Integrating cert-manager with Google Cloud Certificate Authority Service

cert-manager builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide ‘certificates as a service’ to developers working within your Kubernetes cluster. cert-manager is very popular with tens of thousands of users.

cert-manager can be used for many different use cases within your clusters, including mutual TLS (mTLS) between workloads, and for securing traffic from end users with ingress. cert-manager provides integrations with many different ways of obtaining those certificates, including Let’s Encrypt, Venafi Trust Protection Platform, and a Certificate Authority issuer that allows for signing with a CA certificate obtained from any source.

CAS Issuer for cert-manager

Today we are announcing that we are adding another integration option: Google Cloud’s new Certificate Authority Service.

The Google Cloud Certificate Authority Service (CAS) provides:

  • Private CAs “as a service” for internal workloads (as opposed to something like Let’s Encrypt where the certificates will be public)
  • Automation and auditing
  • Secure storage of the CA key, as Google CAS leverages HSMs that are FIPS 140-2 Level 3 validated

Read more about the full set of features in the product documentation.

How it works

Working closely with Google, we developed an external Issuer for cert-manager, in order to automate the lifecycle of certificates with a CAS-managed CA. The CAS Issuer is a separate controller to cert-manager and runs its own pod, enabling you to use the same interfaces to create and manage certificates in Kubernetes as you would publicly-trusted certificates (e.g. Let’s Encrypt).

Google CAS External Issuer

Getting started

Follow the open source project documentation to set up the prerequisites, build and install the controller, and configure the CAS Issuer.

kubectl get googlecasclusterissuers

NAME                            AGE
googlecasclusterissuer-sample   10s

You can now create certificates as normal; the only difference is that the issuerRef must point at the Google CAS Issuer.

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-certificate
  namespace: default
spec:
  # The secret name to store the signed certificate
  secretName: demo-cert-tls
  # Common Name
  commonName: cert-manager.io.demo
  # DNS SAN
  dnsNames:
    - cert-manager.io
    - jetstack.io
  # Duration of the certificate
  duration: 24h
  # Renew 8 hours before the certificate expiration
  renewBefore: 8h
  # Important: Ensure the issuerRef is set to the issuer or cluster issuer configured earlier
  issuerRef:
    group: cas-issuer.jetstack.io
    kind: GoogleCASClusterIssuer
    name: googlecasclusterissuer-sample
EOF

Shortly afterwards, the certificate will be requested and made available to the cluster.

kubectl get certificates,secret
NAME                                           READY   SECRET          AGE
certificate.cert-manager.io/demo-certificate   True    demo-cert-tls   1m

NAME                                     TYPE                                  DATA   AGE
secret/demo-cert-tls                     kubernetes.io/tls                     3      1m

The certificate in this example had a duration of 24h, and cert-manager will automatically renew it 8h prior to expiry. You could also manually renew it with the kubectl plugin.
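As an added example (not code from the cert-manager or cas-issuer projects), the following Python script lints a Certificate spec before it is applied: it parses the Go-style duration strings cert-manager uses ("24h", "1h30m"), checks that the issuerRef really targets the GoogleCASClusterIssuer created earlier rather than falling through to a different issuer when the group is omitted, and computes when cert-manager will attempt renewal. The manifest from this post is embedded as a constructed Python dict so the script runs offline; the validation thresholds (duration at least 1h, renewBefore at least 5m and shorter than duration) and the defaults (90 days / 30 days) are assumptions based on cert-manager's documented validation rules.

```python
"""Pre-flight linter for a cert-manager Certificate targeting the Google CAS issuer.

Added example, not part of cert-manager or the cas-issuer project.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed thresholds, based on cert-manager's validation rules.
MIN_DURATION = timedelta(hours=1)
MIN_RENEW_BEFORE = timedelta(minutes=5)
DEFAULT_DURATION = "2160h"      # cert-manager default: 90 days
DEFAULT_RENEW_BEFORE = "720h"   # cert-manager default: 30 days

# Constructed from the manifest in the post (YAML flattened to a dict).
SAMPLE_SPEC = {
    "secretName": "demo-cert-tls",
    "commonName": "cert-manager.io.demo",
    "dnsNames": ["cert-manager.io", "jetstack.io"],
    "duration": "24h",
    "renewBefore": "8h",
    "issuerRef": {
        "group": "cas-issuer.jetstack.io",
        "kind": "GoogleCASClusterIssuer",
        "name": "googlecasclusterissuer-sample",
    },
}

# The issuer created in the "Getting started" step: (group, kind, name).
EXPECTED_ISSUER = ("cas-issuer.jetstack.io", "GoogleCASClusterIssuer",
                   "googlecasclusterissuer-sample")

# Only the units cert-manager manifests normally use; "ms" must precede "m".
_UNITS = {"ms": 0.001, "h": 3600, "m": 60, "s": 1}
_GO_DURATION = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")


def parse_go_duration(text: str) -> timedelta:
    """Parse a Go duration string such as '24h', '1h30m' or '500ms'."""
    pos, total = 0, 0.0
    for m in _GO_DURATION.finditer(text):
        if m.start() != pos:          # garbage between components
            raise ValueError(f"invalid duration: {text!r}")
        total += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):  # nothing parsed, or trailing garbage
        raise ValueError(f"invalid duration: {text!r}")
    return timedelta(seconds=total)


def lint_certificate(spec: dict, expected_issuer=EXPECTED_ISSUER) -> list:
    """Return a list of problems; an empty list means the spec passes."""
    problems = []
    ref = spec.get("issuerRef", {})
    # cert-manager defaults a missing group to cert-manager.io, which routes the
    # request to the built-in issuers instead of the external CAS issuer.
    actual = (ref.get("group", "cert-manager.io"), ref.get("kind"), ref.get("name"))
    if actual != tuple(expected_issuer):
        problems.append(f"issuerRef {actual} does not match the CAS issuer "
                        f"{tuple(expected_issuer)}")
    if not spec.get("dnsNames") and not spec.get("commonName"):
        problems.append("certificate has neither dnsNames nor commonName")
    try:
        duration = parse_go_duration(spec.get("duration", DEFAULT_DURATION))
        renew_before = parse_go_duration(spec.get("renewBefore", DEFAULT_RENEW_BEFORE))
    except ValueError as exc:
        return problems + [str(exc)]
    if duration < MIN_DURATION:
        problems.append(f"duration ({spec.get('duration')}) is shorter than 1h")
    if renew_before < MIN_RENEW_BEFORE:
        problems.append(f"renewBefore ({spec.get('renewBefore')}) is shorter than 5m")
    if renew_before >= duration:
        problems.append(f"renewBefore ({spec.get('renewBefore')}) must be shorter "
                        f"than duration ({spec.get('duration')})")
    return problems


def renewal_delay(spec: dict) -> timedelta:
    """Time after issuance at which cert-manager attempts renewal."""
    return (parse_go_duration(spec.get("duration", DEFAULT_DURATION))
            - parse_go_duration(spec.get("renewBefore", DEFAULT_RENEW_BEFORE)))


def renewal_time(not_before: datetime, spec: dict) -> datetime:
    """Absolute renewal time for a certificate issued at not_before."""
    return not_before + renewal_delay(spec)


if __name__ == "__main__":
    issues = lint_certificate(SAMPLE_SPEC)
    print("lint:", issues or "ok")
    issued = datetime(2020, 10, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    print("renewal attempt at:", renewal_time(issued, SAMPLE_SPEC).isoformat())
```

Run it against a spec whose issuerRef omits the group or names a different kind and the first problem reported is the issuer mismatch; that is the misconfiguration the comment in the manifest warns about, and catching it before apply avoids waiting on a CertificateRequest that the CAS Issuer never picks up.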

Project and service availability

You can give this a try today! The Google Cloud Certificate Authority Service is in public beta, and the CAS Issuer for cert-manager, developed and maintained by Jetstack, is available and open source now.

If you would prefer an easier setup then keep an eye out for a supported offering in the Google Cloud Marketplace. We will share an announcement when it is available with all the details you will need to get started.