78 lines
2.3 KiB
Markdown
78 lines
2.3 KiB
Markdown
---
|
||
title: "Cryptographically Signed Swag: Cert-Manager’s Stamped Certificates"
|
||
weight: 5
|
||
tags:
|
||
- platform
|
||
- cert
|
||
- security
|
||
---
|
||
|
||
A talk by the certmanager maintainers that also staffed the certmanager booth.
|
||
Humor is present, but the main focus is still thetechnical integration
|
||
|
||
## Baseline
|
||
|
||
* Certmanager is the best™ way of getting certificats
|
||
* Poster features: Autorenewal, ACME, PKI, HC Vault
|
||
* Numbers: 20M downloads 427 contributors 11.3 GitHub stars
|
||
* Currently on the gratuation path
|
||
|
||
## History
|
||
|
||
* 2016: Jetstack created kube-lego -> A operator that generated LE certificates for ingress based on annotations
|
||
* 2o17: Certmanager launch -> Cert ressources and issuer ressources
|
||
* 2020: v1.0.0 and joined CNCF sandbox
|
||
* 2022: CNCF incubating
|
||
* 2024: Passed the CNCF security audit and on the way to graduation
|
||
|
||
## The booth works
|
||
|
||
### How it came to be
|
||
|
||
* The idea: Mix the digital certificate with the classical seal
|
||
* Started as the stamping idea to celebrate v1 and send contributors a thank you with candels
|
||
* Problems: Candels are not allowed -> Therefor glue gun
|
||
|
||
### How it works
|
||
|
||
* Components
|
||
* RASPI with k3s
|
||
* Printer
|
||
* Certmanager
|
||
* A go-based webui
|
||
* QR-Code: Contains link to certificate with privatekey
|
||
|
||
```mermaid
|
||
flowchart LR
|
||
ui(UI in go)-->|Generate cert ressource|kubeapi
|
||
kubeapi-->|Issue certificate|CertManager
|
||
CertManager-->|Certificate|ui
|
||
ui-->|print|Printer
|
||
```
|
||
|
||
### What is new this year
|
||
|
||
* Idea: Certs should be usable for TLS
|
||
* Solution: The QR-Code links to a zip-download with the cert and provate key
|
||
* New: ECDSA for everything
|
||
* New: A stable root ca with intermediate for every conference
|
||
* New: Guestbook that can only be signed with a booth issued certificate -> Available via script
|
||
|
||
## Learnings
|
||
|
||
* This demo is just a private CA with certmanager -> Can be applied to any PKI-usecase
|
||
* The certificate can be created via the CR, CSI driver (create secret and mount in container), ingress annotations, ...
|
||
* You can use multiple different Issuers (CA Issuer aka PKI, Let's Encrypt, Vault, AWS, ...)
|
||
|
||
```mermaid
|
||
flowchart LR
|
||
ui-->|Input certificate subject details|CertManager
|
||
cai(CA Issuer)-->|Source for certificate|CertManager
|
||
CertManager-->|Creates|sr(Secret Ressource)
|
||
```
|
||
|
||
## Conclusion
|
||
|
||
* This is not just a demo -> Just apply it for machines
|
||
* They have regular meetings (daily standups and bi-weekly)
|