kubecon24/content/day4/05_certmanager.md
2024-03-26 15:43:47 +01:00

---
title: "Cryptographically Signed Swag: Cert-Managers Stamped Certificates"
weight: 5
tags:
- platform
- cert
- security
---
{{% button href="https://youtu.be/vEeyZcQuD_A" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}}
A talk by the cert manager maintainers that also staffed the cert manager booth.
Humor is present, but the main focus is still the technical integration.
## Baseline
* Cert manager is the best™ way of getting certificates
* Poster features: Auto-renewal, ACME, PKI, HC Vault
* Numbers: 20M downloads 427 contributors 11.3 GitHub stars
* Currently on the graduation path
## History
* 2016: Jetstack created kube-lego -> An operator that generated LE certificates for ingress based on annotations
* 2017: Cert manager launch -> Cert resources and issuer resources
* 2020: v1.0.0 and joined CNCF sandbox
* 2022: CNCF incubating
* 2024: Passed the CNCF security audit and on the way to graduation
## The booth works
### How it came to be
* The idea: Mix the digital certificate with the classical seal
* Started as the stamping idea to celebrate v1 and send contributors a thank you with candles
* Problems: Candles are not allowed -> Therefore glue gun
### How it works
* Components
  * Raspberry Pi with k3s
  * Printer
  * Cert manager
  * A Go-based Web-UI
* QR-Code: Contains link to certificate with private key
```mermaid
flowchart LR
ui(UI in go)-->|Generate cert resource|kubeapi
kubeapi-->|Issue certificate|CertManager
CertManager-->|Certificate|ui
ui-->|print|Printer
```
### What is new this year
* Idea: Certs should be usable for TLS
* Solution: The QR-Code links to a zip-download with the cert and private key
* New: ECDSA for everything
* New: A stable root ca with intermediate for every conference
* New: Guestbook that can only be signed with a booth-issued certificate -> Available via script
## Learnings
* This demo is just a private CA with cert manager -> Can be applied to any PKI use case
* The certificate can be created via the CR, CSI driver (create secret and mount in container), ingress annotations, ...
* You can use multiple different Issuers (CA Issuer aka PKI, Let's Encrypt, Vault, AWS, ...)
```mermaid
flowchart LR
ui-->|Input certificate subject details|CertManager
cai(CA Issuer)-->|Source for certificate|CertManager
CertManager-->|Creates|sr(Secret Resource)
```
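The setup the talk describes (a stable root CA, a per-conference intermediate, ECDSA keys everywhere, and a CA Issuer that turns a Certificate resource into a Secret) can be expressed as plain cert-manager manifests. The following is an added example written for these notes, not the booth's own configuration: the resource names, the namespace-less placement, the durations and the `attendee-example` leaf are assumptions; the field names are the documented `cert-manager.io/v1` API.

```yaml
# Added example (not the booth's code): private CA chain with cert-manager.
# Bootstrap issuer: only used once, to self-sign the root CA certificate.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-bootstrap
spec:
  selfSigned: {}
---
# Long-lived root CA. ECDSA P-384 key; the root's Secret is the trust anchor
# that clients (e.g. the guestbook script) pin to.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: root-ca
spec:
  isCA: true
  commonName: Booth Root CA          # assumed name
  secretName: root-ca-secret
  duration: 87600h                   # ~10 years, assumed
  privateKey:
    algorithm: ECDSA
    size: 384
  issuerRef:
    name: selfsigned-bootstrap
    kind: Issuer
    group: cert-manager.io
---
# CA Issuer backed by the root's tls.crt/tls.key. Only used to sign intermediates.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: root-ca
spec:
  ca:
    secretName: root-ca-secret
---
# One intermediate per conference: short-lived, so a lost booth key
# does not require re-distributing the root.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kubecon24-intermediate
spec:
  isCA: true
  commonName: Booth Intermediate CA KubeCon EU 2024   # assumed name
  secretName: kubecon24-intermediate-secret
  duration: 2160h                    # 90 days, assumed
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: root-ca
    kind: Issuer
---
# CA Issuer backed by the intermediate; this is what the Go UI's
# Certificate resources reference.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: kubecon24-intermediate
spec:
  ca:
    secretName: kubecon24-intermediate-secret
---
# Leaf certificate as the UI would create it per attendee. The resulting
# Secret holds tls.crt, tls.key and ca.crt; tls.key is the private key that
# ends up in the QR-code zip, so treat that Secret as sensitive.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: attendee-example             # assumed, set per attendee by the UI
spec:
  commonName: attendee-example
  secretName: attendee-example-tls
  duration: 720h
  renewBefore: 240h
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always           # new key on every renewal
  usages:
    - digital signature
    - client auth                    # signing the guestbook over mTLS
    - server auth                    # "certs should be usable for TLS"
  issuerRef:
    name: kubecon24-intermediate
    kind: Issuer
```

Apply with `kubectl apply -f` into one namespace (Issuer is namespaced; use ClusterIssuer if the UI runs elsewhere), then `kubectl get certificate` should show all three as Ready. A verifier of guestbook signatures only needs `ca.crt` from `root-ca-secret` plus the current intermediate; rotating the intermediate at the next conference changes nothing for it.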
## Conclusion
* This is not just a demo -> Just apply it for machines
* They have regular meetings (daily stand-ups and bi-weekly)