Jetstack, a unit of Venafi, launched a platform dubbed Jetstack Secure through which IT teams can automate the management of certificates in Kubernetes environments.
Matt Bates, Jetstack CTO, says that as more microservices-based applications are deployed across a distributed computing environment, a more automated approach is needed for managing both public trusted certificates for ingress based on the Transport Layer Security (TLS) protocol and private certificates for intra-service mTLS using a service mesh.
Jetstack Secure, which is accessed as a service, is based on the open source cert-manager software for Kubernetes that Jetstack donated to the Cloud Native Computing Foundation (CNCF). cert-manager is currently a sandbox-level CNCF project; the ultimate goal is to further integrate the tool, which manages X.509 machine identities for Kubernetes, with other security and IT management projects being advanced by the CNCF, including the Open Policy Agent (OPA) project and the Service Mesh Interface (SMI) initiative.
The platform is accessed via a web interface through which IT teams can track certificates, including any that have been manually created by developers. It also identifies operational issues based on cert-manager status and health, as well as X.509 certificate misconfigurations.
Bates says IT organizations need a platform through which all the machines that make up a Kubernetes environment can be easily identified and certified. In addition, that platform needs to make it simple to renew certificates with a certificate authority (CA). This will help ensure there is no unexpected disruption – for example, two machines denied permission to communicate with each other – due to an expired certificate.
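The automated renewal described above is what a cert-manager `Certificate` resource declares. The manifest below is an added illustration written for this article, not configuration from Jetstack or the cert-manager project; the hostname `app.example.internal`, the Secret name `app-tls` and the `ClusterIssuer` named `internal-ca` are assumed placeholders, and a `ClusterIssuer` of that name must already exist in the cluster for the request to be fulfilled.

```yaml
# Added example (not from the article or the cert-manager project).
# Declares a TLS certificate that cert-manager requests from a CA and
# renews on its own, so the expiry-driven outage described above cannot
# happen silently.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls                 # assumed name
  namespace: default
spec:
  # Kubernetes Secret that will hold tls.crt / tls.key for the Ingress
  # or the service mesh to mount.
  secretName: app-tls
  # Requested lifetime: 90 days.
  duration: 2160h
  # Start renewal 15 days before expiry; cert-manager then reissues and
  # rewrites the Secret without operator action.
  renewBefore: 360h
  dnsNames:
    - app.example.internal     # assumed hostname
  # Which CA to ask. The issuer itself (ACME, Vault, an internal CA, ...)
  # is configured once in a separate ClusterIssuer resource.
  issuerRef:
    name: internal-ca          # assumed ClusterIssuer name
    kind: ClusterIssuer
```

Once applied, `kubectl get certificate -A` lists every managed certificate with a `READY` column, and `kubectl describe certificate app-tls` shows the `Not After` time and the status conditions cert-manager reports; those same status fields are what a dashboard such as the one described in the article surfaces, so a certificate stuck in a not-ready state is visible well before the old one expires.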
The speed at which certificates can be issued is also a critical issue as the rate of application deployment increases. DevOps teams, for example, often require requested certificates to be available in seconds. As the number of microservices-based applications expands, so does the number of certificates required. Making it simpler for IT teams to automatically request certificates ultimately reduces friction across a DevOps workflow.
The lack of a certificate can also have a significant impact on web applications that continue to run. Web applications that don’t have certificates are penalized in search rankings because the underlying site is assumed to be insecure. In some cases, IT teams that rely on manual processes to issue certificates may not even be aware of the issue until traffic to that application steadily declines over weeks and months for what appears to be an inexplicable reason.
Certificate management, of course, is not always top of mind in IT operations. However, just about every IT professional has encountered at least one instance where an expired certificate has led to a disruption in service. While it doesn’t usually take long to restore service, certificates that are allowed to expire tend to erode end user confidence in an IT team. The issue now is that, as the number of certificates that need to be issued and updated increases, the opportunity for mistakes to be made also increases.