ssl automation for conventional systems

A problem not often considered by engineers operating in "cloud native" or "container native" environments is that of SSL certificate management at scale.

In platforms like Kubernetes, certificates, keys, and CSRs are all first-class resources, managed through configuration and automation.

But in traditional systems, certificate management is often done manually. If you're lucky, you may be able to install something like certbot to automatically provision certs directly to the server, but in internal networks, or in environments where certificates are managed and issued centrally, this is not possible. Additionally, you may not want to give every edge server the ability to modify your DNS for DNS-01 challenges, and network security policies may prevent you from accepting plaintext port 80 traffic for /.well-known HTTP validation.

If you've found yourself in this situation you may have resigned yourself to manually managing just a few certs a year, and checking your calendar reminders to ensure you don't forget to renew them.

You may have looked on at the certificate automation in Kubernetes, where certificates can be defined in a YAML file deployed through an automation pipeline, and certificates are automatically attached to load balancers and WAF providers as needed.

Well you can finally say goodbye to frantic midnight certificate renewals and re-installs.

cert-manager-sync

I've previously mentioned cert-manager-sync, a k8s operator that works alongside cert-manager to manage certificates and synchronize them to supported downstream clients whenever they are updated.

For container-native systems, this is useful to synchronize the origin certificates with WAF providers, but the ACM and Vault providers make it useful for managing certificates outside of the k8s cluster as well.

managing external certificates

While cert-manager and cert-manager-sync are themselves Kubernetes-native tools, they are only responsible for managing certificates - nothing dictates that those certs must be applied to the cluster itself.

cert-manager-sync can push certificates to AWS ACM, which allows them to be attached to API Gateways, CloudFront distributions, and other AWS-native resources.

cert-manager-sync can also push certificates to HashiCorp Vault. Vault is a highly available, highly scalable, and highly secure key-value store.

vault-ssl-sync

With cert-manager-sync handling the synchronization of the certificates to Vault, vault-ssl-sync is a small cross-platform binary that can retrieve updated certificates from Vault, update them on disk, and restart any required services that are using the certificates.

We can configure vault-ssl-sync to run on a schedule, so it will periodically connect to Vault, check if the certs have changed, and if so, update the certs locally and then restart our webserver.
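To make that scheduled loop concrete, here is an added example (not vault-ssl-sync's own code) in Python: read a KV v2 secret from Vault, install it only when the certificate on disk differs, and reload the service only on a change. The Vault mount, secret path, and the 'tls.crt'/'tls.key' key names are assumptions, and the PEM blobs in offline_demo are constructed placeholders, not real certificates.

```python
import hashlib, json, os, subprocess, tempfile, urllib.request

def fetch_tls_from_vault(addr, token, mount, path):
    """KV v2 read via Vault's HTTP API; assumes 'tls.crt'/'tls.key' entries (assumption)."""
    req = urllib.request.Request(f"{addr}/v1/{mount}/data/{path}", headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        data = json.load(resp)["data"]["data"]
    return data["tls.crt"], data["tls.key"]

def fingerprint(pem):
    # Hash the whitespace-normalised PEM (chain included); any re-issue registers as a change.
    return hashlib.sha256("".join(pem.split()).encode()).hexdigest()

def cert_changed(new_pem, cert_path):
    """True when nothing is installed yet or the on-disk cert differs from Vault's copy."""
    if not os.path.exists(cert_path):
        return True
    with open(cert_path) as f:
        return fingerprint(f.read()) != fingerprint(new_pem)

def write_atomic(path, content, mode):
    # Temp file + rename in the same directory: no half-written file, no world-readable key.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(tmp, mode)
    os.replace(tmp, path)

def sync(cert_pem, key_pem, cert_path, key_path, reload_cmd=None):
    """Install cert and key only if the cert changed; reload only then. Returns True on update."""
    if not cert_changed(cert_pem, cert_path):
        return False
    write_atomic(key_path, key_pem, 0o600)  # key first, so the cert never outruns its key
    write_atomic(cert_path, cert_pem, 0o644)
    if reload_cmd:
        subprocess.run(reload_cmd, check=True)  # e.g. ["systemctl", "reload", "nginx"]
    return True

def offline_demo():
    """Run sync() on constructed PEMs in a temp dir: (first_run, unchanged_rerun, after_renewal)."""
    old = "-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----\n"  # constructed
    new = "-----BEGIN CERTIFICATE-----\nQkJC\n-----END CERTIFICATE-----\n"  # constructed
    key = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"  # constructed
    with tempfile.TemporaryDirectory() as d:
        crt, k = os.path.join(d, "tls.crt"), os.path.join(d, "tls.key")
        return (sync(old, key, crt, k), sync(old, key, crt, k), sync(new, key, crt, k))

if __name__ == "__main__":
    # Real use: cert, key = fetch_tls_from_vault(os.environ["VAULT_ADDR"], token, mount, path)
    print(offline_demo())  # (True, False, True)
```

Running this on a schedule (cron or a systemd timer) with fetch_tls_from_vault feeding sync gives the same check-then-reload behaviour described above, with no reload when nothing has changed.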

We now have a complete SSL automation pipeline, not only for our container native environments, but also our traditional systems and VMs.

Now delete those calendar reminders and let's get to the good stuff.

last updated 2022-03-22T20:16:42-0700