niggl
/
kubecon24
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
kubecon24/content/day4/05_certmanager.md

2.5 KiB
Raw Blame History

title weight tags
Cryptographically Signed Swag: Cert-Managers Stamped Certificates 5
platform
cert
security

{{% button href="https://youtu.be/vEeyZcQuD_A" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}}

A talk by the cert manager maintainers that also staffed the cert manager booth. Humor is present, but the main focus is still the technical integration

Baseline

  • Cert manager is the best™ way of getting certificates
  • Poster features: Auto-renewal, ACME, PKI, HC Vault
  • Numbers: 20M downloads 427 contributors 11.3 GitHub stars
  • Currently on the graduation path

History

  • 2016: Jetstack created kube-lego -> A operator that generated LE certificates for ingress based on annotations
  • 2o17: Cert manager launch -> Cert resources and issuer resources
  • 2020: v1.0.0 and joined CNCF sandbox
  • 2022: CNCF incubating
  • 2024: Passed the CNCF security audit and on the way to graduation

The booth works

How it came to be

  • The idea: Mix the digital certificate with the classical seal
  • Started as the stamping idea to celebrate v1 and send contributors a thank you with candles
  • Problems: Candles are not allowed -> Therefor glue gun

How it works

  • Components
    • Raspberry Pi with k3s
    • Printer
    • Cert manager
    • A Go-based Web-UI
  • QR-Code: Contains link to certificate with private key
flowchart LR
    ui(UI in go)-->|Generate cert ressource|kubeapi
    kubeapi-->|Issue certificate|CertManager
    CertManager-->|Certificate|ui
    ui-->|print|Printer

What is new this year

  • Idea: Certs should be usable for TLS
  • Solution: The QR-Code links to a zip-download with the cert and private key
  • New: ECDSA for everything
  • New: A stable root ca with intermediate for every conference
  • New: Guestbook that can only be signed with a booth issued certificate -> Available via script

Learnings

  • This demo is just a private CA with cert manager -> Can be applied to any PKI-usecases
  • The certificate can be created via the CR, CSI driver (create secret and mount in container), ingress annotations, ...
  • You can use multiple different Issuers (CA Issuer aka PKI, Let's Encrypt, Vault, AWS, ...)
flowchart LR
    ui-->|Input certificate subject details|CertManager
    cai(CA Issuer)-->|Source for certificate|CertManager
    CertManager-->|Creates|sr(Secret Ressource)

Conclusion

  • This is not just a demo -> Just apply it for machines
  • They have regular meetings (daily stand-ups and bi-weekly)