kubecon24/content/day4/05_certmanager.md
2024-03-25 13:45:10 +01:00

---
title: "Cryptographically Signed Swag: Cert-Manager's Stamped Certificates"
weight: 5
tags:
- platform
- cert
- security
---
A talk by the cert-manager maintainers, who also staffed the cert-manager booth.
Humor is present, but the main focus is still the technical integration.
## Baseline
* cert-manager is the best™ way of getting certificates
* Poster features: auto-renewal, ACME, PKI, HashiCorp Vault
* Numbers: 20M downloads, 427 contributors, 11.3 GitHub stars
* Currently on the graduation path
## History
* 2016: Jetstack created kube-lego -> an operator that generated Let's Encrypt certificates for Ingress resources based on annotations
* 2017: cert-manager launch -> Certificate resources and Issuer resources
* 2020: v1.0.0 and joined the CNCF sandbox
* 2022: CNCF incubating
* 2024: Passed the CNCF security audit and is on the way to graduation
## The booth works
### How it came to be
* The idea: mix the digital certificate with the classical wax seal
* Started as the stamping idea to celebrate v1 and send contributors a thank-you, originally with candles
* Problem: candles are not allowed -> therefore a glue gun
### How it works
* Components
  * Raspberry Pi with k3s
  * Printer
  * cert-manager
  * A Go-based web UI
* QR code: contains a link to the certificate together with its private key
```mermaid
flowchart LR
ui(UI in Go)-->|Generate Certificate resource|kubeapi
kubeapi-->|Issue certificate|CertManager
CertManager-->|Certificate|ui
ui-->|print|Printer
```
### What is new this year
* Idea: the certs should be usable for real TLS
* Solution: the QR code links to a zip download with the cert and the private key
* New: ECDSA for everything
* New: a stable root CA with a separate intermediate for every conference
* New: a guestbook that can only be signed with a booth-issued certificate -> available via script
## Learnings
* This demo is just a private CA run by cert-manager -> the same setup applies to any PKI use case
* The certificate can be created via the Certificate CR, the CSI driver (creates the secret and mounts it into the container), Ingress annotations, ...
* You can use multiple different issuers (CA Issuer aka PKI, Let's Encrypt, Vault, AWS, ...)
```mermaid
flowchart LR
ui-->|Input certificate subject details|CertManager
cai(CA Issuer)-->|Source for certificate|CertManager
CertManager-->|Creates|sr(Secret resource)
```
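As an added example (not code from the talk or from the cert-manager project), the manifests for the chain the talk describes: a stable ECDSA root, a per-conference intermediate, and a leaf certificate per attendee, all issued by CA Issuers. Every name, namespace and duration below is assumed; the self-signed ClusterIssuer exists only to bootstrap the root.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata: {name: bootstrap-selfsigned}   # used once, only to self-sign the root
spec: {selfSigned: {}}
---
# Stable root CA: ECDSA P-384, 10 years; ClusterIssuer secrets live in the cert-manager ns
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: {name: booth-root-ca, namespace: cert-manager}
spec:
  isCA: true
  commonName: booth-root-ca
  duration: 87600h
  privateKey: {algorithm: ECDSA, size: 384}
  secretName: booth-root-ca
  issuerRef: {name: bootstrap-selfsigned, kind: ClusterIssuer}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata: {name: booth-root-ca}   # signs only the per-conference intermediates
spec: {ca: {secretName: booth-root-ca}}
---
# Per-conference intermediate (30 days), issued straight into the booth namespace
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: {name: kubecon-eu-2024-ca, namespace: booth}
spec:
  isCA: true
  commonName: kubecon-eu-2024-ca
  duration: 720h
  privateKey: {algorithm: ECDSA, size: 256}
  secretName: kubecon-eu-2024-ca
  issuerRef: {name: booth-root-ca, kind: ClusterIssuer}
---
apiVersion: cert-manager.io/v1
kind: Issuer   # namespaced: a CA Issuer's secret must share its namespace
metadata: {name: booth-intermediate, namespace: booth}
spec: {ca: {secretName: kubecon-eu-2024-ca}}
---
# Leaf the UI creates per attendee; tls.crt, tls.key and ca.crt land in secretName
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: {name: attendee-0001, namespace: booth}
spec:
  commonName: attendee-0001
  duration: 168h
  privateKey: {algorithm: ECDSA, size: 256}
  usages: [digital signature, client auth]
  secretName: attendee-0001-tls
  issuerRef: {name: booth-intermediate, kind: Issuer}
```

Once applied, `kubectl get certificate -n booth` should list both the intermediate and the leaf as READY; the zip behind the QR code corresponds to the `tls.crt` and `tls.key` entries of `attendee-0001-tls`.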
## Conclusion
* This is not just a demo -> apply the same pattern to machine identities
* They have regular meetings (daily standups and a bi-weekly meeting)