The Cloud Native Computing Foundation (CNCF), which builds sustainable ecosystems for cloud native software, today announced the graduation of cert-manager.
cert-manager helps cloud native developers automate Transport Layer Security (TLS) and Mutual Transport Layer Security (mTLS) certificate issuance and renewal. It ensures secure communication within distributed systems by automating and simplifying the issuance, renewal, and lifecycle management of X.509 certificates in Kubernetes platforms. This eliminates the manual process of generating and managing certificates and helps ensure systems remain secure without constant manual intervention.
"By making it easier for developers to obtain, manage, and automate security certificates, cert-manager helps ensure applications remain secure throughout their lifecycles, making the ecosystem more secure as a whole," said Chris Aniszczyk, CTO of CNCF. "We're thrilled to see the project reach this milestone and look forward to it continuing to improve the cloud native security space."
cert-manager was created in 2017 at Jetstack, which is now a part of Venafi, a CyberArk company. It was accepted into the CNCF Sandbox in November 2020, and, over the past four years, has continued to grow, bringing in new maintainers, expanding its user base, and adding key features in response to community needs. It has built a network of more than 450 contributors and issued more than 200 releases. It moved to the Incubating maturity level in 2022 and today plays a vital role in the CNCF ecosystem by integrating with other projects like Kubernetes, SPIFFE, Istio, Prometheus, and Envoy to strengthen cloud native infrastructure security across diverse environments.
"cert-manager is an essential component in our Cluster API-based Kubernetes platform," said Spyros Synodinos, Giantswarm. "It has streamlined our SSL/TLS certificate management, enhancing security while reducing operational overhead. As long-time users, we're thrilled to see cert-manager graduate, confirming its critical role in the modern cloud native environment."
The project is now seeing 500 million downloads per month, and user research suggests 86 percent of new production clusters are created with cert-manager deployed as standard practice to manage the issuance and renewal of TLS and mTLS certificates. It has subprojects to help with a variety of tasks, including secretless issuance, trust store management, and certificate policy enforcement. It has also extended support for external issuers such as AWS Private CA, Google CAS, and HashiCorp Vault while integrating with service meshes to enhance security across cloud native environments.
"The graduation of cert-manager marks a significant leap toward becoming the de facto project for certificate management," said Trilok Geer, Red Hat. "It reflects the dedication of its contributors and the trust placed in it by organizations to automate certificate processes, securing their cloud native solutions."
The project's roadmap includes support for ACME Renewal Information (ARI), which will provide a cleaner method for renewing certificates using the ACME protocol, as well as an aim to shrink cert-manager's core components, minimizing the surface area of cert-manager to reduce the attack surface, binary size, container size and complexity, and enabling best practice PKI management.
"cert-manager's graduation is the cherry on top of a fantastic year," said Ashley Davis, cert-manager maintainer and staff software engineer at Venafi, a CyberArk company. "I'm so proud that in August, we onboarded our first full maintainer, who came entirely from the community we've built. I'm excited for the future of TLS in a world where quantum computers threaten the cryptography underpinning most security on the modern web. cert-manager has an important role to play in helping to solve quantum-resistant TLS in Kubernetes, and we relish the challenge."
"I never would have thought that a project which started as an interview exercise would achieve graduated status in CNCF and be held alongside projects like Kubernetes, Istio, and etcd," said Matt Barker, co-founder & former CEO of Jetstack and VP & global head of workload identity architecture at Venafi, a CyberArk company. "This milestone is a true testament to the commitment of our engineering team and our community. I'm incredibly proud of everyone involved."
"It's incredible to see the cert-manager community grow to where it is today, and its broad adoption across the cloud native ecosystem," said James Munnelly, cert-manager project maintainer. "The cert-manager project is rooted in the community with one common goal, making TLS certificate management in Kubernetes seamless. Its graduation is a very proud moment for myself and the many others who have been integral to the project's success. A huge thank you to all that have been involved!"
"CNCF empowers cert-manager by providing a solid framework for governance, legal support, and infrastructure sponsorship," said Tim Ramlot, cert-manager maintainer and senior software engineer at Venafi, a CyberArk company. "Furthermore, CNCF's commitment to supplier neutrality greatly strengthens the dependability of cert-manager."
To officially graduate from incubating status, the project completed a CNCF-sponsored security audit, revamped its governance documentation creating a path for contributors to become full maintainers, worked with TAG Security and TAG Contributor Strategy to review security and community posture, and migrated testing and release processes to CNCF-owned infrastructure.
To learn more about cert-manager, visit the cert-manager kiosk (#10A) in the Project Pavilion at KubeCon + CloudNativeCon North America 2024.