$30 off During Our Annual Pro Sale. View Details »

Kingsly - The Cert Manager

Tasdik Rahman
August 03, 2019
Technology
0
1.8k

Kingsly - The Cert Manager

# Problem Statement

Manage SSL/TLS certificate lifecycle for various backends which would include but not limited to
- IPSec VPNs
- HAProxy/envoy proxy

# Existing Solutions

Generate certs using openssl(error prone) or use managed solution(expensive)

# Solution

- We built kingsly, which would act as broker between clients and letsencrypt, serving the clients with SSL certs.
- It takes care of renewal of certs before their expiry dates.
- extensible by writing custom clients to automate the whole manual process of updating certs with an example client.

# Links

https://github.com/gojekfarm/kingsly
https://github.com/gojekfarm/kingsly-certbot
https://github.com/gojekfarm/kingsly-certbot-cookbook
https://github.com/gojekfarm/iap_auth
https://github.com/gojekfarm/iap-auth-cookbook

Tasdik Rahman

August 03, 2019
Tweet

More Decks by Tasdik Rahman

See All by Tasdik Rahman
Keeping up with Kubernetes cluster upgrades
tasdikrahman
0
320
TDD: An experience report
tasdikrahman
0
990
Achieving repeatable, extensible and self serve infrastructure
tasdikrahman
0
1.6k
Ways of enabling Canary deployments in kubernetes
tasdikrahman
0
4k
kuberception: Self Hosting kubernetes
tasdikrahman
0
7.5k
Diving deep on how imports work in Python
tasdikrahman
0
2.8k
Introduction to Ansible
tasdikrahman
1
16k
Demystifying how imports work in Python
tasdikrahman
1
3.1k

Other Decks in Technology

See All in Technology
CSSパフォーマンスに関する計測結果
poteboy
3
880
コロプラ_SRE_LCE_ゲームバックエンド_性能との戦い
colopl
0
120
噂の Amazon Bedrock を Java から使ってみる #javado
tacck
1
130
生成AIでシステム開発はどう変わるか
etaroid
12
3.7k
【Python東海#44】Pydroid3で画像処理
kazuhitotakahashi
0
190
DMMプラットフォームにおける GKE を利用した プラットフォームエンジニアリングへの 取り組み
pospome
1
150
Railsアプリをコスパよく読むための環境整備
ikumatadokoro
1
130
機械学習システム構築実践ガイド
shibuiwilliam
0
240
cloudflare-workersを使ってslack上に匿名チャットを作った話
sugawani
0
130
Snowflake x Terraformに自動テストを導入した話
kddisnowvillage
0
160
ソフトウェアの内部品質に生じる様々な問題は組織設計にその原因があることも多い / Internal Quality Issues Caused by Organizational Design
mtx2s
105
42k
ChatGPT for Developer - 超入門
dahatake
39
21k

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
420
62k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.5k
Side Projects
sachag
450
39k
RailsConf 2023
tenderlove
0
340
Making Projects Easy
brettharned
105
5.2k
Debugging Ruby Performance
tmm1
68
11k
Clear Off the Table
cherdarchuk
81
300k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
51k
We Have a Design System, Now What?
morganepeng
41
6.4k
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k
The Cult of Friendly URLs
andyhume
71
5.4k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
9.8k

Transcript

  1. Kingsly - The
    Cert Manager

    View Slide

  2. SSL Certificates
    2

    View Slide

  3. openssl way
    3

    View Slide

  4. openssl way
    4

    View Slide

  5. What just happened?
    1.
    5

    View Slide

  6. But will you really
    remember
    all that?
    6

    View Slide

  7. Problems with our
    approach so far
    ● No audit trail
    ● Wildcard certificates
    ● Sharing certs over
    email/slack
    ● Reactionary approach of
    renewing certs
    ● Certificate inventory
    ● Manual effort to generate
    certs
    7

    View Slide

  8. Features required
    ● Certificates stored in a
    central manner
    ● API to create/renew cert
    ● Automatic renewal of cert
    ● Centralised tracking
    8

    View Slide

  9. Enter Kingsly
    9

    View Slide

  10. Baby Steps
    10

    View Slide

  11. Request
    11
    Response

    View Slide

  12. What’s happening
    underneath?
    12

    View Slide

  13. 13

    View Slide

  14. Initial Admin Interface
    14

    View Slide

  15. Who gets to
    request certs?
    15

    View Slide

  16. Put it behind
    an HAProxy?
    16

    View Slide

  17. Problems with this approach
    17

    View Slide

  18. Identity Aware Proxy
    18

    View Slide

  19. 19

    View Slide

  20. Why IAP?
    ● Central authorization layer
    ● Application level access
    control
    ● Allows individual and group
    based access policies.
    ● Enforce HTTPs
    20

    View Slide

  21. Admin Cert
    request form
    21

    View Slide

  22. 22

    View Slide

  23. How do I deploy this?
    23

    View Slide

  24. 24

    View Slide

  25. Future
    ● Extend for client-bot for
    HAProxy, Envoy proxy
    ● Extend it to developers to be
    able to request development
    certs
    ● CRD to generate certs for
    applications inside k8s
    ● Expand support for AuthZ
    and AuthN
    25

    View Slide

  26. 26

    View Slide

  27. Links
    ● Release blog post
    ● github.com/gojekfarm/kingsly
    ● github.com/gojekfarm/kingsly-certbot
    ● github.com/gojekfarm/kingsly-certbot-cookbook
    ● github.com/gojekfarm/iap_auth
    ● github.com/gojekfarm/iap-auth-cookbook
    27

    View Slide

  28. 28
    @tasdikrahman
    tasdikrahman.me

    View Slide