Tim Ramlot

Senior Software Engineer at CyberArk

Lochristi, Belgium

Tim started working at CyberArk as a software engineer after graduating as a computer science engineer from Ghent University. He learned about cert-manager and CyberArk through a Google Summer of Code internship. His mission at CyberArk is to advance his problem-solving skills while contributing to the growth of the company and the OSS community. When he is not behind his laptop, he likes hiking and spending time with friends and family.

Area of Expertise

  • Information & Communications Technology

Topics

  • cert-manager
  • Kubernetes
  • API machinery

SPIFFE the Easy Way: universal x509 and JWT identities using cert-manager

SPIFFE is incredible. Each workload is assigned its own universal identity, simplifying the security and management of communications in distributed systems. While SPIRE (the reference SPIFFE implementation) is exceptionally powerful, it is also quite complex. Deploying SPIRE on Kubernetes requires StatefulSets, which can be challenging and frustrating.

Many cloud vendors are starting to offer turnkey SPIFFE solutions, but that comes with risk of vendor lock-in. In this talk, we will demonstrate how to use the Cloud Native cert-manager solution to implement SPIFFE (x509 and JWT) with low operational overhead for all Kubernetes workloads.

The session includes all you need to know to issue X.509 SVIDs, use them and validate them. Additionally, we will introduce an experimental solution to convert X.509 SVIDs into JWT SVIDs. The demo will highlight how to authenticate to third-party APIs (such as AWS, GCP, Azure, and others) using these JWT SVIDs.

How We Solved TLS at Scale: Self-Service, Multi-Tenant cert-manager

cert-manager is an open-source X.509 certificate controller for Kubernetes, designed to automate certificate management. In this session, we’ll explore how to configure cert-manager and its subprojects for large-scale certificate management.

At the scale of our production setup, managing and requesting certificates cannot be centralized and self-service is required. A self-service multi-tenant setup requires isolation between tenants, must support tenant-specific trust, and must be able to enforce security policies at scale.

We'll make use of key cert-manager subprojects including trust-manager, approver-policy, and csi-driver to simplify these challenges. You’ll walk away knowing how to use cert-manager in multi-tenant setups, leaving you free to focus on your all-important business logic!

Best friends keep no secrets: going secretless with cert-manager

In today's complex Kubernetes environments, managing secrets securely is a challenge. Traditional methods often involve complex configurations with secret vaults, secret syncing and secret backups. Regardless of which fancy technology is used, secrets always come with a risk of being leaked.

Most of the secrets used in traditional applications can be replaced by short-lived certificates. Applications can prove to be the owner of a certificate without sharing any secrets. In Kubernetes, cert-manager can be used to provision these certificates to all applications without sharing any secret information.

Table of contents:
- Do we actually need secrets? Comparing authentication methods: static secrets vs short-lived secrets and proof of ownership
- How to issue certificates using cert-manager without using [S|s]ecrets
- Compatibility and other challenges

Project Maintainers Explain cert-manager in 5 Levels of Difficulty

Discover the depths of cert-manager as project maintainers unveil its intricacies across five levels of difficulty.
Gain insights into available features, use cases, and best practices.
From beginners to experts, this talk equips you to conquer cert-manager with confidence.

Level 1: Obtain TLS certificates from pre-configured issuers using Ingress/Gateway annotations.
Level 2: Configure ACME Issuers and generate Secrets with private key + certificate chain using Certificate resources.
Level 3: Issue certificates from private PKIs and distribute CAs with trust-manager.
Level 4: Start using CSI-drivers and approver-policy plugins.
Level 5: Develop custom issuers, CSI-drivers, or approver-policy plugins.

Cryptographically Signed Swag: cert-manager’s Stamped Certificates

It’s the hottest KubeCon swag on the block: printed, wax-stamped X.509 certificates to take home and show off.

Since we started issuing these little certs in KubeCon Valencia back in May 2022, the cert-manager project pavilion booth has been a smash-hit success - in Chicago last year we issued so many certs that we ran out of wax!

But there’s more to the story than just the swag; these certs are issued on a local Kubernetes cluster running cert-manager, and the story of how we went from a concept to a certificate in your hand is interesting and illustrative for cert-manager as a project, generally!

In this talk we'll discuss:

- How we got to this point: a brief history of cert-manager.
- The technical stuff: how does the KubeCon certificate printer work?
- What's new: exciting changes since last year!
- What we can learn: how the same technology is used to secure critical infrastructure around the world!

Project Lightning Talk + Maintainer Track + Contribfest: KubeCon + CloudNativeCon Europe 2025 Sessionize Event

April 2025 London, United Kingdom

KubeCon + CloudNativeCon North America 2024 Sessionize Event

November 2024 Salt Lake City, Utah, United States

Project Lightning Talk + ContribFest + Maintainer Track: KubeCon + CloudNativeCon North America 2024 Sessionize Event

November 2024 Salt Lake City, Utah, United States

Maintainer Track + ContribFest: KubeCon + CloudNativeCon Europe 2024 Sessionize Event

March 2024 Paris, France

KubeCon + CloudNativeCon North America 2023 Sessionize Event

November 2023 Chicago, Illinois, United States
