Problems with our approach so far
● No audit trail
● Wildcard certificates
● Sharing certs over email/Slack
● Reactive approach to renewing certs
● Certificate inventory
● Manual effort to generate certs
Slide 8
Features required
● Certificates stored in a central manner
● API to create/renew cert
● Automatic renewal of cert
● Centralised tracking
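The problems and the required features on the two slides above add up to one thing: a central inventory that is checked proactively instead of waiting for a cert to expire or discovering a wildcard cert by accident. The following is an added example, not Kingsly's own code: a small Go inventory check that parses PEM certificates, records days to expiry and whether any SAN is a wildcard, and reports certs that are expired, inside a renewal window, or wildcard. The service names, the 30-day renewal window and the self-signed sample certificates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertRecord is one row of the central inventory.
type CertRecord struct {
	Name     string   // constructed label: the service holding the cert
	DNSNames []string // SANs, the names the cert actually covers
	DaysLeft int      // days until expiry at inventory time; negative once expired
	Wildcard bool     // any SAN of the form *.domain
}

// BuildInventory parses each named PEM cert into a record, measured against now.
func BuildInventory(certs map[string][]byte, now time.Time) ([]CertRecord, error) {
	var inv []CertRecord
	for name, p := range certs {
		block, _ := pem.Decode(p)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("%s: no CERTIFICATE block found", name)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		wild := false
		for _, d := range c.DNSNames {
			wild = wild || strings.HasPrefix(d, "*.")
		}
		inv = append(inv, CertRecord{Name: name, DNSNames: c.DNSNames, Wildcard: wild,
			DaysLeft: int(c.NotAfter.Sub(now).Hours() / 24)})
	}
	return inv, nil
}

// Check returns "name: reason" findings: expired, inside the renewal window, or wildcard.
func Check(inv []CertRecord, renewBeforeDays int) []string {
	var out []string
	for _, r := range inv {
		switch {
		case r.DaysLeft < 0:
			out = append(out, r.Name+": expired")
		case r.DaysLeft <= renewBeforeDays:
			out = append(out, fmt.Sprintf("%s: renew, %d days left", r.Name, r.DaysLeft))
		}
		if r.Wildcard {
			out = append(out, r.Name+": wildcard certificate")
		}
	}
	return out
}

// selfSignedPEM builds a throwaway self-signed cert so the sample runs offline.
func selfSignedPEM(dns string, notAfter time.Time) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dns},
		NotBefore:    notAfter.AddDate(-1, 0, 0),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleCerts is the constructed input (made-up names): one healthy cert,
// one wildcard cert close to expiry, and one that has already expired.
func SampleCerts(now time.Time) map[string][]byte {
	return map[string][]byte{
		"api-gateway": selfSignedPEM("api.example.test", now.AddDate(0, 0, 120)),
		"legacy-lb":   selfSignedPEM("*.example.test", now.AddDate(0, 0, 10)),
		"old-service": selfSignedPEM("old.example.test", now.AddDate(0, 0, -3)),
	}
}

func main() {
	now := time.Now().Truncate(time.Second) // certs store times at second precision
	inv, err := BuildInventory(SampleCerts(now), now)
	if err != nil {
		panic(err)
	}
	for _, f := range Check(inv, 30) {
		fmt.Println(f)
	}
}
```

Run with `go run .`; the sample reports the expired cert, the wildcard cert (twice: once for being inside the renewal window, once for being a wildcard) and nothing for the healthy one. In a real deployment the map of PEM bytes would come from the central store and the findings would feed the audit trail and renewal API the slides ask for; the check is deliberately a pure function over the inventory so it can be scheduled and its output tracked.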
Slide 9
Enter Kingsly
Slide 10
Baby Steps
Slide 11
Request
Response
Slide 12
What’s happening underneath?
Slide 13
Slide 14
Initial Admin Interface
Slide 15
Who gets to request certs?
Slide 16
Put it behind an HAProxy?
Slide 17
Problems with this approach
Slide 18
Identity Aware Proxy
Slide 19
Slide 20
Why IAP?
● Central authorization layer
● Application-level access control
● Allows individual- and group-based access policies
● Enforce HTTPS
Slide 21
Admin Cert request form
Slide 22
Slide 23
How do I deploy this?
Slide 24
Slide 25
Future
● Extend for client-bot for HAProxy, Envoy proxy
● Extend it to developers to be able to request development certs
● CRD to generate certs for applications inside k8s
● Expand support for AuthZ and AuthN
Slide 26
Slide 27
Links
● Release blog post
● github.com/gojekfarm/kingsly
● github.com/gojekfarm/kingsly-certbot
● github.com/gojekfarm/kingsly-certbot-cookbook
● github.com/gojekfarm/iap_auth
● github.com/gojekfarm/iap-auth-cookbook