Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Red Hat OpenShift / OpenShift Commons Gathering: Los Angeles 2021 / 3 Nov 2021
Red Hat OpenShift / OpenShift Commons Gathering: Los Angeles 2021 / 3 Nov 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Deploy a Service Mesh, Run mTLS everywhere Sitram Iver (Jetstack) OpenShift Commons Gathering 2021

Description

OpenShift Commons Gathering 2021
Lightning Talk: Deploy a Service Mesh, Run mTLS everywhere
Speaker: Sitram Iver (Jetstack)

https://commons.openshift.org/index.html#join

A

So I've been speaking for the last 18 months or so from my home on zoom. So thank you, michael for the opportunity to come, speak here and wear pants because I haven't been wearing pants for a long time now it's been an opportunity for me to really wear pants and speak um so just a quick way to sort of talk through what we do.

A

So we are jet stack, a company that sort of you know is behind the search manager project for those who don't know or those who have been using search manager for a long time.

A

This is essentially a way for you to to manage certificates within your openshift clusters, whether for your routes, whether for your ingresses, whether for your parts, whether for your you know mesh workloads, something that many of our customers have been using just as a little bit of a background search manager is an open source project. Completely sort of you know being used by a large number of users, large number of organizations.

A

Many of you here in this room and also online, probably use it so something that that will look forward for people to contribute also to extend and add more functionality.

A

So jet stack, like I said, is the company behind the search manager, project and um and over a period of you know the last couple of years, we've added a lot of enterprise features that is very relevant to many of our openshift customers, especially many of our large banks that work very closely with us, and then today I just want to sort of you know start with with a little high level of you know.

A

What is that you get from search manager, uh basically a bunch of crds that allow you to create this certificate resource that automatically manages your certificate request, with the ca that you configure something that we refer to as an issuer, so you can have you know either a built-in issuer that comes in or an external issuer that that you work with many other uh providers.

A

The idea is that, with this certificate request that manages the entire life cycle, you have a way to manage x4, x509 certificates and identities. For all of the services and applications that are deployed in your cluster, that's essentially, where sort of you know a lot of a lot of our organizations or a lot of the customers that we work with use it.

A

But many of you know there are a lot of a lot of places where certificates need to be managed in kubernetes um and in this session, which is a lightning round. I just wanted to sort of you know quickly, take a little bit of time, just talking, mostly in the context of a service mesh and and the reason why I wanted to talk in the context of service mesh.

A

Is you know, majority of our openshift customers today are rolling out service mesh either the the red hat service mesh, which is a little uh well with adapt service measure, also or also independently, rolling out the service mesh uh directly from his theorem simple way again, I don't want to bore you with this. You know what a service mesh is. There's a data plane, there's a proxy there's data occurring across it, but the one important thing that we focus on is that padlock and ensuring that you know there is a mesh workload.

A

Every mesh workload that you have is secured is sort of you know, uh identified with uh with the spiffy sand that is issued by and managed search manager.

A

So a simple idea, being you know, as you sort of you know, grow as you sort of you know manage your cluster, so there is a lot of need for ensuring uh making sure that you know there is zero trust between every single component that is running within the cluster ingress is securing ingresses is one thing, but you know also making sure that you know every single line of communication within your clusters, or also secured um and, uh and basically you could say all right. I've got this.

A

There got service mesh, it's got its built-in ca. Why do I need anything else, because I get everything else everything automatically with with a service mesh, because security is one of the three important things that a service mesh does fair question.

A

One of the things that many of the enterprises that we work with want to make sure is that the identity that is issued to the mesh workloads has its chain of trust established back to the ca that the organizations manage the pki teams manage the infosex manage because it's essentially the entire chain of trust that needs to be managed by the pki team. So we have this project called is theo csr. The search manager also has add-ons istio.

A

Csr is one of the open source project again, basically built with the idea of making sure that you know all of your istio workloads and control plane components are secured using cert manager, cert manager. Issuers that I talked about will sign and will deliver, will renew certificates uh facilitating mtls across the cluster?

A

One of this is the important thing you know when I said that you know why. Why do I need anything else when I have sdo so cert manager, essentially disables the sdrca server, and allows you to use cert manager with your ca with the organization's pki infrastructure that is in place to issue certificates and manage it?

A

Automatic renewal obviously is built into search manager and you get the benefit of automatically managing everything and every time application is destroyed, kill parts, the private key material and all of the the associated information about the secrets and everything is it's just gone so that way, you know every time a new workload is deployed. You get new certificates that ties back to the organization's ca, so jetstack secure is the enterprise offering that sort of you know ties it all together.

A

So, like I mentioned a lot of lot of big organizations, especially enterprises uh in addition to wanting cert manager, support enterprise support, also work with uh work with us to sort of you know manage their entire ecosystem of you know, tools that they use within their openshift environments.

A

Summary just just as a way to I know. Michael is looking at me and I'm gonna either run away from him with the mic and keep speaking or I'll have to give the mic back to him. One of those things will happen, but just as a way, you know want your help get engaged with us. You know we are on the kubernetes slack channel, assert manager, cert manager, tef, there's a lot of people. That sort of you know actively contribute um see us at booth. S52, that's where we are.

A

um We also have an after party come see us at the booth and we'll tell you where, when how get get drink with us so looking forward to meeting with you all, thank you so much thanks, michael.

A

You.