Kingsly - The Cert Manager

# Problem Statement

Manage the SSL/TLS certificate lifecycle for various backends, including but not limited to:
- IPSec VPNs
- HAProxy/envoy proxy

# Existing Solutions

Generate certs by hand with openssl (error prone) or use a managed solution (expensive).

# Solution

- We built kingsly, which acts as a broker between clients and Let's Encrypt, serving the clients with SSL certs.
- It renews certs before their expiry dates.
- It is extensible: custom clients automate the whole manual process of updating certs on a backend, and an example client is provided.
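The renewal decision the bullets above describe, as an added example in Go against the standard library (this is not kingsly's own code): a broker that keeps a certificate inventory has to look at each stored cert's NotAfter and trigger re-issuance once it is inside a renewal window, well before the cert actually expires. The 30-day window, the hostname, and the self-signed certificate (a stand-in for one fetched from Let's Encrypt) are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RenewalWindow is the lead time before NotAfter at which a broker should
// request a replacement. 30 days is an assumption for this example (a common
// choice for 90-day Let's Encrypt certs), not a kingsly setting.
const RenewalWindow = 30 * 24 * time.Hour

// RenewalDecision summarises the check a broker makes on each stored cert.
type RenewalDecision struct {
	CommonName string
	NotAfter   time.Time
	Remaining  time.Duration
	Expired    bool // already past NotAfter: clients are presenting a dead cert
	Renew      bool // inside the window (or expired): issue a replacement now
}

// Decide compares a parsed certificate against the clock "now" and reports
// whether it has expired and whether it is due for renewal.
func Decide(cert *x509.Certificate, now time.Time) RenewalDecision {
	remaining := cert.NotAfter.Sub(now)
	return RenewalDecision{
		CommonName: cert.Subject.CommonName,
		NotAfter:   cert.NotAfter,
		Remaining:  remaining,
		Expired:    remaining <= 0,
		Renew:      remaining <= RenewalWindow,
	}
}

// DecideDER parses the DER bytes an inventory would store and decides on them.
func DecideDER(der []byte, now time.Time) (RenewalDecision, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return RenewalDecision{}, err
	}
	return Decide(cert, now), nil
}

// SelfSignedDER builds a constructed self-signed certificate with the given
// validity period; it stands in for a cert obtained from the CA.
func SelfSignedDER(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{cn},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	now := time.Now()
	// A 90-day certificate issued 70 days ago: 20 days left, so inside the window.
	issued := now.Add(-70 * 24 * time.Hour)
	der, err := SelfSignedDER("vpn.example.internal", issued, issued.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	d, err := DecideDER(der, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s expires %s (%.0f days left) renew=%v expired=%v\n",
		d.CommonName, d.NotAfter.Format(time.RFC3339), d.Remaining.Hours()/24, d.Renew, d.Expired)
}
```

Running the check on a schedule over every stored certificate, rather than when someone notices an outage, is what turns the reactionary renewal process into an automatic one; the Expired flag separately surfaces certs that slipped through, which is the audit signal a central inventory gives you.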

# Links

https://github.com/gojekfarm/kingsly
https://github.com/gojekfarm/kingsly-certbot
https://github.com/gojekfarm/kingsly-certbot-cookbook
https://github.com/gojekfarm/iap_auth
https://github.com/gojekfarm/iap-auth-cookbook


Tasdik Rahman

August 03, 2019

Transcript

  1. Kingsly - The Cert Manager

  2. SSL Certificates

  3. openssl way

  4. openssl way

  5. What just happened?

  6. But will you really remember all that?

  7. Problems with our approach so far
     - No audit trail
     - Wildcard certificates
     - Sharing certs over email/Slack
     - Reactionary approach to renewing certs
     - Certificate inventory
     - Manual effort to generate certs

  8. Features required
     - Certificates stored in a central manner
     - API to create/renew certs
     - Automatic renewal of certs
     - Centralised tracking

  9. Enter Kingsly

  10. Baby Steps

  11. Request / Response

  12. What's happening underneath?

  13. (no transcript text)

  14. Initial Admin Interface

  15. Who gets to request certs?

  16. Put it behind an HAProxy?

  17. Problems with this approach

  18. Identity Aware Proxy

  19. (no transcript text)

  20. Why IAP?
     - Central authorization layer
     - Application-level access control
     - Allows individual and group-based access policies
     - Enforce HTTPS

  21. Admin Cert request form

  22. (no transcript text)

  23. How do I deploy this?

  24. (no transcript text)

  25. Future
     - Extend the client bot for HAProxy and Envoy proxy
     - Extend it to developers so they can request development certs
     - CRD to generate certs for applications inside k8s
     - Expand support for AuthZ and AuthN

  26. (no transcript text)

  27. Links
     - Release blog post
     - github.com/gojekfarm/kingsly
     - github.com/gojekfarm/kingsly-certbot
     - github.com/gojekfarm/kingsly-certbot-cookbook
     - github.com/gojekfarm/iap_auth
     - github.com/gojekfarm/iap-auth-cookbook

  28. @tasdikrahman tasdikrahman.me