{"id":1375,"date":"2019-02-26T10:55:50","date_gmt":"2019-02-26T10:55:50","guid":{"rendered":"https:\/\/www.appservgrid.com\/paw93\/?p=1375"},"modified":"2019-03-07T20:44:47","modified_gmt":"2019-03-07T20:44:47","slug":"cert-manager-reaches-v0-6-jetstack-blog","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw93\/index.php\/2019\/02\/26\/cert-manager-reaches-v0-6-jetstack-blog\/","title":{"rendered":"Cert-manager reaches v0.6 \/\/ Jetstack Blog"},"content":{"rendered":"<p>We\u2019re excited to announce v0.6 of <a href=\"https:\/\/github.com\/jetstack\/cert-manager\">cert-manager<\/a>, the general purpose x509 certificate management tool for Kubernetes. cert-manager provides automated issuance, renewal and management of certificates within your organisation.<\/p>\n<p>Certificate management in highly dynamic environments is no easy feat, and if approached without careful consideration<br \/>\ncould quickly lead to outages and service interruption when certificates begin expiring.<br \/>\nBy standardising on a single tool for managing your PKI assets, you can ensure that certificates are being<br \/>\nautomatically renewed, and that the appropriate teams are notified if there are any issues or policy violations within<br \/>\nyour cluster.<\/p>\n<p>Over the last year, we\u2019ve seen the project grow rapidly, approaching 3,000 stars on GitHub and with a community of<br \/>\nover 100 code contributors, and thousands of people providing support, discussion and insight.<\/p>\n<p>In this post, we\u2019re going to explore some of the new features of the v0.6 release, as well as discuss our plans for<br \/>\nthe project as it works towards a \u201c1.0\u201d release!<\/p>\n<p>In the past, due to the way that cert-manager was initially designed, we\u2019ve had problems controlling and managing<br \/>\ncert-manager\u2019s ACME client usage. 
This has in some cases led to excessive use of ACME APIs, which can cause problems<br \/>\nfor public ACME providers such as Let\u2019s Encrypt.<\/p>\n<p>This release significantly refactors how we process and manage ACME certificates, and as a result we\u2019ve seen a net<br \/>\nreduction in API usage of up to 100x in some of the worst cases.<br \/>\nMaking this change was no small job, and has taken a few months to properly mature into what it is today.<\/p>\n<p>In order to achieve these improvements, we\u2019ve created \u2018Order\u2019 and \u2018Challenge\u2019 resource types within the Kubernetes API.<br \/>\nThis allows us to cache and reason about objects that would usually only exist within the ACME server, using our own<br \/>\nAPI. By doing it this way, it also allows more advanced users and integrators to understand and control the ACME Order<br \/>\nflow, as we present structured information about the process in the form of our CRDs.<\/p>\n<p>To summarise, this restructure gives us:<\/p>\n<ul>\n<li>Centralised point of logging and debugging of the ACME authorization process. Instead of searching through log<br \/>\nmessages, it\u2019s now possible to run kubectl describe to understand what the state of a certificate is.<\/li>\n<li>Fewer API calls to ACME servers. Information about Orders and Challenges is now stored within the Kubernetes API.<br \/>\nThis means we don\u2019t need to query the ACME API in order to make control-flow decisions.<\/li>\n<li>Cleaner, more understandable separation of concerns. This allows you to build your own integrations and \u2018hook in\u2019<br \/>\nto the authorization process.<\/li>\n<\/ul>\n<p>This is largely an internal change, but with far-reaching benefits. 
For more details, see pull<br \/>\nrequest <a href=\"https:\/\/github.com\/jetstack\/cert-manager\/pull\/788\">#788<\/a>.<\/p>\n<p>We are keen to hear feedback on this new design, so please create issues including the \/area acme text in order to<br \/>\nreport feedback.<\/p>\n<p>Off the back of the changes discussed above, we\u2019ve been able to implement far more intelligent handling of rate limits<br \/>\nand quotas with ACME servers. This was previously not possible, due to the way we scheduled challenges for processing.<\/p>\n<p>In large scale deployments, we\u2019ve seen these changes have an extremely positive effect. In one case, up to 80000 domain names were validated without hitting quota troubles! We\u2019ll be publishing more information on some of our<br \/>\nlargest users, and how we\u2019ve helped them with their managed certificate offerings, over the coming weeks &#8211; stay tuned!<\/p>\n<p>So far we\u2019ve spoken a lot about improving how we use external APIs, but how do we know we\u2019ve made improvements?<\/p>\n<p>Well, as part of v0.6 we\u2019ve expanded out the set of Prometheus metrics we expose. This allows you to build custom<br \/>\ndashboards and alerts to monitor your cert-manager deployment, including:<\/p>\n<ul>\n<li>Certificate expiry times<\/li>\n<li>Number of certificates<\/li>\n<li>How the ACME client is used<\/li>\n<\/ul>\n<p>In later releases we\u2019re going to extend this further so that you can build alerting policy so you can keep ahead of<br \/>\nthe curve with upcoming or newly introduced issues!<\/p>\n<p>Below is an example of a dashboard we\u2019ve assembled, that allows you to monitor how cert-manager is interacting with<br \/>\nLet\u2019s Encrypt APIs. 
The metrics are broken down by path, status code and a number of other labels:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/blog.jetstack.io\/blog\/cert-manager-0.6\/metrics-dashboard.png\" alt=\"Image of the metrics produced by the cert-manager acme client\" \/><\/p>\n<p>A sample of the metrics exposed by the ACME client<\/p>\n<p>We\u2019ll also be publishing some example dashboards that can be easily used with cert-manager over the coming releases.<\/p>\n<p>In earlier releases, we introduced the \u2018webhook\u2019 component which performs advanced resource validation of your<br \/>\nresources before they can be stored in the apiserver, such as ensuring that all DNS names provided are valid.<\/p>\n<p>This means that when a user creates a Certificate, Issuer or ClusterIssuer resource, they can be validated and checked<br \/>\nto ensure they are well-formed and don\u2019t contain mistakes that could otherwise cause problems for the way the<br \/>\ncontroller works.<\/p>\n<p>As part of the v0.6 release, we now enable this webhook component by default. Doing this will ensure that all users<br \/>\nare running with a \u2018level playing field\u2019 and hopefully prevent bugs\/misconfigurations sneaking into production setups!<\/p>\n<p>It\u2019s been requested for a while that we support different private key types beyond RSA. Thanks to the community, we now<br \/>\nsupport ECDSA private keys in all parts of cert-manager.<\/p>\n<p>In order to use the alternate key algorithm, you can simply specify certificate.spec.keyAlgorithm on your Certificate<br \/>\nresource. 
As the project matures, we\u2019ll look to add and expose new fields like this as part of the API specs.<\/p>\n<p>We hope, in time, to provide meaningful abstractions over the x509 specification, giving you full control over the<br \/>\nshape of your PKI assets!<\/p>\n<p>As part of our validation for this release, we\u2019ve been able to test cert-manager in larger deployment configurations.<br \/>\nThis includes running with tens of thousands of certificate resources at a time, whilst also ensuring that our client,<br \/>\nmemory and CPU usage scale linearly.<\/p>\n<p>As a result of this testing, we\u2019ve also got numerous scale-related improvements triaged for the next release, v0.7.<\/p>\n<p>Since we\u2019ve moved to a monthly release cadence, cert-manager v0.7 is due to be released at the end of February.<br \/>\nThis means more frequent, smaller releases.<\/p>\n<p>cert-manager v0.7 therefore contains a few new features, and a slew of bugfixes. Notable features include:<\/p>\n<ul>\n<li>Webhook based DNS01 solvers (ACME): since we began supporting the ACME DNS01 challenge mechanism, we\u2019ve had requests<br \/>\nfor some way for users to integrate cert-manager with their own DNS nameservers.<br \/>\n<a href=\"https:\/\/github.com\/zuzzas\">@zuzzas<\/a> has been working on a new DNS01 challenge provider, the \u2018webhook\u2019 provider.<br \/>\nThis will allow anyone to integrate cert-manager with their own DNS setups, without having to create pull requests<br \/>\nupstream.<\/li>\n<li>ARM32 and ARM64 support: this has been a long time coming &#8211; from v0.7 onwards, we\u2019ll begin publishing both ARM32 and<br \/>\nARM64 docker images that can be used in your ARM based clusters.<\/li>\n<li>Improvements to the webhook deployment strategy: we\u2019ve previously relied on a CronJob resource that periodically<br \/>\nensures PKI assets for the webhook are up-to-date. 
After feedback, we\u2019ve decided to move this to be handled by a<br \/>\nnew, dedicated controller. This should mean the certificate rotation process for the webhook itself is far more<br \/>\nrobust.<\/li>\n<li>Moving to our own Helm chart repository: this will allow us to publish new copies of the Helm chart more frequently,<br \/>\nand also expose the chart on the <a href=\"https:\/\/hub.helm.sh\">Helm hub<\/a>.<\/li>\n<li>Improved challenge error handling: we\u2019ll be including failure reasons as part of the \u2018reason\u2019 field on Challenge<br \/>\nresources, meaning you\u2019ll no longer need to grep through the cert-manager logs in order to work out why your ACME<br \/>\nvalidations are failing.<\/li>\n<li>Alpha level support for <a href=\"https:\/\/venafi.com\">Venafi<\/a> issued certificates: a lot of enterprise users make use of the<br \/>\nVenafi platform to procure certificates from their own CAs, and have existing processes that utilise the Venafi<br \/>\nmanagement capabilities across their organisations. The v0.7 release will include support for integrating<br \/>\ncert-manager with Venafi, allowing organisations that already have automated PKI configured to begin consuming<br \/>\ncertificates within their Kubernetes clusters.<\/li>\n<\/ul>\n<p>The v0.6 release has been a long time coming, but has set a basis for us to work and pave the way for a stable<br \/>\nv1.0 release. We\u2019re really looking forward to getting the next iteration of the project out there, and have goals to<br \/>\nmature our API to beta (and finally GA) within the next 6 months.<\/p>\n<p>Stay tuned, keep an eye on the project and watch the blog for more updates!<\/p>\n<p><a href=\"https:\/\/blog.jetstack.io\/blog\/cert-manager-0.6\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019re excited to announce v0.6 of cert-manager, the general purpose x509 certificate management tool for Kubernetes. 
cert-manager provides automated issuance, renewal and management of certificates within your organisation. Certificate management in highly dynamic environments is no easy feat, and if approached without careful consideration could quickly lead to outages and service interruption when certificates begin &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.appservgrid.com\/paw93\/index.php\/2019\/02\/26\/cert-manager-reaches-v0-6-jetstack-blog\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Cert-manager reaches v0.6 \/\/ Jetstack Blog&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1375","post","type-post","status-publish","format-standard","hentry","category-kubernetes"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/posts\/1375","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/comments?post=1375"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/posts\/1375\/revisions"}],"predecessor-version":[{"id":1448,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/posts\/1375\/revisions\/1448"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/media?parent=1375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\
/v2\/categories?post=1375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw93\/index.php\/wp-json\/wp\/v2\/tags?post=1375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}