Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kingsly - The Cert Manager

Tasdik Rahman
August 03, 2019
Technology
0
2.1k

Kingsly - The Cert Manager

# Problem Statement

Manage SSL/TLS certificate lifecycle for various backends which would include but not limited to
- IPSec VPNs
- HAProxy/envoy proxy

# Existing Solutions

Generate certs using openssl(error prone) or use managed solution(expensive)

# Solution

- We built kingsly, which would act as broker between clients and letsencrypt, serving the clients with SSL certs.
- It takes care of renewal of certs before their expiry dates.
- extensible by writing custom clients to automate the whole manual process of updating certs with an example client.

# Links

https://github.com/gojekfarm/kingsly
https://github.com/gojekfarm/kingsly-certbot
https://github.com/gojekfarm/kingsly-certbot-cookbook
https://github.com/gojekfarm/iap_auth
https://github.com/gojekfarm/iap-auth-cookbook

Tasdik Rahman

August 03, 2019
Tweet

More Decks by Tasdik Rahman

See All by Tasdik Rahman
How to make pod assignment to thousands of nodes every day easier
tasdikrahman
0
110
Keeping up with Kubernetes cluster upgrades
tasdikrahman
0
540
TDD: An experience report
tasdikrahman
0
1.3k
Achieving repeatable, extensible and self serve infrastructure
tasdikrahman
0
1.9k
Ways of enabling Canary deployments in kubernetes
tasdikrahman
0
4.5k
kuberception: Self Hosting kubernetes
tasdikrahman
0
8k
Diving deep on how imports work in Python
tasdikrahman
0
3.2k
Introduction to Ansible
tasdikrahman
1
17k
Demystifying how imports work in Python
tasdikrahman
1
3.5k

Other Decks in Technology

See All in Technology
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
1
420
Lambdaと地方とコミュニティ
miu_crescent
2
270
FOSS4G 2024 Japan コアデイ 一般発表25 PythonでPLATEAUのデータを手軽に扱ってみる
ra0kley
1
130
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
320
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
190
エンジニアが一生困らない ドキュメント作成の基本
naohiro_nakata
2
150
フルカイテン株式会社 採用資料
fullkaiten
0
40k
エンジニア候補者向け資料2024.11.07.pdf
macloud
0
4.5k
私はこうやってマインドマップでテストすることを出す!
mineo_matsuya
0
230
DatabricksにおけるLLMOpsのベストプラクティス
taka_aki
4
1.6k
フロントエンド メタフレームワーク 選定の際に考えたこと
yuppeeng
0
600
軽量DDDはもういらない! スタイルガイド本で OOPの実装パターンを学ぼう
panda_program
29
11k

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
2k
Bash Introduction
62gerente
608
210k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
400
It's Worth the Effort
3n
183
27k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
What's in a price? How to price your products and services
michaelherold
243
12k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Typedesign – Prime Four
hannesfritz
40
2.4k

Transcript

  1. Kingsly - The Cert Manager

  2. SSL Certificates 2

  3. openssl way 3

  4. openssl way 4

  5. What just happened? 1. 5

  6. But will you really remember all that? 6

  7. Problems with our approach so far • No audit trail

    • Wildcard certificates • Sharing certs over email/slack • Reactionary approach of renewing certs • Certificate inventory • Manual effort to generate certs 7

  8. Features required • Certificates stored in a central manner •

    API to create/renew cert • Automatic renewal of cert • Centralised tracking 8

  9. Enter Kingsly 9

  10. Baby Steps 10

  11. Request 11 Response

  12. What’s happening underneath? 12

  13. 13

  14. Initial Admin Interface 14

  15. Who gets to request certs? 15

  16. Put it behind an HAProxy? 16

  17. Problems with this approach 17

  18. Identity Aware Proxy 18

  19. 19

  20. Why IAP? • Central authorization layer • Application level access

    control • Allows individual and group based access policies. • Enforce HTTPs 20

  21. Admin Cert request form 21

  22. 22

  23. How do I deploy this? 23

  24. 24

  25. Future • Extend for client-bot for HAProxy, Envoy proxy •

    Extend it to developers to be able to request development certs • CRD to generate certs for applications inside k8s • Expand support for AuthZ and AuthN 25

  26. 26

  27. Links • Release blog post • github.com/gojekfarm/kingsly • github.com/gojekfarm/kingsly-certbot •

    github.com/gojekfarm/kingsly-certbot-cookbook • github.com/gojekfarm/iap_auth • github.com/gojekfarm/iap-auth-cookbook 27

  28. 28 @tasdikrahman tasdikrahman.me