Wednesday, May 1, 2019

We were discussing keys and certificates. The keystore and truststore can be one and the same if the connections are internal; in that case the client and the server share the same key and certificate. Mutual authentication, on the other hand, is the case where the server and the client present different certificates. In this sequence of message exchanges for mutual authentication between the server and the client, the server initiates the messages. First, the server sends the hello message. Next it sends its certificate, followed by a request for the client's certificate, and lastly the server-side hello done message. The client responds first with its certificate. Then it sends the session key in the client key exchange message. Then it sends the certificate verify message and changes the cipher spec. Lastly it sends the client-side finished message. The server closes the mutual authentication with the change cipher spec message and the server-side finished message.

There are packages that manage certificates to secure ingress, including certificates of different types or from different issuers. The certificates can be self-signed; however, these packages do not build keystores and truststores. Their usefulness is that they provide a centralized mechanism for managing certificates. In a Kubernetes cluster, such a package can be deployed in its own pod, and all the certificates required can then be generated from cert-manager.

Certificates can come from different issuers. The ACME issuer obtains certificates from an ACME server. The CA issuer signs certificates using a signing key pair. The Vault issuer issues certificates using a shared Vault instance. Self-signed certificates are issued privately. The Venafi issuer issues certificates from a Venafi cloud or platform instance.
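As an added example (not from the original post or from the cert-manager project itself), the following cert-manager manifests tie together the self-signed and CA issuers described above with the mutual-authentication case from the first paragraph: a self-signed issuer bootstraps a private CA, a CA issuer signs leaf certificates with that key pair, and two Certificate resources request a server certificate (presented by the server in its certificate message) and a client certificate (returned by the client after the certificate request). The namespace, resource names and DNS names are assumed placeholders.

```yaml
# Added example, not part of the original post. Namespace "internal",
# resource names and DNS names are placeholders.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: bootstrap-selfsigned
  namespace: internal
spec:
  selfSigned: {}          # self-signed issuer: signs with the requester's own key
---
# The private root CA is itself a self-signed certificate (isCA: true).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-root-ca
  namespace: internal
spec:
  isCA: true
  commonName: internal-root-ca
  secretName: internal-root-ca   # holds tls.key (CA signing key) and tls.crt
  duration: 87600h               # 10 years
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: bootstrap-selfsigned
    kind: Issuer
    group: cert-manager.io
---
# CA issuer: signs leaf certificates with the key pair stored in the secret above.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: internal-ca
  namespace: internal
spec:
  ca:
    secretName: internal-root-ca
---
# Server certificate: what the server presents in its certificate message.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-server-tls
  namespace: internal
spec:
  secretName: api-server-tls
  duration: 2160h     # 90 days
  renewBefore: 360h   # rotate 15 days before expiry
  dnsNames:
    - api.internal.svc
    - api.internal.svc.cluster.local
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: internal-ca
    kind: Issuer
---
# Client certificate: what the client returns after the server's certificate request.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: worker-client-tls
  namespace: internal
spec:
  secretName: worker-client-tls
  duration: 2160h
  renewBefore: 360h
  commonName: worker
  usages:
    - digital signature
    - key encipherment
    - client auth
  issuerRef:
    name: internal-ca
    kind: Issuer
```

Each Certificate produces a Secret with `tls.key`, `tls.crt` and `ca.crt`. The server mounts `api-server-tls` and verifies client certificates against `ca.crt`; the client mounts `worker-client-tls` and verifies the server against the same `ca.crt`, which is the "same truststore on both sides" situation the post describes for internal connections. `kubectl get certificate -n internal` shows whether each resource has reached the Ready state, and because the signing key lives in the `internal-root-ca` Secret, read access to that namespace's Secrets should be limited to cert-manager and the workloads that need them.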

Although Kubernetes manages secrets itself, a consolidator can help with specific secret types. Libraries for this, such as cert-manager, are popular and well documented. Using a library also reduces the code the application needs to manage these specific types of secrets. The external dependencies for generating secrets are like any other dependency of the application code, so they can be registered and maintained in one registry.
