Pulumi Policy-as-Code for Cert-Manager Simplifies Machine Identity Management

A lot of current Infrastructure-as-Code tools require DevOps practitioners, system administrators, and other people to adopt domain-specific languages. As cloud infrastructure configurations become more sophisticated, domain-specific languages struggle to provide expressiveness and convenient abstractions—resulting in large, unwieldy configurations that are hard to maintain. Along the way, there are many things that can go wrong due to overly-complex, infrastructure code. That’s where Pulumi and Policy-as-Code can simplify infrastructure definition and deployments and help your team avoid costly mistakes.

Pulumi is an Infrastructure-as-Code platform that enables your team to define, deploy and manage any cloud using your favorite programming languages. This means your team can take advantage of all the great tools and frameworks available in the JavaScript, TypeScript, Python, Golang, and .NET ecosystems to deliver “infrastructure as software”. You can create abstractions to simplify complex configurations and use modern testing techniques to validate your cloud configurations before, during and after deployment.

CrossGuard, a new Policy-as-Code offering from Pulumi, empowers you to set guardrails to enforce compliance for cloud resources so your developers can provision their own infrastructure while sticking to best practices and enforcing security compliance. Using Policy-as-Code, you can write flexible business rules and security policies. Using familiar programming languages to examine request metadata provides the ability to build policy rules that fit your unique business requirements, and when these policies are enforced as part of a Pulumi deployment, any violation can gate or block a non-compliant update from proceeding. Since Pulumi uses modern programming languages, codifying and testing each policy is easy and the logic is transparent to your application teams. Operators can choose which policy checks prevent deployments and which policies are merely advisory in nature—warning the end-user of potential enforcement in the future.

But how does Policy-as-Code impact machine identities? Pulumi has built a reference implementation for Jetstack cert-manager with CrossGuard to streamline the installation of cert-manager and generate certificates on Kubernetes. Organizations can define the use of cert-manager ahead of time to make it easy to get consistent certificate use across deployments. And they can define policy in languages they’re already familiar with, like TypeScript, JavaScript, Python and OPA. Easy!
 

Pulumi’s customers include lots of organizations where front-end developers also need to define cloud infrastructure. Everyone working in a cloud engineering role encounters challenges maintaining machine identities and the team worked closely with Jetstack to simplify the process for teams using Kubernetes and cert-manager. The goal is to help application developers to follow InfoSec best practices and to make sure that when they ship applications, they're using machine identities in the right way.
 

If you're building a platform for your developers to be able to very quickly ship applications, integrating cert-manager will help expedite your deployments. The integration allows anybody who's using the platform to easily get a secure certificate without having to write lots of lines of code. The experience that we intend to provide is this: with just a couple of lines of code, developers can easily secure their applications and make sure that best practices are followed. Before cert-manager came along and especially before the integration with Venafi, life was different—managing machine identities in cloud-native applications could be a challenge.
 

That process of properly applying a certificate would usually involve either learning a different kind of tool like HashiCorp Terraform or CloudFormation or learning how the certificate process works internally within your company. This process often involved getting a CSR and then submitting it to your information security team, and then waiting for him or her to send it back. Then you have to figure out how to store it safely. With the old process, there were a lot of manual steps between the application being ‘ready’ and successful deployment to production. With this new implementation, developers now simply add three or four lines of TypeScript directly into their application, or directly into the way they provision the application. To put it simply, the integration removes that incredible complexity by breaking it down into just a couple of lines of code! 
 

Managing machine identities securely has been very difficult, and a lot of organizations just skip it or do it badly. We’ve seen it in the news with the recent SolarWinds code signing vulnerability. The importance of securely managing certificates has never been higher. 
 

We are very excited to bring this reference implementation for Pulumi CrossGuard with cert-manager to market. We are targeting completion in Q1 2021. You can watch for more information on our website http://www.pulumi.com and on Venafi’s Marketplace.

This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.

Related Posts

• Starting 2020 With Strong New Group of Developers
• Machine Identity Protection Development Fund Exceeds Expectations
• 3 Ways the Machine Identity Protection Development Fund is Helping to Protect Your Business 

Learn more about machine identity management.