Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kingsly - The Cert Manager

Tasdik Rahman
August 03, 2019
Technology
0
2.3k

Kingsly - The Cert Manager

# Problem Statement

Manage SSL/TLS certificate lifecycle for various backends which would include but not limited to
- IPSec VPNs
- HAProxy/envoy proxy

# Existing Solutions

Generate certs using openssl(error prone) or use managed solution(expensive)

# Solution

- We built kingsly, which would act as broker between clients and letsencrypt, serving the clients with SSL certs.
- It takes care of renewal of certs before their expiry dates.
- extensible by writing custom clients to automate the whole manual process of updating certs with an example client.

# Links

https://github.com/gojekfarm/kingsly
https://github.com/gojekfarm/kingsly-certbot
https://github.com/gojekfarm/kingsly-certbot-cookbook
https://github.com/gojekfarm/iap_auth
https://github.com/gojekfarm/iap-auth-cookbook

Tasdik Rahman

August 03, 2019
Tweet

More Decks by Tasdik Rahman

See All by Tasdik Rahman
Resilient Multi-Cloud Strategies: Harnessing Kubernetes, Cluster API and Cell-Based Architecture
tasdikrahman
0
34
How to make pod assignment to thousands of nodes every day easier
tasdikrahman
0
270
Keeping up with Kubernetes cluster upgrades
tasdikrahman
0
640
TDD: An experience report
tasdikrahman
0
1.4k
Achieving repeatable, extensible and self serve infrastructure
tasdikrahman
0
2.1k
Ways of enabling Canary deployments in kubernetes
tasdikrahman
0
4.7k
kuberception: Self Hosting kubernetes
tasdikrahman
0
8.3k
Diving deep on how imports work in Python
tasdikrahman
0
3.4k
Introduction to Ansible
tasdikrahman
1
17k

Other Decks in Technology

See All in Technology
更新系と状態
uhyo
5
730
似たような課題が何度も蘇ってくるゾンビふりかえりを撲滅するため、ふりかえりのテーマをフォーカスしてもらった話 / focusing on the theme
naitosatoshi
0
450
AI AgentOps LT大会(2025/04/16) Algomatic伊藤発表資料
kosukeito
0
140
AWSLambdaMCPServerを使ってツールとMCPサーバを分離する
tkikuchi
1
3k
SnowflakeとDatabricks両方でRAGを構築してみた
kameitomohiro
1
230
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM, Prompt Engineering and Building Tutors
ks91
PRO
1
250
Amazon CloudWatch Application Signals ではじめるバーンレートアラーム / Burn rate alarm with Amazon CloudWatch Application Signals
ymotongpoo
5
460
20250411_HCCJP_AdaptiveCloudUpdates.pdf
sdosamut
1
110
LiteXとオレオレCPUで作る自作SoC奮闘記
msyksphinz
0
590
Dynamic Reteaming And Self Organization
miholovesq
3
420
LangfuseでAIエージェントの 可観測性を高めよう!/Enhancing AI Agent Observability with Langfuse!
jnymyk
1
220
さくらの夕べ Debianナイト - さくらのVPS編
dictoss
0
300

Featured

See All Featured
How to Think Like a Performance Engineer
csswizardry
23
1.5k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.2k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
The Cult of Friendly URLs
andyhume
78
6.3k
StorybookのUI Testing Handbookを読んだ
zakiyama
29
5.6k
Six Lessons from altMBA
skipperchong
27
3.7k
Reflections from 52 weeks, 52 projects
jeffersonlam
349
20k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
135
33k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
390
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
32
5.3k

Transcript

  1. Kingsly - The Cert Manager

  2. SSL Certificates 2

  3. openssl way 3

  4. openssl way 4

  5. What just happened? 1. 5

  6. But will you really remember all that? 6

  7. Problems with our approach so far • No audit trail

    • Wildcard certificates • Sharing certs over email/slack • Reactionary approach of renewing certs • Certificate inventory • Manual effort to generate certs 7

  8. Features required • Certificates stored in a central manner •

    API to create/renew cert • Automatic renewal of cert • Centralised tracking 8

  9. Enter Kingsly 9

  10. Baby Steps 10

  11. Request 11 Response

  12. What’s happening underneath? 12

  13. 13

  14. Initial Admin Interface 14

  15. Who gets to request certs? 15

  16. Put it behind an HAProxy? 16

  17. Problems with this approach 17

  18. Identity Aware Proxy 18

  19. 19

  20. Why IAP? • Central authorization layer • Application level access

    control • Allows individual and group based access policies. • Enforce HTTPs 20

  21. Admin Cert request form 21

  22. 22

  23. How do I deploy this? 23

  24. 24

  25. Future • Extend for client-bot for HAProxy, Envoy proxy •

    Extend it to developers to be able to request development certs • CRD to generate certs for applications inside k8s • Expand support for AuthZ and AuthN 25

  26. 26

  27. Links • Release blog post • github.com/gojekfarm/kingsly • github.com/gojekfarm/kingsly-certbot •

    github.com/gojekfarm/kingsly-certbot-cookbook • github.com/gojekfarm/iap_auth • github.com/gojekfarm/iap-auth-cookbook 27

  28. 28 @tasdikrahman tasdikrahman.me