DevOps teams continue to push the boundaries of software development. With new applications being developed at lightning speed, engineers and developers have the added challenge of securing every stage of the development cycle, from containers and microservices, to management tools.
The key to security is an SSL/TLS certificate. But with multiple services to secure and manage, engineers don’t have the capacity to manually check which certificates need renewing, which are about to expire, or put in multiple requests to InfoSec teams to action certificate management requests.
So, what can DevOps teams do to make their lives easier? One word: ACME (well technically four words).
What is ACME?
ACME (Automatic Certificate Management Environment) is a standard protocol for automating certificate issuance and domain validation procedures. ACME is a widely adopted certificate automation solution which allows users to request certificate management actions by using a set of JavaScript Object Notation (JSON) messages carried over HTTPS. It provides a framework for enterprises to communicate with a Certificate Authority to automate the request, issuance, and revocation of SSL/TLS certificates.
How to Secure Your CI/CD Pipeline Using GlobalSign’s ACME integration
Enterprises can use the ACME protocol to secure a range of DevOps deployment and management tools with GlobalSign SSL/TLS certificates. Here are a few use cases:
Kubernetes
Developers can use GlobalSign’s Atlas ACME service to secure Kubernetes Ingress with GlobalSign SSL/TLS certificates via Jetstack's Cert-manager. Jetstack's Cert-manager is a native Kubernetes certificate management controller. It is built on top of Kubernetes to provide 'certificates as a service' to developers working within Kubernetes Clusters. It introduces certificate authorities and certificates as first-class resource types in the Kubernetes API, thus simplifying management, issuance, renewal of certificates and securing application traffic. Developers can also leverage ACME to use GlobalSign’s native Cert-Manager - Atlas Plugin to secure all services within the Kubernetes Cluster.
Docker Containers
The ACME protocol enables Docker users to automate the creation and renewal of certificates to secure Docker containers. Users can request GlobalSign’s private SSL/TLS certificates from an ACME Server to secure communication between docker containers and hosts. Users can build a Docker-compose setup that runs Nginx in one container and a service for obtaining and renewing HTTPS certificates in another. They can then retrieve their certificate from the ACME server via external account binding (EAB).
Developers can also pull GlobalSign's Docker Image from the Docker Hub repository to obtain SSL/TLS certificates to secure their Docker containers.
Ansible
Ansible users can configure GlobalSign as a certificate authority for issuing certificates by providing API keys and secrets, and mTLS certificates. Developers can utilise Ansible Playbooks to secure their internal servers, such as Apache and Nginx Web Servers. Through Ansible Playbook ‘Tasks’, they can request, view or revoke GlobalSign certificates through their ACME protocol. In addition, they can perform domain claim validation using http/dns/email methods.
Service Mesh
Enterprises can secure Inter Pod Communication such as Istio and Linkerd with the help of mTLS certificates requested through ACME and cert-manager.
Chef
Similar to how users create an Ansible Playbook to secure Apache and Nginx webservers, developers can create an ACME Cookbook to create GlobalSign certificate requests to secure their servers.
Code Signing
Developers can quickly sign code by installing an ACME Jenkins plugin to sign builds with the help of GlobalSign's code signing SSL/TLS certificates, requested through ACME.
Why Use GlobalSign’s ACME Integration for Securing Your DevOps Services?
So, why is GlobalSign’s Atlas ACME integration one of the top solutions for automating your DevOps security needs?
-
Speed
The need for speed is imperative for DevOps environments to function meticulously. ACME automates GlobalSign certificate requests so your DevOps server can be secured within seconds.
-
Widely used
It’s a widely used and simplified protocol which helps developers secure their environment within seconds so they can get on with their real jobs of application development.
-
Secures the CI/CD pipeline
GlobalSign’s ACME integration can be integrated with many DevOps tools to manage certificates. Anything from securing pod-to-pod communications using Kubernetes clusters, to using SSL/TLS to secure Ingress resource.
-
Stay up to date
Using the ACME protocol to automate certificate management allows enterprises to ensure their servers and environments are secure, up to date, and compliant.
-
Keep your secret and keys with you
ACME allows enterprises to keep hold of their secrets and private keys rather than handing this responsibility to a third party. For some, this provides added assurances.
