Help devops implement PKI

Figure: Key Venafi Integrations

DevOps teams already have plenty to do, and on top of that they are expected to bring expertise in cryptography and public key infrastructure (PKI). That is not reasonable.

Yet every machine needs a valid TLS certificate: servers, containers, virtual machines and the workloads inside a service mesh. The number of keys and certificates snowballs, and managing them by hand quickly becomes chaotic, expensive and risky. Without policy enforcement and monitoring, the business is exposed to weak certificates (short keys, deprecated algorithms, unapproved issuers) and to outages caused by unexpected expiration.

GlobalSign and Venafi hosted two webcasts aimed at DevOps teams. The first is an introduction; the second gives more specific technical advice on obtaining GlobalSign certificates through Venafi Cloud using open source tooling: HashiCorp Vault, driven from a Jenkins CI/CD pipeline.

The main problems with existing certificate management processes stem from the sheer number of separate procedures that teams end up running:

  • Generating self-signed certificates with OpenSSL.
  • Running multiple HashiCorp Vault instances to operate a private CA or to issue self-signed certificates.
  • Filing requests for trusted certificates from a public CA.
  • Using certificates issued by public cloud providers.
  • Automating Let's Encrypt certificate renewal.
  • Writing custom scripts.
  • Configuring DevOps tools such as Red Hat Ansible, Kubernetes and Pivotal Cloud Foundry by hand.

Each of these procedures takes time and adds room for error. Venafi is trying to solve these problems and make life easier for DevOps.


The GlobalSign and Venafi demo has two parts: first, how to set up Venafi Cloud and GlobalSign PKI; then, how to use them to request certificates that comply with established policy, from the tools teams already use.

Key topics:

  • Automate certificate issuance within existing DevOps CI/CD practices (e.g. Jenkins).
  • Instant access to PKI and certificate services across the entire application stack (a certificate is issued within about two seconds).
  • Standardizing the public key infrastructure with ready-made integrations for container orchestration, secrets management and automation platforms (for example Kubernetes, OpenShift, Terraform, HashiCorp Vault, Ansible, SaltStack and others). The general certificate issuance flow is shown in the illustration below.

    Figure: Certificate issuance flow through HashiCorp Vault, Venafi Cloud and GlobalSign. In the diagram, CSR stands for "Certificate Signing Request".

  • High throughput and robust PKI infrastructure for dynamic, highly scalable environments
  • Policy-based enforcement of security requirements and visibility into every certificate that has been issued.

This approach lets you build a reliable system without being an expert in cryptography or PKI.
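The Jenkins side of the flow above, as an added example that is not from the webcast or from Venafi, GlobalSign or HashiCorp: a declarative pipeline stage that asks Vault, with the Venafi secrets engine mounted at the path "venafi-pki" and a role named "cloud", to issue a certificate for the service being deployed. The mount path, the role name, the Vault address, the credential ID "vault-token-ci", the hostname and the JSON field names "certificate" and "private_key" are assumptions; check them against the version of the Venafi Vault plugin you run.

```groovy
// Added example, not code from the webcast or from the Venafi plugin.
// Assumptions: Venafi secrets engine mounted at "venafi-pki", role "cloud",
// a Jenkins string credential "vault-token-ci" holding a Vault token,
// and the vault, jq and openssl binaries on the agent.
pipeline {
    agent any
    environment {
        VAULT_ADDR   = 'https://vault.example.internal:8200'  // assumed Vault address
        SERVICE_FQDN = 'api.example.com'                       // assumed subject name
    }
    stages {
        stage('Issue TLS certificate') {
            steps {
                // The token comes from the Jenkins credential store, never from the repository.
                withCredentials([string(credentialsId: 'vault-token-ci', variable: 'VAULT_TOKEN')]) {
                    sh '''
                        set -eu
                        # Vault generates the key pair and CSR and forwards the CSR through
                        # Venafi Cloud to GlobalSign. Policy (allowed domains, key size, TTL)
                        # is enforced by the Vault role and the Venafi zone, not by this script.
                        vault write -format=json venafi-pki/issue/cloud \
                            common_name="${SERVICE_FQDN}" > issue.json
                        jq -r .data.certificate issue.json > tls.crt
                        jq -r .data.private_key issue.json > tls.key
                        chmod 0600 tls.key

                        # Sanity checks before anything is deployed:
                        # 1. the certificate's public key matches the private key we received
                        #    (works for RSA and EC keys);
                        cert_pub=$(openssl x509 -noout -pubkey -in tls.crt)
                        key_pub=$(openssl pkey -pubout -in tls.key)
                        [ "$cert_pub" = "$key_pub" ]
                        # 2. it carries the name we asked for;
                        openssl x509 -noout -subject -in tls.crt | grep -q "${SERVICE_FQDN}"
                        # 3. it is not about to expire (fail if it expires within 7 days).
                        openssl x509 -noout -checkend 604800 -in tls.crt
                    '''
                }
            }
        }
        // A deploy stage that consumes tls.crt and tls.key would follow here.
    }
    post {
        // Do not leave the private key or the raw API response lying on the build agent.
        always { sh 'rm -f issue.json tls.key' }
    }
}
```

The point of the three checks is that the pipeline fails loudly at issuance time rather than at first TLS handshake in production: a mismatched key, a certificate for the wrong name, or one that is already near expiry are exactly the failure modes the rest of this page warns about.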

Figure: Venafi Secrets Engine

Venafi goes further and claims that this is the more cost-effective solution in the long run, since it removes the need for highly paid PKI specialists and the associated support costs.

The solution plugs into the existing CI/CD pipeline and is meant to cover all of a company's certificate needs, so developers and DevOps engineers can move faster without having to deal with difficult cryptographic questions themselves.

Source: habr.com
