Understanding the Basics of cert-manager

March 24, 2022 | Richard Collins, Jetstack

Managing and automating machine identities for cloud native environments with cert-manager is popular. Hugely popular. Over 500 million downloads a year! Let’s talk a bit about what it does and why it’s so widely used.

At the turn of the year, in its End User Technology Radar (a guide for evaluating cloud native technologies, on behalf of the CNCF End User Community) cert-manager was highlighted as being the go-to platform for secrets management amongst Kubernetes users. A massive coup given its relative infancy.

And whilst our cert-manager team were obviously thrilled to learn that our open-source project had become so widely deployed, what was perhaps even more encouraging was that certificate management was so high on the agenda for many that had turned to Kubernetes’ orchestration capabilities.

But for those new to the world of certificate management—what even is cert-manager? And why is it downloaded by Kubernetes users more than 500 million times a year?

To put what cert-manager does into context, you’ll first need to be familiar with Public Key Infrastructure (PKI)—the unsung hero of cybersecurity. But don’t worry, if you’re yet to come across the term this article will bring you up to speed. However, for those that are already up close and personal with the world of cryptography and certificate authorities (CAs), let’s crack on.

What is cert-manager?

Cert-manager is an open source project—originally created by Jetstack—that manages X.509 certificates specifically for cloud native Kubernetes or OpenShift environments. And as noted in a CNCF blog published earlier in the year, this functionality has become somewhat synonymous with machine identity management for those operating cloud native environments.

X.509 certificates, issued by public Certificate Authorities (CAs) such as Let’s Encrypt, are the standard way to establish TLS-encrypted connections between users’ browsers and web applications across the Internet. Deployed as part of a PKI, they are what developers turn to in order to protect web applications that are exposed through an Ingress in a cloud environment (not sure what an Ingress is? Check out this article).

In an alternative universe without cert-manager, manually obtaining and configuring TLS certificates is an onerous task. Fortunately, back in the real world, we can use cert-manager to automate this process thanks to its integration with popular certificate issuers (both public and private), meaning you can issue or renew certificates without lifting a finger.
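As an added illustration (not taken from the original post or the cert-manager project docs), the manifests below show the Ingress use case end to end: an ACME ClusterIssuer for Let’s Encrypt and an Ingress whose annotation tells cert-manager to obtain and renew the certificate for it. The hostname, e-mail address, service name and ingress class are constructed placeholders.

```yaml
# Cluster-wide issuer backed by Let's Encrypt's ACME service (constructed example).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # For testing, point this at the staging directory to avoid production rate limits:
    # https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                # placeholder contact for expiry notices
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # cert-manager creates and stores the ACME account key here
    solvers:
    - http01:
        ingress:
          class: nginx                    # cert-manager creates temporary Ingress rules for the challenge
---
# Ingress for the application; the annotation is the only cert-manager-specific part.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - app.example.com                    # placeholder hostname; must resolve to the Ingress for HTTP-01
    secretName: app-example-com-tls      # cert-manager writes tls.crt/tls.key here and renews before expiry
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web                    # placeholder backend Service
            port:
              number: 80
```

After applying, `kubectl get certificate -n default` shows the Certificate object cert-manager created from the annotation; `READY` becomes `True` once the HTTP-01 challenge has been validated.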

The popularity of cert-manager comes from the fact that it solves a genuine problem for developers: it automates a task that would otherwise eat into development time, freeing them to focus on building better and faster. As such, development team productivity increases, security is better managed, and web applications perform better.

Its tremendous rise in popularity across the cloud native ecosystem motivated Jetstack to donate cert-manager to CNCF in November last year. Commenting on the switch, Jetstack’s CTO, Matthew Bates, was quoted as saying:

“Cert-manager is widely used; it has a large user base and following, and projects across the ecosystem integrate with it. Jetstack, with the support of our parent company Venafi, believes such a foundational component belongs in the CNCF, with its vendor-neutrality, alongside many of the projects that rely on it and would benefit from a close collaboration. Being part of the CNCF will enable the project to attract a diverse contributor base and help to promote partnership and cooperation with many ecosystem projects, including those in the CNCF.”

What are other use cases for cert-manager?

Ingress protection is essential for the safe, secure management of workloads in Kubernetes—and this core use case has been instrumental towards cert-manager’s rise in popularity. However, it’s not the only way that developers can use the tool to automate workloads.

There are two other use cases worth exploring.

mTLS protection

The first use case is for enforcing protection through mTLS (Learn about mTLS).

In production environments, developers often build internal workloads that are not exposed to Ingress—and therefore need to be protected through other means. Enter mTLS (between pods). This type of deployment protects workloads against attacks from within. Larger companies with established CISO departments see the use of mTLS as essential to reinforce protection and underpin zero trust networking principles.
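To show what pod-to-pod mTLS with a private CA looks like in practice, here is an added example (not from the original post or the cert-manager project): a CA Issuer backed by an internal CA key pair, and a Certificate for one workload that carries both `server auth` and `client auth` usages so the same identity can accept connections and present itself to peers. The namespace, service names and secret names are constructed placeholders, and the CA key pair is assumed to already exist in the named Secret.

```yaml
# Private CA issuer for internal workloads (constructed example).
# Assumes a Secret "internal-ca-keypair" holding the CA's tls.crt and tls.key already exists
# in the namespace (it could itself be created by cert-manager from a selfSigned issuer).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: internal-ca
  namespace: payments
spec:
  ca:
    secretName: internal-ca-keypair
---
# One identity per workload: the "orders" service gets a short-lived, auto-rotated certificate.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: orders-mtls
  namespace: payments
spec:
  secretName: orders-mtls-tls          # tls.crt, tls.key and the CA's ca.crt land here; mount it into the pod
  duration: 24h                        # short lifetime limits the blast radius of a leaked key
  renewBefore: 8h                      # cert-manager renews well before expiry
  dnsNames:
  - orders.payments.svc.cluster.local  # the name peers verify when connecting
  - orders.payments.svc
  usages:
  - digital signature
  - key encipherment
  - server auth                        # accept incoming mTLS connections
  - client auth                        # present this identity to other services
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always             # generate a fresh key on every renewal rather than reusing it
  issuerRef:
    name: internal-ca
    kind: Issuer
```

Peers verify each other against the `ca.crt` that the CA issuer places in the same Secret, so no public CA is involved and only workloads holding a certificate from `internal-ca` can complete the handshake.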

Managing workloads in a service mesh

Related to mTLS, the growing popularity of service mesh (Learn about service meshes) tooling is the second use case for cert-manager. 

Indeed, the tool is similarly relevant as a native integration point for service meshes such as Istio or Linkerd. The cert-manager control plane can issue and rotate the certificates the mesh relies on to protect data flows that require automated protection, which is something cert-manager is best placed to provide in cloud native environments.

Standardise your approach to certificate management

Whilst cloud-native deployments continue to grow in popularity—both for new and existing applications—many enterprises, stung by previous experiences, have used this as an opportunity to avoid vendor lock-in and deploy a multi-cloud approach.

Fortunately, as a cloud agnostic, open-source solution, cert-manager can be deployed without worry. No matter your underlying technology stack, cert-manager can be used to help you to standardise your approach to certificate management.
