
Google CAS Supports cert-manager and Jetstack Secure for Cloud Native and Private PKI


July 13, 2021 | Richard Collins, Jetstack
Private PKI and Cloud Native

Enterprise platform teams running cloud native infrastructure with Kubernetes are increasingly looking to private PKI automation to distribute certificates for secure inter-workload communications at scale. For example, with a service mesh such as Istio, workloads can be mutually authenticated using short-lived X.509 TLS certificates.

In addition, multi-cloud infrastructure continues to be one of the key areas of growth as companies look to build with a combination of cloud providers. Having immediate access to a range of certificate issuers allows these companies to provide different PKI capabilities to different internal teams or environments. This allows development teams to easily use a combination of both private and public PKI when this is needed.

On July 8, Google Cloud announced general availability (GA) of its Certificate Authority Service (CAS), which provides private CAs “as a service” for internal workloads. This approach differs from a CA like Let’s Encrypt, where the certificates are public. Google CAS also includes automation, auditing and secure storage of CA keys, as it leverages HSMs that are FIPS 140-2 Level 3 validated.

Automating certificate lifecycles in Google CAS

Through an integration announced last November, cert-manager supports Google CAS and provides full lifecycle automation of certificates issued by CAS-managed CAs. The CAS Issuer is a separate controller from cert-manager and runs in its own pod, enabling developers to use the same Kubernetes-native interfaces to create and manage certificates in Kubernetes as they would use for publicly trusted certificates.

With cert-manager’s range of issuers and support for Istio service mesh, Google Cloud customers now have the additional option to integrate Google’s own private PKI service in CAS to work with the already highly popular cert-manager open source solution. 

Having Google Cloud CAS act as a cert-manager issuer gives platform teams even more confidence to standardize on cert-manager fully throughout the infrastructure for all X.509 certificates—public and private. This is particularly relevant when deploying workloads across multi-cloud environments, since cert-manager is CA-agnostic and is ideal to easily secure workloads across new environments, irrespective of the underlying service provider infrastructure.

Ready for Jetstack Secure

Google Cloud CAS and cert-manager integration is available today with Jetstack Secure. Jetstack Secure provides a control plane with configuration controls and visibility across a fleet of clusters, giving platform and security teams detailed views of the operational and security posture. For instance, Jetstack Secure provides extra visibility of each X.509 certificate's configuration and status, and surfaces errors and warnings, including the health of each instance of cert-manager and the CAS issuer. This is all based around an intuitive web-based management interface, with the option to direct alerts to Slack. Jetstack Secure prevents misuse of badly configured certificates, provides consistency at scale to manage increasing volumes and a variety of certificate requests, and hardens the enterprise security posture by supporting the platform team's need to implement best practices.

One-click install and upgrade at Google Cloud Marketplace

Google Cloud customers can now deploy a fully integrated package, including cert-manager and the Google Cloud CAS issuer, direct from the Google Cloud Marketplace. Jetstack Secure for cert-manager includes access to the Jetstack Secure service, and provides full visibility of all CAS certificates, including status and details, across multiple clusters. 
