Kingsly - The Cert Manager

# Problem Statement

Manage the SSL/TLS certificate lifecycle for various backends, including but not limited to:
- IPSec VPNs
- HAProxy/Envoy proxy

# Existing Solutions

Generate certs by hand with openssl (error prone) or use a managed solution (expensive).

# Solution

- We built Kingsly, which acts as a broker between clients and Let's Encrypt, issuing SSL/TLS certs to the clients.
- It takes care of renewing certs before their expiry dates.
- It is extensible: custom clients automate the otherwise manual process of installing updated certs on a backend, and an example client is provided.
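
The renewal point above (renew before expiry, rather than reacting once something breaks) and the centralised tracking the deck asks for come down to one check that every certificate in the store must pass on a schedule. The Go program below is an added example, not code from the kingsly project: it parses PEM certificates, computes the remaining lifetime, flags those inside a renewal window, and orders the inventory so the most urgent come first. The 30-day window, the hostnames and the self-signed certificates are all constructed for the example; a real broker would hold certificates issued by Let's Encrypt.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// RenewBefore is the renewal window: a certificate with less than this much
// lifetime left is due for renewal. 30 days is an assumed policy for this
// example, not a value taken from kingsly.
const RenewBefore = 30 * 24 * time.Hour

// CertStatus is one row of the certificate inventory.
type CertStatus struct {
	Subject   string
	DNSNames  []string
	NotAfter  time.Time
	Remaining time.Duration
	Due       bool
}

// Inspect parses one PEM-encoded certificate and reports how much lifetime
// it has left relative to now and whether it is inside the renewal window.
func Inspect(pemBytes []byte, now time.Time) (CertStatus, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	remaining := cert.NotAfter.Sub(now)
	return CertStatus{
		Subject:   cert.Subject.CommonName,
		DNSNames:  cert.DNSNames,
		NotAfter:  cert.NotAfter,
		Remaining: remaining,
		Due:       remaining < RenewBefore,
	}, nil
}

// Inventory inspects every certificate in the store and returns the rows
// sorted by expiry, the order a renewal loop should work through them.
func Inventory(certs [][]byte, now time.Time) ([]CertStatus, error) {
	var rows []CertStatus
	for _, c := range certs {
		s, err := Inspect(c, now)
		if err != nil {
			return nil, err
		}
		rows = append(rows, s)
	}
	sort.Slice(rows, func(i, j int) bool { return rows[i].NotAfter.Before(rows[j].NotAfter) })
	return rows, nil
}

// selfSigned builds a constructed self-signed certificate with a 90-day
// lifetime ending at notAfter, standing in for a Let's Encrypt issued one.
func selfSigned(cn string, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory returns three constructed certificates relative to now:
// one fresh, one inside the renewal window, and one already expired.
func SampleInventory(now time.Time) [][]byte {
	return [][]byte{
		selfSigned("vpn.example.internal", now.Add(80*24*time.Hour)),
		selfSigned("haproxy.example.internal", now.Add(10*24*time.Hour)),
		selfSigned("envoy.example.internal", now.Add(-24*time.Hour)),
	}
}

func main() {
	now := time.Now()
	rows, err := Inventory(SampleInventory(now), now)
	if err != nil {
		panic(err)
	}
	for _, r := range rows {
		fmt.Printf("%-26s expires %s %7.1f days left  renew=%v\n",
			r.Subject, r.NotAfter.Format("2006-01-02"), r.Remaining.Hours()/24, r.Due)
	}
}
```

Run it as-is and the expired Envoy certificate sorts first, the HAProxy one (10 days left) is flagged for renewal, and the VPN one (80 days left) is not; a broker would feed the `Due` rows to its Let's Encrypt client and then push the new certificates out to the backends.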

# Links

https://github.com/gojekfarm/kingsly
https://github.com/gojekfarm/kingsly-certbot
https://github.com/gojekfarm/kingsly-certbot-cookbook
https://github.com/gojekfarm/iap_auth
https://github.com/gojekfarm/iap-auth-cookbook

Tasdik Rahman

August 03, 2019

Transcript

  1. Kingsly - The Cert Manager

  2. SSL Certificates

  3. openssl way

  4. openssl way

  5. What just happened?

  6. But will you really remember all that?

  7. Problems with our approach so far
    ● No audit trail
    ● Wildcard certificates
    ● Sharing certs over email/slack
    ● Reactionary approach of renewing certs
    ● Certificate inventory
    ● Manual effort to generate certs

  8. Features required
    ● Certificates stored in a central manner
    ● API to create/renew cert
    ● Automatic renewal of cert
    ● Centralised tracking

  9. Enter Kingsly

  10. Baby Steps

  11. Request / Response

  12. What's happening underneath?

  13. (no transcribed text)

  14. Initial Admin Interface

  15. Who gets to request certs?

  16. Put it behind an HAProxy?

  17. Problems with this approach

  18. Identity Aware Proxy

  19. (no transcribed text)

  20. Why IAP?
    ● Central authorization layer
    ● Application level access control
    ● Allows individual and group based access policies
    ● Enforce HTTPS
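
The slide above makes IAP the authorization layer in front of the admin interface. The caveat a practitioner wants next to it: IAP authenticates the user and forwards a signed JWT to the backend in the `x-goog-iap-jwt-assertion` header, and the application should verify that JWT itself, so a request that reaches the backend without passing through the proxy (an internal address, a misrouted load balancer) is rejected rather than trusted. The Go code below is an added example, not code from kingsly or iap_auth. It verifies an ES256 JWT against a key set and checks the issuer, audience and expiry; the key pair, the `kid`, the backend-service audience string and the claims are constructed for the example, and `SignTestJWT` exists only so the example can mint tokens offline. In production the public keys come from Google and the expected audience is the one IAP shows for the backend service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IAPIssuer is the issuer IAP places in the x-goog-iap-jwt-assertion JWT.
const IAPIssuer = "https://cloud.google.com/iap"

type jwtHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// IAPClaims holds the claims this example checks; IAP sets more, but these
// are enough to decide that the request really came through the proxy.
type IAPClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// VerifyIAPJWT checks the ES256 signature against the key named by kid, then
// issuer, audience and expiry. Claims are only decoded once the signature holds.
func VerifyIAPJWT(token, expectedAud string, keys map[string]*ecdsa.PublicKey, now time.Time) (*IAPClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr jwtHeader
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" { // the verifier, not the token, chooses the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // JWS ES256 signatures are raw r||s, 32 bytes each
		return nil, errors.New("bad ES256 signature encoding")
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	claimsJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c IAPClaims
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return nil, err
	}
	if c.Iss != IAPIssuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Aud != expectedAud { // a token minted for another backend must not work here
		return nil, fmt.Errorf("unexpected audience %q", c.Aud)
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// NewTestKey and KeySet exist so the constructed example can mint and verify
// its own tokens; a real deployment fetches IAP's public keys from Google.
func NewTestKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func KeySet(kid string, key *ecdsa.PrivateKey) map[string]*ecdsa.PublicKey {
	return map[string]*ecdsa.PublicKey{kid: &key.PublicKey}
}

// SignTestJWT mints an ES256 token the way the proxy would (constructed stand-in).
func SignTestJWT(c IAPClaims, kid string, key *ecdsa.PrivateKey) string {
	hdr, _ := json.Marshal(jwtHeader{Alg: "ES256", Kid: kid})
	body, _ := json.Marshal(c)
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig)
}

func main() {
	now, key := time.Now(), NewTestKey()
	aud := "/projects/123456789/global/backendServices/987654321" // constructed audience
	c := IAPClaims{Iss: IAPIssuer, Aud: aud, Email: "admin@example.com", Iat: now.Unix(), Exp: now.Add(10 * time.Minute).Unix()}
	tok := SignTestJWT(c, "kid-1", key)
	claims, err := VerifyIAPJWT(tok, aud, KeySet("kid-1", key), now)
	fmt.Printf("valid token:    %+v err=%v\n", claims, err)
	_, err = VerifyIAPJWT(tok, "/projects/1/global/backendServices/2", KeySet("kid-1", key), now)
	fmt.Printf("wrong audience: err=%v\n", err)
}
```

The order of checks matters: algorithm and key are fixed by the verifier before anything in the token is believed, the signature is checked before the claims are even decoded, and the audience check is what stops a token issued for another IAP-protected service from opening the cert manager's admin form.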

  21. Admin Cert request form

  22. (no transcribed text)

  23. How do I deploy this?

  24. (no transcribed text)

  25. Future
    ● Extend the client bot for HAProxy and Envoy proxy
    ● Extend it so developers can request development certs
    ● CRD to generate certs for applications inside k8s
    ● Expand support for AuthZ and AuthN

  26. (no transcribed text)

  27. Links
    ● Release blog post
    ● github.com/gojekfarm/kingsly
    ● github.com/gojekfarm/kingsly-certbot
    ● github.com/gojekfarm/kingsly-certbot-cookbook
    ● github.com/gojekfarm/iap_auth
    ● github.com/gojekfarm/iap-auth-cookbook

  28. @tasdikrahman
    tasdikrahman.me