niggl/kubecon24
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

day4 talks

Browse Source
This commit is contained in:
Nicolai Ort
2024-03-22 15:23:38 +01:00
parent c178fe095c
commit f3715316b5
5 changed files with 170 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
content/day2/99_networking.md
View File

@@ -52,3 +52,7 @@ I should follow up
* The paid renovate offering now includes build failure estimation
* I was told not to buy it after telling the technical guy that we just use build pipelines as MR verification
### Certmanager
* The best swag (judged by coolness points)

55
content/day4/03_operator.md Normal file
View File

@@ -0,0 +1,55 @@
---
title: What's New in Operator Framework?
weight: 3
---
By the nice opertor framework guys at IBM and RedHat.
I'll skip the baseline introduction of what an operator is.
## Operator DSK
> Build the operator
* Kubebuilder with v4 Plugines -> Supports the latest Kubernetes
* Java Operator SDK is not a part of Operator SDK and they released 5.0.0
* Now with server side apply in the background
* Better status updates and finalizer handling
* Dependent ressource handling (alongside optional dependent ressources)
## Operator Liefecycle Manager
> Manage the operator -> A operator for installing operators
### OLM v1 APIs
* New API Set -> The old CRDs were overwhelming
* More GitOps friendly with per-tenant support
* Prediscribes update paths (maybe upgrade)
* Suport for operator bundels as k8s manifests/helmchart
### OLM v1 Components
* Cluster Extension (User-Facing API)
* Defines the app you want to install
* Resolvs requirements through catalogd/depply
* Catalogd (Catalog Server/Operator)
* Depply (Dependency/Contraint solver)
* Applier (Rukoak/kapp compatible)
```mermaid
flowchart TD
uapi(User facing api)-->|Can I find this operator|catalaogd
catalogd-->|Check if all dependencies are checked|depply
depply-->|Please install|kapp
```
```mermaid
flowchart LR
oa(operator author)-->ba(Bundle and att to catalog)
ba-->catalogd(Catalogd Handle unpackling)
user-->ufa(User facing api)
ufa-->|Resolve package|catalogd
ufa-->|Create app on cluster|appcr(App CR / kapps)
```

73
content/day4/05_certmanager.md Normal file
View File

@@ -0,0 +1,73 @@
---
title: "Cryptographically Signed Swag: Cert-Managers Stamped Certificates"
weight: 5
---
A talk by the certmanager maintainers that also staffed the certmanager booth.
Humor is present, but the main focus is still thetechnical integration
## Baseline
* Certmanager is the best™ way of getting certificats
* Poster features: Autorenewal, ACME, PKI, HC Vault
* Numbers: 20M downloads 427 contributors 11.3 GitHub stars
* Currently on the gratuation path
## History
* 2016: Jetstack created kube-lego -> A operator that generated LE certificates for ingress based on annotations
* 2o17: Certmanager launch -> Cert ressources and issuer ressources
* 2020: v1.0.0 and joined CNCF sandbox
* 2022: CNCF incubating
* 2024: Passed the CNCF security audit and on the way to graduation
## The booth works
### How it came to be
* The idea: Mix the digital certificate with the classical seal
* Started as the stamping idea to celebrate v1 and send contributors a thank you with candels
* Problems: Candels are not allowed -> Therefor glue gun
### How it works
* Components
* RASPI with k3s
* Printer
* Certmanager
* A go-based webui
* QR-Code: Contains link to certificate with privatekey
```mermaid
flowchart LR
ui(UI in go)-->|Generate cert ressource|kubeapi
kubeapi-->|Issue certificate|CertManager
CertManager-->|Certificate|ui
ui-->|print|Printer
```
### What is new this year
* Idea: Certs should be usable for TLS
* Solution: The QR-Code links to a zip-download with the cert and provate key
* New: ECDSA for everything
* New: A stable root ca with intermediate for every conference
* New: Guestbook that can only be signed with a booth issued certificate -> Available via script
## Learnings
* This demo is just a private CA with certmanager -> Can be applied to any PKI-usecase
* The certificate can be created via the CR, CSI driver (create secret and mount in container), ingress annotations, ...
* You can use multiple different Issuers (CA Issuer aka PKI, Let's Encrypt, Vault, AWS, ...)
```mermaid
flowchart LR
ui-->|Input certificate subject details|CertManager
cai(CA Issuer)-->|CertManager|Souurce for certificate
CertManager-->|Creates|sr(Secret Ressource)
```
## Conclusion
* This is not just a demo -> Just apply it for machines
* They have regular meetings (daily standups and bi-weekly)

34
content/day4/99_networking.md Normal file
View File

@@ -0,0 +1,34 @@
---
title: Networking
weight: 99
---
Who have I talked to today, are there any follow-ups or learnings?
## Fastly
* They were nice and are always up to talk if we ever need something
## Ozone
{{% notice style="note" %}}
They will follow up with a quick demo
{{% /notice %}}
* A interesting tektone-based CI/CD solutions that also integrates with oter platforms
* May be interesting for either ODIT or some of our customers
## Docker
* Talked to one salesperson just aboput the general conference
* Talked to one technical guy about docker buildtime optimization
## Rancher/Suse
* I just got some swag, Maik got a demo focussing on runtime security
## Kong
* They didn't have any Insomina stickers and the insomnia guy apparently already left
## Planetscale

6
content/day4/_index.md
View File

@@ -1,4 +1,6 @@
---
archetype: chapter
title: template
---
title: Day 4
---
The last day with a limited sponsor expo (10:00-14:30) and a bunch of people on the move (not me)