From YouTube: Deploy a Service Mesh, Run mTLS everywhere - Sitaram Iyer (Jetstack) - OpenShift Commons Gathering 2021
Description
OpenShift Commons Gathering 2021
Lightning Talk: Deploy a Service Mesh, Run mTLS everywhere
Speaker: Sitaram Iyer (Jetstack)
https://commons.openshift.org/index.html#join
So I've been speaking for the last 18 months or so from my home on Zoom. So thank you, Michael, for the opportunity to come, speak here and wear pants, because I haven't been wearing pants for a long time now. It's been an opportunity for me to really wear pants and speak. So, just a quick way to sort of talk through what we do.
This is essentially a way for you to manage certificates within your OpenShift clusters, whether for your routes, whether for your ingresses, whether for your pods, whether for your, you know, mesh workloads, something that many of our customers have been using. Just as a little bit of a background, cert-manager is an open source project, completely, sort of, you know, being used by a large number of users, a large number of organizations.
So Jetstack, like I said, is the company behind the cert-manager project, and over a period of, you know, the last couple of years, we've added a lot of enterprise features that are very relevant to many of our OpenShift customers, especially many of our large banks that work very closely with us. And then today I just want to sort of, you know, start with a little high level of, you know...
What is it that you get from cert-manager? Basically a bunch of CRDs that allow you to create this Certificate resource that automatically manages your certificate request with the CA that you configure, something that we refer to as an Issuer. So you can have, you know, either a built-in issuer that comes in, or an external issuer that you work with from many other providers.
The idea is that, with this certificate request that manages the entire life cycle, you have a way to manage X.509 certificates and identities for all of the services and applications that are deployed in your cluster. That's essentially where, sort of, you know, a lot of our organizations, or a lot of the customers that we work with, use it.
But many of you know there are a lot of places where certificates need to be managed in Kubernetes, and in this session, which is a lightning round, I just wanted to sort of, you know, quickly take a little bit of time, just talking mostly in the context of a service mesh. And the reason why I wanted to talk in the context of service mesh...
...is, you know, the majority of our OpenShift customers today are rolling out service mesh, either the Red Hat Service Mesh, which is a little, well, an adapted service mesh, or also independently rolling out the service mesh directly from Istio. Simple way again, I don't want to bore you with this. You know what a service mesh is: there's a data plane, there's a proxy, there's data occurring across it. But the one important thing that we focus on is that padlock, and ensuring that, you know, there is a mesh workload...
...every mesh workload that you have is secured, is sort of, you know, identified with the SPIFFE SAN that is issued by and managed by cert-manager.
So a simple idea being, you know, as you sort of, you know, grow, as you sort of, you know, manage your cluster, there is a lot of need for ensuring, making sure that, you know, there is zero trust between every single component that is running within the cluster. Securing ingresses is one thing, but, you know, also making sure that, you know, every single line of communication within your clusters is also secured. And basically you could say, all right, I've got this.
One of the things that many of the enterprises that we work with want to make sure is that the identity that is issued to the mesh workloads has its chain of trust established back to the CA that the organizations manage, the PKI teams manage, the infosec manage, because it's essentially the entire chain of trust that needs to be managed by the PKI team. So we have this project called istio-csr. cert-manager also has add-ons. istio-csr is one of the open source projects, again, basically built with the idea of making sure that, you know, all of your Istio workloads and control plane components are secured using cert-manager. The cert-manager Issuers that I talked about will sign, will deliver, will renew certificates, facilitating mTLS across the cluster.
One of the important things, you know, when I said, you know, why do I need anything else when I have Istio: so cert-manager essentially disables the Istio CA server, and allows you to use cert-manager with your CA, with the organization's PKI infrastructure that is in place, to issue certificates and manage it.
Automatic renewal obviously is built into cert-manager, and you get the benefit of automatically managing everything. And every time an application is destroyed, you kill pods, the private key material and all of the associated information about the secrets and everything is just gone, so that way, you know, every time a new workload is deployed, you get new certificates that tie back to the organization's CA. So Jetstack Secure is the enterprise offering that sort of, you know, ties it all together.
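The chain-of-trust requirement and the per-workload SPIFFE identity described above, as an added Go example (not code from the talk, from cert-manager or from istio-csr): it builds a constructed root CA standing in for the organisation's PKI, issues a short-lived leaf carrying a SPIFFE URI SAN the way istio-csr obtains one from a cert-manager Issuer, and implements the check a platform team would run against a workload certificate, that it chains to the org root and carries exactly the expected identity. The SPIFFE ID, CA name and RSA-2048 keys are assumptions.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// must panics on err: acceptable in this demo, not in an operator.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates an RSA-2048 key and a certificate for tmpl; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// IssueWorkloadCert builds a constructed root CA (stand-in for the org PKI root) and a short-lived leaf whose only SAN is spiffeID.
func IssueWorkloadCert(rootName, spiffeID string) (leaf, root *x509.Certificate) {
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: rootName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(2), URIs: []*url.URL{must(url.Parse(spiffeID))},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}, root, rootKey)
	return leaf, root
}
// CheckWorkloadIdentity: the leaf must chain to the trusted org root and carry exactly the expected SPIFFE ID.
func CheckWorkloadIdentity(leaf, root *x509.Certificate, want string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return fmt.Errorf("chain does not reach org root: %w", err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].String() != want {
		return fmt.Errorf("unexpected identity %v, want %s", leaf.URIs, want)
	}
	return nil
}
```

A leaf issued by any CA other than the trusted root, or one carrying a different SPIFFE ID than the workload's service account implies, is rejected by CheckWorkloadIdentity.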
So, like I mentioned, a lot of big organizations, especially enterprises, in addition to wanting cert-manager support, enterprise support, also work with us to sort of, you know, manage their entire ecosystem of, you know, tools that they use within their OpenShift environments.
Summary, just as a way to... I know Michael is looking at me, and I'm gonna either run away from him with the mic and keep speaking, or I'll have to give the mic back to him. One of those things will happen. But just as a way, you know, want your help, get engaged with us. You know, we are on the Kubernetes Slack channels, cert-manager and cert-manager-dev. There's a lot of people that sort of, you know, actively contribute. See us at booth S52, that's where we are.