Certificate lifecycle management is a critical requirement for Kubernetes clusters and workloads. Automating the self-service creation and renewal of certificates is necessary to enable secure self-service for developers deploying applications on Kubernetes clusters. Cert-manager from Jetstack is a popular open-source tool that automates issuing certificates on-demand using Kubernetes APIs, as well as renewing the certificates before they expire. Cert-manager comes with support for commonly-used certificate issuers and can be extended to support others as needed. Cert-manager allows you to restrict who can use each issuer, allowing you to apply policy within your organization.
The Nirmata DevSecOps Platform enables secure self-service for developers. It allows various critical add-ons such as Kyverno for Kubernetes policy management, Datadog agent for monitoring, etc. Now, cert-manager support has been added as well. This post describes how the cert-manager can be used in NDP to automate certificate management.
Deploying cert-manager as an add-on
Cert-manager is now available in the default-addon-catalog. The catalog application for cert-manager uses the public GitHub repository for cert-manager add-on.
Since cert-manager is already in the catalog, it is now available to be deployed as an add-on to any cluster. Cert-manager can be selected when creating a cluster type so cert-manager is deployed to any cluster created with that cluster type.
Automatic upgrades for cert-manager
Any catalog application that is deployed using a Git repository is automatically upgraded whenever a new commit is made to the git repository or if a new branch is selected in the Git settings for the application. This process can be used to upgrade cert-managers deployed on multiple clusters at the same time.
Creating Kubernetes cluster issuers
Once cert-manager is deployed to a cluster, you can easily create cluster issuers. The following cluster issuers can be created:
You can follow the instructions to create any type of cluster issuer. Some cluster issuers require a Secret prior to creating the cluster issuer. Secrets can be created directly from the Cluster Issuers panel using the Create Secret menu. This secret will be created in the cert-manager namespace.
Cert-manager also allows developers to create issuers instead of using the cluster issuer. While this is a powerful capability, the cluster administrator may want to restrict the creation of certificates to their own domain or create certificates with a single DNS name entry. This can be done using policies. Clusters that are deployed using the Nirmata Kubernetes platform always include the Kyverno policy engine. Sample policies for cert-manager can be found here.
Nirmata’s DevSecOps Platform now automates the lifecycle management for certificates in Kubernetes clusters by integrating with cert-manager. In addition to deploying and managing cert-manager, you can also create cluster issuers to automatically generate certificates and also deploy Kyverno policies to ensure that the generated certificates are compliant with the company requirements. You can explore Nirmata for free at: https://try.nirmata.io. For any outstanding questions or issues you’d like to discuss concerning Kubernetes management, please contact us here.