Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kingsly - The Cert Manager

Tasdik Rahman
August 03, 2019
Technology
0
1.7k

Kingsly - The Cert Manager

# Problem Statement

Manage SSL/TLS certificate lifecycle for various backends which would include but not limited to
- IPSec VPNs
- HAProxy/envoy proxy

# Existing Solutions

Generate certs using openssl(error prone) or use managed solution(expensive)

# Solution

- We built kingsly, which would act as broker between clients and letsencrypt, serving the clients with SSL certs.
- It takes care of renewal of certs before their expiry dates.
- extensible by writing custom clients to automate the whole manual process of updating certs with an example client.

# Links

https://github.com/gojekfarm/kingsly
https://github.com/gojekfarm/kingsly-certbot
https://github.com/gojekfarm/kingsly-certbot-cookbook
https://github.com/gojekfarm/iap_auth
https://github.com/gojekfarm/iap-auth-cookbook

Tasdik Rahman

August 03, 2019
Tweet

More Decks by Tasdik Rahman

See All by Tasdik Rahman
Keeping up with Kubernetes cluster upgrades
tasdikrahman
0
180
TDD: An experience report
tasdikrahman
0
840
Achieving repeatable, extensible and self serve infrastructure
tasdikrahman
0
1.4k
Ways of enabling Canary deployments in kubernetes
tasdikrahman
0
3.8k
kuberception: Self Hosting kubernetes
tasdikrahman
0
7.2k
Diving deep on how imports work in Python
tasdikrahman
0
2.6k
Introduction to Ansible
tasdikrahman
1
16k
Demystifying how imports work in Python
tasdikrahman
1
2.9k

Other Decks in Technology

See All in Technology
ビギナー向け エッジランタイムのすすめ | エッジランタイムを意識した開発をはじめよう
aiji42
1
430
また(CDK界隈の)世界を縮めてしまった
bun913
0
400
新卒入社から1500人規模のCTOに: エンジニアが圧倒的に成長する3つのコツ / 技育祭2023春
carta_engineering
1
770
[k8sjp #56] Kustomize v5 を含む最新機能とテクニックの紹介
koba1t
0
350
赤裸々図解!新卒3年目でマネジメントもこなすフルスタックエンジニアになるまで
mizunohiroaki
0
300
MSPサービスを支えるIaCのこれまでとこれから
sbtechnight
PRO
0
390
Privacy Techによる新しいデータ活用の形
line_developers
PRO
1
210
私と Nature Remo E / Nature Remo E
orgachem
0
170
Snyk の紹介 〜セキュリティの Shift Left を目指す〜
toshiaizawa
0
110
生成AIで文化を創造する(ChatGPT作成タイトル)
sbtechnight
PRO
0
390
Linuxのブロックデバイス
sat
PRO
4
1.6k
エラーログをAlertで引っ掛けるときにEventTimer使ってみた話
sparty
0
160

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
419
60k
Unsuck your backbone
ammeep
659
56k
Learning to Love Humans: Emotional Interface Design
aarron
263
38k
Designing for humans not robots
tammielis
245
24k
Making Projects Easy
brettharned
102
4.9k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
24
5.1k
The Illustrated Children's Guide to Kubernetes
chrisshort
23
43k
Facilitating Awesome Meetings
lara
34
4.7k
It's Worth the Effort
3n
177
26k
Three Pipe Problems
jasonvnalue
89
9k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
224
50k
Designing for Performance
lara
600
65k

Transcript

  1. Kingsly - The
    Cert Manager

    View Slide

  2. SSL Certificates
    2

    View Slide

  3. openssl way
    3

    View Slide

  4. openssl way
    4

    View Slide

  5. What just happened?
    1.
    5

    View Slide

  6. But will you really
    remember
    all that?
    6

    View Slide

  7. Problems with our
    approach so far
    ● No audit trail
    ● Wildcard certificates
    ● Sharing certs over
    email/slack
    ● Reactionary approach of
    renewing certs
    ● Certificate inventory
    ● Manual effort to generate
    certs
    7

    View Slide

  8. Features required
    ● Certificates stored in a
    central manner
    ● API to create/renew cert
    ● Automatic renewal of cert
    ● Centralised tracking
    8

    View Slide

  9. Enter Kingsly
    9

    View Slide

  10. Baby Steps
    10

    View Slide

  11. Request
    11
    Response

    View Slide

  12. What’s happening
    underneath?
    12

    View Slide

  13. 13

    View Slide

  14. Initial Admin Interface
    14

    View Slide

  15. Who gets to
    request certs?
    15

    View Slide

  16. Put it behind
    an HAProxy?
    16

    View Slide

  17. Problems with this approach
    17

    View Slide

  18. Identity Aware Proxy
    18

    View Slide

  19. 19

    View Slide

  20. Why IAP?
    ● Central authorization layer
    ● Application level access
    control
    ● Allows individual and group
    based access policies.
    ● Enforce HTTPs
    20

    View Slide

  21. Admin Cert
    request form
    21

    View Slide

  22. 22

    View Slide

  23. How do I deploy this?
    23

    View Slide

  24. 24

    View Slide

  25. Future
    ● Extend for client-bot for
    HAProxy, Envoy proxy
    ● Extend it to developers to be
    able to request development
    certs
    ● CRD to generate certs for
    applications inside k8s
    ● Expand support for AuthZ
    and AuthN
    25

    View Slide

  26. 26

    View Slide

  27. Links
    ● Release blog post
    ● github.com/gojekfarm/kingsly
    ● github.com/gojekfarm/kingsly-certbot
    ● github.com/gojekfarm/kingsly-certbot-cookbook
    ● github.com/gojekfarm/iap_auth
    ● github.com/gojekfarm/iap-auth-cookbook
    27

    View Slide

  28. 28
    @tasdikrahman
    tasdikrahman.me

    View Slide