Jetstack and Venafi join forces to bring Machine Identity Protection to the cloud native stack

At Jetstack, we’re today announcing that we have signed an agreement to join Venafi, the global leader in Machine Identity Protection. This is an incredible milestone for the team and we’re thrilled to share the news with our customers, partners and the community. In this post, I wanted to take the opportunity to talk through the partnership, how we’ve got to where we are, and importantly, the exciting path that lies ahead for us both.

Open source roots

Since co-founding in 2015, we’ve been huge advocates of Kubernetes and its power to transform modern IT. But back then it was far from certain it would ever take off and gain wider interest and adoption. In actual fact, in those early workshops and meetings, it was a difficult sell - and that often meant no sale! The project quickly evolved and the community grew rapidly and it became clearer with each release that this technology would be hugely disruptive.

Jetstack’s involvement in the ecosystem and contribution to open source started very early. As consumers of open source cloud native software, especially Kubernetes, it has always been important to us that we play an active role and contribute in the community. One of our very earliest projects, kube-lego, was started by Christian Simon, our first employee, in his first month, following a weekend interview coding task that tackled a Kubernetes issue that piqued our interest. Little did we know that this would go on to become a hugely popular tool, help raise the profile of a fledgling UK startup, and plant the seed for cert-manager. It even saw the team being congratulated and presents being given at conferences!

Cert-manager success

It’s been quite remarkable to see the cert-manager project grow to where it is today. Pioneered by James Munnelly, and with the support of a growing team of engineers at Jetstack, it is today used by companies all across the world, and in all sorts of industries, including government departments, large financial institutions, car manufacturers, retail stores and more.

With a thriving developer community of over 200 contributors, cert-manager has really asserted itself as the go-to tool for using certificates in the Kubernetes space. The community has provided feedback through design discussion, user experience reports, code and documentation contributions as well as serving as a source for free community support. The community has been invaluable to the project’s success and we’re thankful for everyone’s contribution to get it where it is today.

Jetstack’s open source innovation

Jetstack’s open source involvement stretches beyond cert-manager too. With our day-to-day experience supporting customers that operate Kubernetes infrastructure at scale, across our field and customer reliability engineering teams, we’re able to contribute these learnings, innovate and experiment. Preflight, kube-oidc-proxy, terraform-google-gke-cluster, and many more before them: these are just a few of the projects that the team have engineered based on real-world challenges we’ve encountered with our customers in the field.

A partnership that’s grown over time

Jetstack and Venafi have been teamed up for some time, working closely together with customers and their requirements for enterprise-level machine identity with Kubernetes and OpenShift. Venafi found Jetstack cert-manager early in the project, almost two years ago, and we’ve been working together ever since with Venafi’s Development Fund sponsorship and support. We’ve collaborated on many new cert-manager features, including private key rotation, OpenShift support and more recently on experimental work to support the beta Kubernetes CSR API in 1.18.

Machine Identity Protection for cloud native - a combined vision

Machine identities are fundamental to secure systems. In cert-manager, we make it much easier for application developers to secure web applications in Kubernetes and OpenShift, automating the toil of X.509 certificate issuance and renewal from a certificate provider of choice. It’s one less complex infrastructure component to manage, and it’s been transformative to organisations that were previously used to the rigmarole of manual operations that often involved use of emails and spreadsheets! This high level of automation also, of course, means an improved security posture and a reduced chance of outages.

Building on the power that is Kubernetes, cert-manager works consistently across clouds and environments. We see it used all over - from home clusters and public clouds, all the way through to edge locations, including in some cases retail stores! Developers can obtain identities, often quite transparently in a platform, and all the while the certificates and their status and events can be introspected, audited and policy-enforced via the Kubernetes API and tooling by platform and security teams. The Jetstack team, with contributors across the community, have engineered out the complexity - whether it’s DNS challenges in CloudFlare or Route53, or using Vault and NGINX - and built in speed that powers some of the largest users of Kubernetes. You probably use a web or mobile application that’s powered by cert-manager every day.

The need for identity stretches much further - from the underlying nodes that host these containers in a cluster, to the web of control plane components that power Kubernetes, as well as workloads in a service mesh that need to securely interoperate. Istio, serverless and more are problem spaces the Jetstack team plan to tackle. Identity provides the foundation upon which systems of policy and authorisation, audit, threat detection and more can be built. It’s this vision that we share with Venafi, one of many reasons we see this as an opportunity to work together in building the future of cloud native security.

Investing in the team, the community and ecosystem

Jetstack will continue to operate independently, backed by Venafi. We will now accelerate our plans, and that means growing our field and product engineering teams and contributing more to the open source community. It means more engineering and support for the cert-manager project itself, but also working with projects across the ecosystem on open source and open standards. We will look at open governance of our projects and attract a broad and diverse set of stakeholders and contributors.

A strange and unusual time

On a personal level, if I’m honest, this feels a strange time to be celebrating. We’re all sadly surrounded by the effects of Covid-19 on our communities and society, many of us locked down, unable to see friends and family. As a team, we all wish we could be together in person to celebrate our success and meet up with our new wider team at Venafi. This time will come; in the meantime, I’ve no doubt that the team we’re so proud of will continue to be adaptable and will be as hard working and passionate as ever operating in this new normal.

I am encouraged by the unprecedented level of medical research taking place, with collaboration across the globe, that will one day, I hope, let our societies safely reopen and recover. Some of our own customers are investigating the Coronavirus and providing online medical services to vulnerable members of our society and we’re there to support their digital endeavours in this response every step of the way.

The exciting opportunity ahead

This is an exciting opportunity and we can’t wait to take our partnership with Venafi to the next level - come and get involved in our community and work with us as we build machine identity protection for the cloud native age. A huge thank you to the team, the community, and to our many customers and partners.

Let’s go do this!