identities with mesh and mesh-like systems. All this delivers a level of certainty and security for development and platform teams. cert-manager’s growth is down to its demonstrable appeal as a consistent, reliable and agnostic solution for machine identity automation.
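The ingress use case described above, as an added example that is not part of the original post or of the cert-manager project’s own documentation: a ClusterIssuer for Let’s Encrypt (ACME, HTTP-01 challenge), a Certificate that cert-manager keeps renewed, and an Ingress that consumes the resulting Secret. The domain, e-mail address, namespace, names and the nginx ingress class are placeholders assumed for the example.

```yaml
# Added example, not from the original post. Placeholders: example.com,
# ops@example.com, namespace "web", Secret/Ingress names, ingress class "nginx".
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com              # placeholder contact for expiry notices
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, stored as a Secret
    solvers:
      - http01:
          ingress:
            class: nginx                 # assumes an nginx ingress controller
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-tls
  namespace: web
spec:
  secretName: web-tls                    # cert-manager writes tls.crt and tls.key here
  renewBefore: 720h                      # start renewal 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always               # fresh private key on every renewal
  dnsNames:
    - www.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: web
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - www.example.com
      secretName: web-tls                # the Secret maintained by the Certificate above
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
```

After applying the manifests, `kubectl -n web get certificate web-tls` should report READY as True once the HTTP-01 challenge has been solved, and `kubectl -n web get secret web-tls -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates` shows the validity window that cert-manager will renew against. The `rotationPolicy: Always` setting is the choice a security team usually wants, since the default reuses the same private key across renewals.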

Enterprises are increasingly comfortable with solutions which can be properly evaluated and are backed up with a strong community of contributors and users from across the ecosystem. The cert-manager community has grown to over 275 contributors since its first commit back in 2017, including a team at Jetstack who support the development full-time, together with individual maintainers and CNCF end users. 

Ingress protection is of course vital, but in parallel enterprises see cert-manager as a compelling choice to easily automate certificate management in several other areas: securing intra-pod traffic and controlling workload security and access for internal traffic; easily integrating enterprise CAs to issue private certificates; controlling workloads that operate across different cloud providers; and operating the Istio service mesh so that control plane communication across the mesh is automated using mTLS.
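The private-CA and internal mTLS case above, as an added example that is not part of the original post or of the cert-manager project’s own documentation: a namespaced CA Issuer backed by an enterprise (intermediate) CA key pair that has been loaded into a Secret, and a short-lived Certificate carrying both server and client authentication usages so a workload can present it on either side of an mTLS connection. The namespace, service names and Secret names are placeholders assumed for the example.

```yaml
# Added example, not from the original post. Placeholders: namespace "payments",
# service "payments-api", Secret names. The Secret "internal-ca-keypair" is
# assumed to hold the enterprise CA's tls.crt and tls.key.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: internal-ca
  namespace: payments
spec:
  ca:
    secretName: internal-ca-keypair      # CA certificate and key; restrict RBAC on this Secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api-mtls
  namespace: payments
spec:
  secretName: payments-api-mtls          # receives tls.crt, tls.key and the issuing ca.crt
  commonName: payments-api.payments.svc
  dnsNames:
    - payments-api.payments.svc
    - payments-api.payments.svc.cluster.local
  duration: 24h                          # short lifetime limits the blast radius of a leaked key
  renewBefore: 8h                        # rotate well before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always               # new key pair on every rotation
  usages:
    - digital signature
    - key encipherment
    - server auth                        # presented when accepting connections
    - client auth                        # presented when calling other services
  issuerRef:
    name: internal-ca
    kind: Issuer
```

Because the Issuer is namespaced, only Certificates in `payments` can obtain signatures from this CA, which keeps the scope of the private CA key pair narrow. For a CA Issuer, cert-manager also writes the issuing certificate into the target Secret as `ca.crt`, so peers in the namespace can mount it as their trust bundle instead of distributing the CA certificate separately.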

Enterprises that are committing more resources to scale their Kubernetes infrastructure across multiple cloud providers are evidently not looking solely to the Cloud Service Providers to support their need for certificate management. The survey suggests cert-manager is firmly established as the solution of choice to meet many large enterprises’ need for Kubernetes certificate management – this is great to see for a CNCF-sponsored project. The general factor which explains the increased adoption of cert-manager is that it aligns with enterprises’ plans for expanding infrastructure. cert-manager has shown it is a great fit for the many use cases in which automated certificates are needed. As enterprises transform their infrastructure with Kubernetes and build out a multi-cloud strategy, we’re delighted that a cloud native, CNCF-backed project is meeting their needs.