2.5 KiB
2.5 KiB
title | weight | tags | |||
---|---|---|---|---|---|
Cryptographically Signed Swag: Cert-Manager’s Stamped Certificates | 5 |
|
{{% button href="https://youtu.be/vEeyZcQuD_A" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}}
A talk by the cert manager maintainers that also staffed the cert manager booth. Humor is present, but the main focus is still the technical integration
Baseline
- Cert manager is the best™ way of getting certificates
- Poster features: Auto-renewal, ACME, PKI, HC Vault
- Numbers: 20M downloads 427 contributors 11.3 GitHub stars
- Currently on the graduation path
History
- 2016: Jetstack created kube-lego -> A operator that generated LE certificates for ingress based on annotations
- 2o17: Cert manager launch -> Cert resources and issuer resources
- 2020: v1.0.0 and joined CNCF sandbox
- 2022: CNCF incubating
- 2024: Passed the CNCF security audit and on the way to graduation
The booth works
How it came to be
- The idea: Mix the digital certificate with the classical seal
- Started as the stamping idea to celebrate v1 and send contributors a thank you with candles
- Problems: Candles are not allowed -> Therefor glue gun
How it works
- Components
- Raspberry Pi with k3s
- Printer
- Cert manager
- A Go-based Web-UI
- QR-Code: Contains link to certificate with private key
flowchart LR
ui(UI in go)-->|Generate cert ressource|kubeapi
kubeapi-->|Issue certificate|CertManager
CertManager-->|Certificate|ui
ui-->|print|Printer
What is new this year
- Idea: Certs should be usable for TLS
- Solution: The QR-Code links to a zip-download with the cert and private key
- New: ECDSA for everything
- New: A stable root ca with intermediate for every conference
- New: Guestbook that can only be signed with a booth issued certificate -> Available via script
Learnings
- This demo is just a private CA with cert manager -> Can be applied to any PKI-usecases
- The certificate can be created via the CR, CSI driver (create secret and mount in container), ingress annotations, ...
- You can use multiple different Issuers (CA Issuer aka PKI, Let's Encrypt, Vault, AWS, ...)
flowchart LR
ui-->|Input certificate subject details|CertManager
cai(CA Issuer)-->|Source for certificate|CertManager
CertManager-->|Creates|sr(Secret Ressource)
Conclusion
- This is not just a demo -> Just apply it for machines
- They have regular meetings (daily stand-ups and bi-weekly)