Cloud native certificate management with cert-manager
Think about a situation where you want to secure traffic between your applications. You can use TLS certificates to establish secure connections between them. However, creating those certificates by hand and then maintaining them, keeping track of their expiry dates and rotating them before they expire is a hassle, and it only gets more tedious as the number of certificates grows. This is where cert-manager comes in. In this blog post we will learn how to use it.
Cert Manager:
Cert-manager is a Kubernetes add-on that automates the creation and renewal of certificates for your applications, so you do not have to manage the certificate lifecycle yourself. It supports a variety of certificate issuers, including self-signed certificates, a private CA, ACME providers such as Let's Encrypt, and HashiCorp Vault.
Installation:
We will follow the installation process for cert-manager on OpenShift, but installing it on other Kubernetes distributions (plain Kubernetes, Rancher) is similar. There are several ways to install cert-manager, described in the cert-manager installation documentation. On OpenShift there is also an operator, which gives easier setup and lifecycle management; the OpenShift documentation explains operators in more detail. For this post we will use a self-signed issuer to issue certificates in the cluster.
For installation and testing, I used a CRC-based OpenShift cluster with the following versions:
CRC version: 2.12.0+ea98bb41
OpenShift version: 4.11.18
Podman version: 4.2.0
To install the operator, we can use the OperatorHub in the OpenShift web console:
Once it is successfully installed, we can check that the cert-manager pods are running in the openshift-operators namespace:
Once the operator is installed, we have to set up an issuer. For this demo we use a self-signed ClusterIssuer. Self-signed issuers are not advisable in a production environment: nothing vouches for the certificate except the certificate itself, so every client would have to be configured to trust each certificate individually, and there is no CA to revoke or rotate. Use a CA-backed issuer (a private CA, ACME or Vault) instead. Note that ClusterIssuer is a cluster-scoped resource and therefore has no namespace; if you want to restrict issuance to a single namespace, use the namespaced Issuer resource instead.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
Now we are ready to start issuing certificates.
Usage:
To issue a certificate for our application, we use the Certificate custom resource. We define the resource and apply it with oc apply -f certificate.yaml. Cert-manager then generates a private key, has the issuer named in issuerRef sign a certificate for it, and stores the result in the Secret named by secretName (my-app-tls here), in the same namespace as the Certificate, as tls.crt (the certificate) and tls.key (the private key). The duration below (8760h, one year) is the requested lifetime and renewBefore (720h, 30 days) is how long before expiry cert-manager re-issues. The usages list is what ends up in the key usage and extended key usage extensions; this example requests digital signature and client auth only, so if the certificate is meant to be presented by a server, add server auth as well, or strict TLS clients will reject it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  labels:
    app: my-app
    heritage: Helm
    provider: sytac
    release: test
  name: my-app-certificate
  namespace: default
spec:
  commonName: my-app
  dnsNames:
    - my-app
  duration: 8760h0m0s
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: selfsigned-cluster-issuer
  renewBefore: 720h0m0s
  secretName: my-app-tls
  subject:
    countries:
      - NL
    localities:
      - Amsterdam
    organizations:
      - Sytac
    provinces:
      - Amsterdam
  usages:
    - digital signature
    - client auth
Once we apply this manifest, we can look at the Secrets in the default namespace and verify that my-app-tls has been created. We can then extract tls.crt from the secret and inspect it to confirm that the subject, the DNS names, the validity period and the key usages match what we requested:
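To make the inspection step concrete, here is an added example (not code from the original post or from the cert-manager project) in Go, the language cert-manager itself is written in. It builds a self-signed certificate with the same subject, SANs, usages and lifetime as the Certificate manifest above, parses it back the way you would parse tls.crt from the secret, reproduces cert-manager's documented renewal rule (notAfter minus renewBefore, falling back to two thirds of the lifetime), and verifies the certificate as a Go TLS peer would. The issue time, the serial number and the throw-away P-256 key are constructed for the example; the function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Values copied from the Certificate manifest (spec.duration, spec.renewBefore).
const (
	Duration    = 8760 * time.Hour // 365 days
	RenewBefore = 720 * time.Hour  // 30 days
)

// IssueSelfSigned builds a self-signed X.509 certificate with the subject,
// SANs, usages and lifetime the manifest asks the self-signed issuer for and
// returns it PEM-encoded, i.e. in the shape of tls.crt in the Secret.
// The P-256 key is generated and discarded; this is illustration only.
func IssueSelfSigned(notBefore time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed; real issuers use random serials
		Subject: pkix.Name{
			CommonName:   "my-app",
			Country:      []string{"NL"},
			Locality:     []string{"Amsterdam"},
			Province:     []string{"Amsterdam"},
			Organization: []string{"Sytac"},
		},
		DNSNames:    []string{"my-app"}, // spec.dnsNames -> SAN; TLS clients match this, not the CN
		NotBefore:   notBefore,
		NotAfter:    notBefore.Add(Duration),
		KeyUsage:    x509.KeyUsageDigitalSignature,                  // usages: digital signature
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // usages: client auth
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ParseCert decodes the first CERTIFICATE block of a PEM file such as tls.crt.
func ParseCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// RenewalTime reproduces cert-manager's documented rule: renew at
// notAfter - renewBefore; if renewBefore is unset or not shorter than the
// lifetime, renew at two thirds of the lifetime instead.
func RenewalTime(cert *x509.Certificate, renewBefore time.Duration) time.Time {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	if renewBefore <= 0 || renewBefore >= lifetime {
		renewBefore = lifetime / 3
	}
	return cert.NotAfter.Add(-renewBefore)
}

// NeedsRenewal is true once the renewal time has passed. A tls.crt that still
// reports true in the cluster means cert-manager is not rotating it.
func NeedsRenewal(cert *x509.Certificate, renewBefore time.Duration, now time.Time) bool {
	return !now.Before(RenewalTime(cert, renewBefore))
}

// VerifyFor checks the certificate the way a Go TLS peer would: validity
// window, SAN/hostname match and extended key usage. The certificate itself is
// the trust root, which is the only way a self-signed certificate can be trusted.
func VerifyFor(cert *x509.Certificate, host string, usage x509.ExtKeyUsage, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{usage},
	})
	return err
}

func main() {
	notBefore := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue time
	pemBytes, err := IssueSelfSigned(notBefore)
	if err != nil {
		panic(err)
	}
	cert, err := ParseCert(pemBytes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%s sans=%v notAfter=%s renewAt=%s\n",
		cert.Subject, cert.DNSNames, cert.NotAfter.UTC(), RenewalTime(cert, RenewBefore).UTC())
	at := notBefore.Add(24 * time.Hour)
	fmt.Println("as client cert:", VerifyFor(cert, "my-app", x509.ExtKeyUsageClientAuth, at))
	fmt.Println("as server cert:", VerifyFor(cert, "my-app", x509.ExtKeyUsageServerAuth, at))
}
```

The last two lines of main show the usages caveat in practice: with only client auth in the manifest the certificate verifies as a client certificate but is rejected as a server certificate with an incompatible-usage error, which is exactly what a strict TLS client would tell you. Only the DNS SAN matters for hostname matching; Go, like modern browsers, ignores the commonName.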
Conclusion
Creating, managing and rotating certificates is complex work, and it gets harder as the number of certificates grows, which it will in any modern, security-conscious environment. Cert-manager automates these processes, which is a big win for most IT teams. Best of all, cert-manager does not wait for a certificate to expire: it re-issues the certificate ahead of time, at the point set by renewBefore, and writes the new key pair into the same Secret. The one thing that remains your job is making sure the application actually picks up the new key material from the Secret, whether by reloading it from the mounted volume or by restarting the pod.
Faizan Ahmad / Sytac BV / Software and DevOps Engineer