Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kingsly - The Cert Manager

Tasdik Rahman
August 03, 2019
Technology
0
1.9k

Kingsly - The Cert Manager

# Problem Statement

Manage SSL/TLS certificate lifecycle for various backends which would include but not limited to
- IPSec VPNs
- HAProxy/envoy proxy

# Existing Solutions

Generate certs using openssl(error prone) or use managed solution(expensive)

# Solution

- We built kingsly, which would act as broker between clients and letsencrypt, serving the clients with SSL certs.
- It takes care of renewal of certs before their expiry dates.
- extensible by writing custom clients to automate the whole manual process of updating certs with an example client.

# Links

https://github.com/gojekfarm/kingsly
https://github.com/gojekfarm/kingsly-certbot
https://github.com/gojekfarm/kingsly-certbot-cookbook
https://github.com/gojekfarm/iap_auth
https://github.com/gojekfarm/iap-auth-cookbook

Tasdik Rahman

August 03, 2019
Tweet

More Decks by Tasdik Rahman

See All by Tasdik Rahman
Keeping up with Kubernetes cluster upgrades
tasdikrahman
0
390
TDD: An experience report
tasdikrahman
0
1.1k
Achieving repeatable, extensible and self serve infrastructure
tasdikrahman
0
1.7k
Ways of enabling Canary deployments in kubernetes
tasdikrahman
0
4.2k
kuberception: Self Hosting kubernetes
tasdikrahman
0
7.7k
Diving deep on how imports work in Python
tasdikrahman
0
3k
Introduction to Ansible
tasdikrahman
1
16k
Demystifying how imports work in Python
tasdikrahman
1
3.2k

Other Decks in Technology

See All in Technology
DevOpsDays History and my DevOps story
kawaguti
PRO
8
1.6k
KubeCon EU 2024 Recap “Kubernetes Policy Time Machine: Where to Next?”
ryysud
0
140
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
130
AIQ株式会社 エンジニア向け会社紹介資料
aiqlab
0
380
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
340
ユーザーストーリーのレビューを自動化したみたの
bun913
1
330
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
140
0→1開発における技術選定において一番大切なこと
bicstone
1
330
オーナーシップを持つ領域を明確にする
konifar
12
2.7k
Algyan イベント振り返り
linyixian
0
190
WebアプリケーションにおけるPDOの使い方入門 / phpcon odawara 2024
meihei3
2
430
[PlatformCon 24] Platform Orchestrators: The Missing Middle of Internal Developer Platforms?
danielbryantuk
1
180

Featured

See All Featured
The Cult of Friendly URLs
andyhume
74
5.7k
How to Ace a Technical Interview
jacobian
272
22k
How GitHub (no longer) Works
holman
304
140k
Optimising Largest Contentful Paint
csswizardry
7
2.3k
Teambox: Starting and Learning
jrom
128
8.4k
It's Worth the Effort
3n
180
27k
Typedesign – Prime Four
hannesfritz
36
2.1k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
240
1.2M
Atom: Resistance is Futile
akmur
258
25k
Statistics for Hackers
jakevdp
789
220k
Practical Orchestrator
shlominoach
181
9.7k

Transcript

  1. Kingsly - The Cert Manager

  2. SSL Certificates 2

  3. openssl way 3

  4. openssl way 4

  5. What just happened? 1. 5

  6. But will you really remember all that? 6

  7. Problems with our approach so far • No audit trail

    • Wildcard certificates • Sharing certs over email/slack • Reactionary approach of renewing certs • Certificate inventory • Manual effort to generate certs 7

  8. Features required • Certificates stored in a central manner •

    API to create/renew cert • Automatic renewal of cert • Centralised tracking 8

  9. Enter Kingsly 9

  10. Baby Steps 10

  11. Request 11 Response

  12. What’s happening underneath? 12

  13. 13

  14. Initial Admin Interface 14

  15. Who gets to request certs? 15

  16. Put it behind an HAProxy? 16

  17. Problems with this approach 17

  18. Identity Aware Proxy 18

  19. 19

  20. Why IAP? • Central authorization layer • Application level access

    control • Allows individual and group based access policies. • Enforce HTTPs 20

  21. Admin Cert request form 21

  22. 22

  23. How do I deploy this? 23

  24. 24

  25. Future • Extend for client-bot for HAProxy, Envoy proxy •

    Extend it to developers to be able to request development certs • CRD to generate certs for applications inside k8s • Expand support for AuthZ and AuthN 25

  26. 26

  27. Links • Release blog post • github.com/gojekfarm/kingsly • github.com/gojekfarm/kingsly-certbot •

    github.com/gojekfarm/kingsly-certbot-cookbook • github.com/gojekfarm/iap_auth • github.com/gojekfarm/iap-auth-cookbook 27

  28. 28 @tasdikrahman tasdikrahman.me