Securing workloads with OpenShift Service Mesh and cert-manager
In this blog, we will learn how to secure workloads with OpenShift Service Mesh and cert-manager.
Enhancing OpenShift Cluster Security with cert-manager 1.15.1 and Istio Integration
At first glance, version 1.15.1 of the cert-manager Operator for Red Hat OpenShift may appear to be a routine update. This update delivers important enhancements focused on boosting the security framework of OpenShift clusters. As Red Hat OpenShift 4.18 emphasizes the adoption of zero trust principles, the addition of the istio-csr agent—currently available as a Technology Preview—represents a key advancement. It enables more robust and secure handling of TLS certificates within service mesh environments, helping OpenShift clusters align more closely with contemporary security models.
A Closer Look at istio-csr and Istio Integration
The `istio-csr` agent acts as a bridge between cert-manager and the Istio service mesh, streamlining the process of issuing and signing certificates for both control and data plane components. All certificate signing requests (CSRs) within the mesh are now routed through cert-manager, allowing for a unified and enterprise-grade approach to certificate issuance and validation. This enhancement elevates Istio’s default security, aligning it more closely with zero trust principles by verifying workloads using externally managed certificates.
Moreover, OpenShift Service Mesh 3.0—Red Hat’s supported Istio distribution—is now generally available. This development enables administrators to implement cert-manager and Istio integrations seamlessly within the OpenShift platform. Although we refer to Istio throughout this discussion, the same concepts apply to OpenShift Service Mesh.
Zero Trust: Beyond Perimeter Security
Traditional network security models often rely on perimeters—once inside, users or workloads are implicitly trusted. This creates a vulnerability where attackers who bypass the perimeter can move laterally within the system. Zero trust, built on the tenets of “never trust, always verify,” challenges this model by enforcing continuous authentication, limited access privileges, and an assumption of breach.
Cert-manager and Istio together directly address two of these pillars: continuous verification and breach mitigation. Instead of trusting workloads based on network location, certificates verify identity based on cryptographic proof. Cert-manager enables issuance and renewal of these certificates, reducing manual management and extending protection across service-to-service communication.
Strengthening Identity Assurance and Resilience
Although Istio defaults to using an internal Certificate Authority that generates a self-signed root certificate, this setup presents security risks, especially if the private root key, stored as a Kubernetes Secret, is compromised. By integrating cert-manager and using the `istio-csr` component, administrators can offload certificate signing to an external CA. This architecture decentralizes the root key, potentially placing it outside the mesh or in a separate namespace, adding a valuable layer of isolation in the event of a breach.
This model also enables cert-manager to interface with enterprise secrets management systems like HashiCorp Vault, CyberArk Conjur, or cloud-native CAs, ensuring that certificate issuance adheres to your organization’s broader security practices. Authentication between cert-manager and the external CA can be secured using mechanisms supported by the secrets manager, offering stronger assurance of identity and access.
Automatic Certificate Management at Scale
One of the standout advantages of cert-manager is its automation capabilities, particularly around short-lived certificates. Regular rotation of TLS certificates can mitigate the fallout of compromised credentials. While shorter certificate lifespans increase administrative complexity, cert-manager handles this seamlessly, issuing and renewing certificates without operator intervention. Defaults such as one-hour certificate lifetimes (compared to Istio’s 24-hour defaults) offer more frequent key refresh cycles, enhancing protection without sacrificing operational efficiency.
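The CA layout described above (root key held outside the mesh namespace, an intermediate CA in the mesh, and istio-csr requesting short-lived workload certificates from a cert-manager Issuer) can be expressed with plain cert-manager resources. The manifests below are an added example written for this discussion, not configuration shipped by Red Hat, the cert-manager Operator or the istio-csr project; the names `selfsigned-bootstrap`, `root-ca` and `istio-ca`, the namespaces `cert-manager` and `istio-system`, and the chosen durations are assumptions for illustration.

```yaml
# Added example (not from the blog post): a cert-manager CA hierarchy for istio-csr
# in which the root private key never lives in the mesh namespace. Resource names,
# namespaces and durations are assumptions chosen for illustration.
---
# 1. A self-signed ClusterIssuer that bootstraps the root. In an enterprise setup
#    this is where an external CA issuer (for example a Vault issuer) would be used
#    instead, so that the root key is not held in the cluster at all.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap
spec:
  selfSigned: {}
---
# 2. The root CA certificate. It is created in the cert-manager namespace (assumed
#    to be cert-manager's cluster-resource namespace), not in istio-system, so a
#    compromise of the mesh namespace does not expose the root key.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: root-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: root-ca
  secretName: root-ca
  duration: 87600h      # 10 years
  renewBefore: 720h     # renew 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: ClusterIssuer
    group: cert-manager.io
---
# 3. A ClusterIssuer backed by the root secret. A ClusterIssuer resolves its secret
#    in the cluster-resource namespace, so the key stays out of istio-system.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: root-ca
spec:
  ca:
    secretName: root-ca
---
# 4. The intermediate CA used by the mesh. This is the only CA material present in
#    istio-system, and it is short-lived relative to the root so that a leaked
#    intermediate key ages out on its own.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: istio-ca
  namespace: istio-system
spec:
  isCA: true
  commonName: istio-ca
  secretName: istio-ca
  duration: 2160h       # 90 days
  renewBefore: 360h     # renew 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: root-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# 5. The namespaced Issuer that istio-csr is pointed at. istio-csr submits each
#    workload's CSR to this Issuer; the one-hour workload lifetime mentioned in the
#    text is the duration istio-csr requests for those leaf certificates, not a
#    field on this Issuer.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: istio-ca
  namespace: istio-system
spec:
  ca:
    secretName: istio-ca
```

Apply the manifests in order and wait for each `Certificate` to report a `Ready` condition (`oc get certificate -n istio-system istio-ca`) before configuring istio-csr to use the `istio-ca` Issuer. Once the mesh is running, `oc get certificaterequests -n istio-system` is a quick way to confirm that workload CSRs are actually flowing through cert-manager rather than Istio's built-in CA: every sidecar identity should appear there as a `CertificateRequest` with a roughly one-hour validity, and a mesh that shows none is still trusting its internal self-signed root.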
Built-in Trust Distribution
The integration also benefits from Istio’s native mechanisms for distributing trust bundles—collections of root and intermediate certificates required to validate peers in the mesh. Cert-manager and `istio-csr` make use of this built-in capability, removing the necessity for additional tools such as the `trust-manager` operator. While cert-manager’s community-developed trust-manager remains a viable option, leveraging Istio’s capabilities avoids additional overhead while preserving high security standards.
Future Opportunities and Multi-Cluster Scalability
The integration between cert-manager and Istio marks only the initial step in a broader journey. The open-source SPIRE project—part of the Cloud Native Computing Foundation—offers further potential to reinforce identity validation by enabling cert-manager issuers to authenticate securely with external secrets managers. This integration could ensure certificate requests are only processed from trusted, verifiable sources.
Additionally, while cert-manager has traditionally operated within single clusters, emerging use cases for multi-cluster environments are driving efforts to enhance high availability and scalability. The goal is to support certificate management across federated OpenShift and Istio service meshes, reducing operational fragmentation and enabling enterprise-wide consistency in TLS security.