Requirements and Considerations¶
When developing Issuer solutions for the Machine Identity Management Control Plane, you should always build with the goal of certification in mind.
TLS Protect For Kubernetes Certification
Certified solutions see increased adoption from users. Find out more!
Minimum Requirements¶
- The solution must be open source and its container images published to publicly available image registries.
- The solution must automate the production of machine identities from the underlying provider to enforce the security of traffic between workloads.
- The solution must accept the CertificateRequest objects that cert-manager hands to it (those whose issuerRef points at the solution's own Issuer kind) and, directly or indirectly, produce a machine identity for each one.
Security Considerations¶
The extent of your security considerations is somewhat governed by the intention of your Issuer.
As the developer of an Issuer solution, you will need to determine whether your underlying Certificate Authority (CA) could be required to secure internet traffic or not. Internal traffic can be deemed secure once plain-text communication is eliminated, which is comparatively easy to ensure. The requirements for securing internet traffic are higher, since your responsibility then extends to concerns such as identity and attestation (e.g. "is this domain owner really who they say they are?"). In either case the Issuer should verify the CSR's signature (proof of possession of the key) and only issue for names the requester is entitled to.
To put it simply, a self-signed Issuer is much easier to build than an Issuer that fronts a real Certificate Authority, where security concerns such as authentication of the requester must be addressed.
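The reconciliation described under Minimum Requirements and Security Considerations, as an added example that is not the project's own code: a plain-Go stand-in for an external issuer's controller loop that receives a CertificateRequest, ignores requests for other issuers, checks the CSR, applies a policy (no CA certificates for workloads), signs with an in-memory self-signed CA, and writes the result back. The `IssuerGroup`/`IssuerKind` values, the `CertificateRequest` struct and the `NewCSR` sample input are all assumptions constructed for this example; a real issuer uses the cert-manager API types and controller-runtime instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical API group and kind for the external issuer (assumption).
const (
	IssuerGroup = "example.issuers.cert-manager.io"
	IssuerKind  = "ExampleIssuer"
)

// IssuerRef mirrors spec.issuerRef on a cert-manager CertificateRequest.
type IssuerRef struct{ Group, Kind, Name string }

// CertificateRequest is a plain-Go stand-in for the cert-manager object:
// the fields an external issuer reads (spec) and the ones it writes (status).
type CertificateRequest struct {
	Name          string
	IssuerRef     IssuerRef
	Request       []byte        // spec.request: PEM-encoded PKCS#10 CSR
	IsCA          bool          // spec.isCA
	Duration      time.Duration // spec.duration; zero means issuer default
	Certificate   []byte        // status.certificate, set on success
	CA            []byte        // status.ca
	FailureReason string        // recorded when the request is rejected
}

// Issuer holds the signing CA: an in-memory self-signed CA, the easy case.
type Issuer struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	certPEM []byte
}

func NewSelfSignedIssuer(cn string) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true, IsCA: true, MaxPathLenZero: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{cert: cert, key: key, certPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}, nil
}

func (i *Issuer) fail(cr *CertificateRequest, reason string) error {
	cr.FailureReason = reason
	return errors.New(reason)
}

// Reconcile is what the issuer controller does for each CertificateRequest
// cert-manager hands it. It returns an error only for requests it rejects.
func (i *Issuer) Reconcile(cr *CertificateRequest) error {
	if cr.IssuerRef.Group != IssuerGroup || cr.IssuerRef.Kind != IssuerKind {
		return nil // belongs to another issuer; leave it alone
	}
	if len(cr.Certificate) > 0 {
		return nil // already issued; reconciles must be idempotent
	}
	if cr.IsCA { // policy: workloads must not obtain CA certificates here
		return i.fail(cr, "isCA requests are not permitted")
	}
	block, _ := pem.Decode(cr.Request)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return i.fail(cr, "spec.request is not a PEM CSR")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return i.fail(cr, "malformed CSR: "+err.Error())
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return i.fail(cr, "CSR signature invalid: "+err.Error())
	}
	dur := cr.Duration
	if dur == 0 {
		dur = 90 * 24 * time.Hour
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return err
	}
	// Take only the names from the CSR; usages and constraints are decided by
	// the issuer, never copied from requester-controlled CSR extensions.
	ku := x509.KeyUsageDigitalSignature
	if _, ok := csr.PublicKey.(*rsa.PublicKey); ok {
		ku |= x509.KeyUsageKeyEncipherment
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		DNSNames: csr.DNSNames, URIs: csr.URIs, IPAddresses: csr.IPAddresses,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(dur),
		KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: false,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.cert, csr.PublicKey, i.key)
	if err != nil {
		return i.fail(cr, "signing failed: "+err.Error())
	}
	cr.Certificate = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	cr.CA = i.certPEM
	return nil
}

// Verify checks that an issued certificate chains to this CA for name.
func (i *Issuer) Verify(certPEM []byte, name string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("no certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(i.cert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err
}

// NewCSR builds a constructed sample request, standing in for the CSR that
// cert-manager generates from a Certificate resource.
func NewCSR(dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames}, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	issuer, _ := NewSelfSignedIssuer("example-issuer-ca")
	csr, _ := NewCSR([]string{"web.default.svc.cluster.local"})
	cr := &CertificateRequest{Name: "web-1", IssuerRef: IssuerRef{Group: IssuerGroup, Kind: IssuerKind, Name: "example"}, Request: csr}
	fmt.Println("reconcile:", issuer.Reconcile(cr), "verify:", issuer.Verify(cr.Certificate, "web.default.svc.cluster.local"))
}
```

The order of the checks matters: the issuerRef test comes first so that requests for other issuers are never touched, the idempotency check prevents re-issuing on every reconcile, and the CSR is never trusted for anything but the public key and the requested names.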
Building a Better User Experience¶
The user experience should be as painless as possible, and the expectation is that your solution should:
- Be easy to install, preferably via Helm
- Deploy an MVP into the cluster with little or no configuration
- Provide comprehensive logs and metrics for diagnostic purposes
- Provide complete and appropriate documentation, both online and in the CRDs themselves
Conforming to these requirements will greatly enhance the user experience, providing additional value to teams and organizations whilst paving the way to certification of your solution.
Success Stories¶
Existing solutions that fit within this pattern:
- The cert-manager community provides a collection of open-source External Issuers enabling distribution of machine identities from providers including AWS, Google and Cloudflare.
- The venafi-enhanced-issuer is provided with TLS Protect For Kubernetes to meet the needs of enterprise customers.