
Alan McGinlay amcginlay

View GitHub Profile
@amcginlay
amcginlay / comparing-cert-manager-csi-drivers.md
Last active August 7, 2023 13:34
Comparing cert-manager CSI drivers

Comparing cert-manager CSI drivers

You will see the following cert-manager CSI drivers side-by-side:

Lightweight cluster creation

Create a disposable KinD cluster as follows.

@amcginlay
amcginlay / python-notes.md
Last active June 7, 2023 22:28
python-notes.md

Python Notes

Virtual Environments

Python virtual environments are used to create an isolated environment for Python projects. Each virtual environment has its own set of Python packages installed, separate from the global Python installation.

This helps provide:

  • Dependency management
  • Isolation
@amcginlay
amcginlay / istio-csr-with-tlspk.md
Last active May 5, 2023 19:03
istio-csr-with-tlspk.md

Using istio-csr with TLSPK

Download the tlspk-helper script and istioctl CLI.

curl -fsSLO https://venafi-ecosystem.s3.amazonaws.com/tlspk/v1/tlspk-helper.sh && chmod 700 tlspk-helper.sh
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.17.2 sh -
sudo mv istio-*/bin/istioctl /usr/local/bin

Create a local K8s cluster.

@amcginlay
amcginlay / istio-mvp.md
Last active May 3, 2023 12:04
istio-mvp.md

istio-mvp

Question: What's the absolute minimum I need to show Istio in action?

Create cluster.

kind create cluster --name istio-mvp --image kindest/node:v1.26.3

Install istioctl, run a precheck, install, then check status.

@amcginlay
amcginlay / istio-traffic-shifting.md
Last active April 29, 2023 13:50
istio-traffic-shifting

istio-traffic-shifting

This example shows a meshed app with a single frontend and a pair of backends (blue and green). A VirtualService is created to split the frontend->backend traffic 50/50 between blue and green.

Create cluster.

kind create cluster --name servicemesh --image kindest/node:v1.26.3

TLSPK Venafi Enhanced Issuer with TLSPC and Vault (v2)

NOTE: v2 of this walkthrough minimizes the use of jsctl and explicitly installs js-operator:v0.0.1-alpha.24 (via Helm) which has built in support for the latest version of VenafiEnhancedIssuer/VenafiConnection CRDs.

Terminology:

  • TLSPK: TLS Protect for Kubernetes (previously Jetstack Secure or JSS)
  • TLSPC: TLS Protect Cloud (previously Venafi as a Service or VaaS)
  • TLSP: TLS Protect Data Centre (previously Venafi Trust Protection Platform or TPP)
  • VEI: Venafi Enhanced Issuer (not to be confused with the native cert-manager issuer for Venafi)

Minimizing the use of jsctl

Minimizing the use of the jsctl CLI gives you more flexibility.

For example:

  • You get to install whatever version of js-operator you desire
  • You force yourself to get familiar with the controller's Installation manifest, which jsctl otherwise attempts to abstract away

Start cluster

Adventures in OpenShift (OKD on AWS)

Cloud9 Jumpbox

Create a Cloud9 jumpbox using Steps 01-03 here. This box will need sufficient AWS privileges, for example, for EC2 and Route53.

Inspired by Installing a cluster quickly on AWS

Set base directory

TLSPK Venafi Enhanced Issuer with TLSPC and Vault

Terminology:

  • TLSPK: TLS Protect for Kubernetes (previously Jetstack Secure or JSS)
  • TLSPC: TLS Protect Cloud (previously Venafi as a Service or VaaS)
  • TLSP: TLS Protect Data Centre (previously Venafi Trust Protection Platform or TPP)
  • VEI: Venafi Enhanced Issuer (not to be confused with the native cert-manager issuer for Venafi)

cert-manager's native Venafi issuer requires Kubernetes Secrets to hold Venafi credentials (e.g. API keys). Ideally you want to eliminate the use of such secrets altogether, since each one is a potential attack vector.

Smallstep cert-manager issuer with TLSPK

Create KinD cluster, connect to TLSPK and deploy enterprise cert-manager

k8s_name=kind-$(date +"%y%m%d%H%M")
cat <<EOF | kind create cluster --config -
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: ${k8s_name}
nodes: