Altitude San Francisco 2018: Bringing TLS to GitHub Pages

•

0 likes•166 views

Sam Kottler, SRE Engineering Manager at GitHub will dig into how they rearchitected Pages, so that custom domains now support HTTPS, meaning over a million GitHub Pages sites will be served over HTTPS.

Technology

Sam Kottler + Jacob Hoffman-Andrews
September 13, 2018
Bringing TLS to
GitHub Pages

We’ll Cover
• What is GitHub Pages?
• Previous architecture and desired improvements
• Introducing TLS support with Let’s Encrypt
• Let’s Encrypt overview

skottler.github.io
github.com/skottler/skottler.github.io

Previous Architecture
and Desired
Improvements

Target Improvements
• Support TLS for users across github.io and custom
domains
• Serve all user traffic via the CDN for consistent
performance
• Transition users across CNAME/ALIAS/A records to a
dedicated set of IPs

Introducing TLS
support with Let’s
Encrypt

Certiﬁcate management
• State machine manages cert lifecycle
• Fastly implemented storage for hundreds of 1ks of certs
• Certificates for existing custom domains got backfilled

Let’s Encrypt
• Certificate authority
• ACME protocol *
* https://ietf-wg-acme.github.io/acme/

Let’s Encrypt
* https://ietf-wg-acme.github.io/acme/
Goal: Encrypt the entire Web

Let’s Encrypt
* https://ietf-wg-acme.github.io/acme/
Automated, Easy, Free: Pick all three

Let’s Encrypt
* https://ietf-wg-acme.github.io/acme/
ACME: A standard API for certiﬁcate issuance

ACME Issuance Overview
* https://ietf-wg-acme.github.io/acme/

ACME Challenge Types
* https://ietf-wg-acme.github.io/acme/
• HTTP: Put a special file on your Web server
• DNS: Provision a DNS record for your domain
• ALPN: Validate domain control at TLS level alone

By the numbers
* https://ietf-wg-acme.github.io/acme/
● GitHub integration: 4 million certificates
● Overall: 82 million active certificates
● 129 million active domains
● Issuing 900,000 new certificates per day

Big Thanks To Sponsors and Donors
* https://ietf-wg-acme.github.io/acme/
● Fastly
● GitHub
● And You!

skottler@github.com
@samkottler
jsha@letsencrypt.org
@j4cob

說明Kubernetes網路層架構與設計, 包括Kubernetes在不同節點上容器和容器之間的溝通。老實說，Kubernetes網路介面的概念都是很抽象的。甚至對很多不清楚網路架構的人來說也很難快速就搞的懂。對大多數的開發者而言，並不需要自己去實作這些虛擬網路技術，但是理解kubernets的overlay網路概念是必須的。因為pod網絡地址會顯示在很多Kubernetes的日誌中。因此在做調試或解決問題時，在某些情況下，我們會需要明確定義網路由(network route)或是追縱路由。這個時候，對Kubernetes “pod網路”的理解將會讓我們從混沌不明中得到解決問題的曙光。 Youtube: https://youtu.be/8DH_oB6D3vc

CNCF explore k8s api using java client

Erhwen Kuo

透過K8S的API來設計工具或應用程式 (Java) 使用官方版本的Kubernetes客戶端框架創建一個構建簡單但功能強大的工具範例: PVCWatch 本文件將聚焦在介紹如何使用Java程式語言的客戶端。為了說明這些客戶端框架的用法，我們將創建一個簡單的CLI工具這個工具PVCWatch會監視與計算K8S群集中PVC (Persistent Volume Claim)的使用總量, 並檢查它是否達到指定閥值當總量達到閥值時，它會採取一個動作（在這個例子中，會在console上打印出一個簡單的通知） Youtube: https://youtu.be/EJr_NWzZdKc Github: https://github.com/erhwenkuo/k8s-client-java-examples

How we scale DroneCi on demand

Patrick Jahns

We are sharing our process of migrating to the container based DroneCI platform and our lessons learned when scaling it up for an active open source project like ownCloud. Our journey started with a static legacy CI system, which was gradually replaced with, at first, a static DroneCI infrastructure. Over the course of half a year, we further more migrated to a cloud provider in order to dynamically scale the CI system based on the build volume. The lessons learned during this journey, were transformed and contributed to the DroneCI project and resulted in the DroneCI autoscaler - which allows for automatic scaling of infrastructure resources with common cloud providers.

Kubernetes Security

inovex GmbH

Kubernetes is more or less one of the biggest players when it comes to Container orchestration. Since Kubernetes 1.7 RBAC (Role Based Access Control) is the default for the authorisation of actions in you cluster. There are many other components, like Pod Security Policies, Network Policies, Admisstion Controllers, that allows you to secure your Kubernetes cluster. In this talk I will show you how these things can work together and which problem these components try to solve. Also I will show you an overview how other tools like Vault can fit into the Kubernetes ecosystem to make you platform more secure. Event: DevFest Karlsruhe, 09.12.2017 Speaker: Johannes M. Scheuermann Weitere Tech-Vorträge: https://www.inovex.de/de/content-pool/vortraege/ Weitere Tech-Artikel: https://www.inovex.de/blog/

Metal³ – Metal Kubed, Bare Metal Provisioning for Kubernetes | Kim Bảo Long

Vietnam Open Infrastructure User Group

HLayer / Kubernetes for CI/CD

Aymen EL Amri

Cncf explore k8s_api_go

Erhwen Kuo

透過K8S的API來設計工具或應用程式 (Go版本) Kubernetes是一個強大的平台，您可以創建各種工具來跟Kubernetes結合。更幸運的是，在針對Kubernetes API進行程式開發時， Kubernetes提供了很多不同語言的client框架來使用。本範示使用Kubernetes的Go client, 展示了Kubernetes作為平台的可擴展性。雖然此處介紹的概念可以應用於任何可以訪問Kubernetes API的語言，但這個程式碼範例集中在Go語言上。 Youtube: https://youtu.be/L-iFa-RcyNI

Kubernetes on OpenStack @eBay

Sriram Subramanian

為了能夠讓使用者能夠順利的存取到 kubernetes 眾多運行的 Pods, kubernetes 花了很大把的精力在網路架構與使用這方面，之前已經詳細介紹過 Kubernetes Service 的用法以及原理。這篇要來跟大家介紹另外一個相輔相成且好用的概念，也就是所謂的 Ingress。透過 Ingress 我們能夠提供一些更方便的伺服器存取，不論是基於 URL 的存取導向，亦或是簡化整個 SSL 憑證部署的方式。本文主要從 Ingress 的基本概念出發，介紹其基本架構並且從最常用的 Ingress Nginx 作為Ingress controller來介紹實際上Ingress是如何運作的。 Youtube: https://youtu.be/AagmJwWwvps

Metaswitch Project Calico

Andrew Kennedy

Node.js and Containers Go Together Like Peanut Butter and Jelly

Ross Kukulinski

Slides from Ross Kukulinski's (@rosskukulinski) presentation at Node Interactive Europe in September 2016. In this presentation, Ross Kukulinski, a Nodejs Evangelist and container enthusiast, will discuss why Node.js has become a popular choice in microservices-oriented, containerized dynamic environments. He will discuss how to get started with Node.js, Docker and Kubernetes and what pitfalls often occur when starting and how to avoid them.

Kubernetes Meetup: CNI, Flex Volume, and Scheduler

Katie Crimi

Want to deploy containers on your data center network with persistent storage? Kubernetes is a highly extensible container management system with support for many networking and storage technologies. Open-source contributor Chakri Nelluri will explain FlexVolume, an upstream Kubernetes API for pluggable storage providers, plus scheduler and Container Network Interface (CNI) plugins. Chakri will demonstrate pod deployment with standard Docker images on a Diamanti appliance. Bring your questions about Kubernetes, Docker, networking, and persistent storage and network with your peers Diamanti brings to market the first appliance purpose-built for containerized applications that combines the ease of hyperconverged infrastructure with the unparalleled performance and efficiency of bare-metal containers. Diamanti accelerates time-to-market, guarantees real-time service levels, and consolidates containers with 90% utilization. Dev done fast. Ops done right.™

Luigi Hostplumber intro slide.pptx (1).pdf

LibbySchulze

Kubernetes security and you

Karthik Gaekwad

Keystone at openstack multi sites

Vietnam Open Infrastructure User Group

Kubernetes scheduling and QoS

Cloud Technology Experts

Kubernetes Day 2017 - Build, Ship and Run Your APP, Production !!

smalltown

Sysdig monitor - a brief introduction

Daniel Kerwin

Monitoring mayhem - Using Prometheus

Brian Christner

Why kubernetes

Jorge Arteiro

Vault Agent and Vault 0.11 features

Mitchell Pronschinske

CGSpace technical overview

ILRI

Cncf k8s_network_02

Erhwen Kuo

Kubernetes Pod 是有生命週期的，它們可以被創建，也可以被銷毀，然而一旦被銷毀生命就永遠結束。通過 ReplicaSets 能夠動態地創建和銷毀 Pod（例如，需要進行擴縮容，或者執行滾動升級）。每個 Pod 都會獲取它自己的 IP 地址，即使這些 IP 地址不總是穩定可依賴的。這會導致一個問題：在 Kubernetes 集群中，如果一組 Pod（稱為 backend）為其它 Pod （稱為 frontend）提供服務，那麼那些 frontend 該如何發現，並連接到這組 Pod 中的哪些 backend 呢？ Kubernetes Service 定義了這樣一種抽象：邏輯上的一組 Pod，一種可以訪問它們的策略。這一組 Pod 能夠被 Service 訪問到，通常是通過 Label Selector實現的。

Architecture of Cisco Container Platform: A new Enterprise Multi-Cloud Kubern...

Sanjeev Rampal

Introduction to the architecture of Cisco Container Platform. This is a new offering from Cisco and is an enterprise grade Multi-Cloud Kubernetes based Container platform.. The presentation covers overall architecture, internal details on networking storage, operations and automation as well as multi-cloud features including the use of this platform alongwith hosted Kubernetes offerings from AWS (EKS) and Google (GKE)

ELK Ruminating on Logs (Zendcon 2016)

Mathew Beane

We're talking about serious log crunching and intelligence gathering with Elastic, Logstash, and Kibana. ELK is an end-to-end stack for gathering structured and unstructured data from servers. It delivers insights in real time using the Kibana dashboard giving unprecedented horizontal visibility. The visualization and search tools will make your day-to-day hunting a breeze. During this brief walkthrough of the setup, configuration, and use of the toolset, we will show you how to find the trees from the forest in today's modern cloud environments and beyond.

What's hot

end-to-end-encryption-enroute-linkerd (1).pdf

LibbySchulze

Kubermatic CNCF Webinar - start.kubermatic.pdf

LibbySchulze

Persistent Data Storage for Docker Containers by Andre Moruga

Docker, Inc.

Docker Advanced registry usage

Docker, Inc.

CNCF explore k8s_api

Erhwen Kuo

Cncf k8s_network_03 (Ingress introduction)

Erhwen Kuo

Metaswitch Project Calico

Andrew Kennedy

Node.js and Containers Go Together Like Peanut Butter and Jelly

Ross Kukulinski

Kubernetes Meetup: CNI, Flex Volume, and Scheduler

Katie Crimi

Luigi Hostplumber intro slide.pptx (1).pdf

LibbySchulze

Kubernetes security and you

Karthik Gaekwad

Keystone at openstack multi sites

Vietnam Open Infrastructure User Group

Kubernetes scheduling and QoS

Cloud Technology Experts

Kubernetes Day 2017 - Build, Ship and Run Your APP, Production !!

smalltown

Sysdig monitor - a brief introduction

Daniel Kerwin

Monitoring mayhem - Using Prometheus

Brian Christner

Why kubernetes

Jorge Arteiro

Vault Agent and Vault 0.11 features

Mitchell Pronschinske

CGSpace technical overview

ILRI

Cncf k8s_network_02

Erhwen Kuo

What's hot (20)

end-to-end-encryption-enroute-linkerd (1).pdf

Kubermatic CNCF Webinar - start.kubermatic.pdf

Persistent Data Storage for Docker Containers by Andre Moruga

Docker Advanced registry usage

CNCF explore k8s_api

Cncf k8s_network_03 (Ingress introduction)

Metaswitch Project Calico

Node.js and Containers Go Together Like Peanut Butter and Jelly

Kubernetes Meetup: CNI, Flex Volume, and Scheduler

Luigi Hostplumber intro slide.pptx (1).pdf

Kubernetes security and you

Keystone at openstack multi sites

Kubernetes scheduling and QoS

Kubernetes Day 2017 - Build, Ship and Run Your APP, Production !!

Sysdig monitor - a brief introduction

Monitoring mayhem - Using Prometheus

Why kubernetes

Vault Agent and Vault 0.11 features

CGSpace technical overview

Cncf k8s_network_02

Similar to Altitude San Francisco 2018: Bringing TLS to GitHub Pages

Architecture of Cisco Container Platform: A new Enterprise Multi-Cloud Kubern...

Sanjeev Rampal

ELK Ruminating on Logs (Zendcon 2016)

Mathew Beane

An Introduction to Kube-Lego

Matthew Barker

DevNexus 2015: Kubernetes & Container Engine

Kit Merker

KubeCon 2022 EU Flux Security.pdf

Weaveworks

In this session Stefan will go deep into the security aspects of Flux v2. We’ll start by explaining the Flux authorization model and how it relates to Kubernetes RBAC and account impersonation. Then we’ll compare the soft and hard multitenancy models from a GitOps perspective. We’ll explore the configuration options on how platform admins can lockdown Flux on multitenant environments and how they can onboard tenants onto clusters using the Flux CLI and Git. Finally we’ll talk about the Flux roadmap for 2022.

Fun with Kubernetes and Payara Micro 5

Payara

Drone CI - Container native continuous Integration / Delivery

Patrick Jahns

Clocker - The Docker Cloud Maker

Andrew Kennedy

Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...

Codemotion

CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T

ShapeBlue

The AT&T team recently embarked on a journey with CloudStack and has since deployed a solution which encompasses multiple data-centers. This talk focuses on how they are using open source tools like CloudStack, FreeIPA, and Metal as a Service (MaaS) to support KVM-based VM provisioning at an enterprise scale within a GitOps model. ----------------------------------------- The CloudStack Collaboration Conference 2023 took place on 23-24th November. The conference, arranged by a group of volunteers from the Apache CloudStack Community, took place in the voco hotel, in Porte de Clichy, Paris. It hosted over 350 attendees, with 47 speakers holding technical talks, user stories, new features and integrations presentations and more.

2019-06 - Goto Amsterdam - Microservices

Eamonn Boyle

Tectonic Summit 2016: Multi-Cluster Kubernetes: Planning for Unknowns

CoreOS

Clocker: Managing Container Networking and Placement

Docker, Inc.

This talk introduces Clocker and shows how to bootstrap a Docker Cloud that is responsive and scalable, across a dynamic cluster of hosts and cloud providers. Clocker is an Apache licensed open source project that demonstrates intelligent placement, on-demand provisioning and autonomic management of containers using Apache Brooklyn as the central nervous system. The Clocker stack enhances the standard Docker installation using best practices for configuration and integrates Weave networking capabilities plus Apache jclouds for provisioning on any infrastructure. We will show how to use Clocker to deploy, monitor and scale complex applications defined using Brooklyn blueprints across a network of Docker containers in the cloud.

Metal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup

Laure Vergeron

Sebastien goasguen cloud stack the next year

ShapeBlue

Kubernetes – An open platform for container orchestration

inovex GmbH

Portable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins

Kublr

How to establish Kubernetes as your infrastructure for a truly cloud native environment for optimal productivity and cost. Using Kublr for infrastructure as code approach for fast, reliable and inexpensive production-ready DevOps environment setup bringing together a combination of technologies - Kubernetes; AWS Mixed Instance Policies, Spot Instances and availability zones; AWS EFS; Nexus and Jenkins. Best practices based on open source tools such as Nexus and Jenkins. How to tackle build process dilemmas and difficulties including managing dependencies, hermetic builds and build scripts.

DevOpsDays Houston 2019 - Terry Shea - Centralizing Kubernetes Operations

DevOpsDays Houston

Best Practices with Azure Kubernetes Services

QAware GmbH

Cloud Native Night November 2018, Munich: Talk by Jose Moreno (Microsoft). Join our Meetup: www.meetup.com/cloud-native-muc Abstract: Three commands to deploy a Kubernetes Cluster to Azure! Well, but is the cluster secure? How to perform capacity management? What happens in case of a data center disaster? In this session we'll explore capabilities of the Azure Kubernetes Service and acs-engine to address these requirements.

Re:invent 2016 Container Scheduling, Execution and AWS Integration

aspyker

Members from over all over the world streamed over forty-two billion hours of Netflix content last year. Various Netflix batch jobs and an increasing number of service applications use containers for their processing. In this session, Netflix presents a deep dive on the motivations and the technology powering container deployment on top of Amazon Web Services. The session covers our approach to resource management and scheduling with the open source Fenzo library, along with details of how we integrate Docker and Netflix container scheduling running on AWS. We cover the approach we have taken to deliver AWS platform features to containers such as IAM roles, VPCs, security groups, metadata proxies, and user data. We want to take advantage of native AWS container resource management using Amazon ECS to reduce operational responsibilities. We are delivering these integrations in collaboration with the Amazon ECS engineering team. The session also shares some of the results so far, and lessons learned throughout our implementation and operations.

Similar to Altitude San Francisco 2018: Bringing TLS to GitHub Pages (20)

Architecture of Cisco Container Platform: A new Enterprise Multi-Cloud Kubern...

ELK Ruminating on Logs (Zendcon 2016)

An Introduction to Kube-Lego

DevNexus 2015: Kubernetes & Container Engine

KubeCon 2022 EU Flux Security.pdf

Fun with Kubernetes and Payara Micro 5

Drone CI - Container native continuous Integration / Delivery

Clocker - The Docker Cloud Maker

Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...

CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T

2019-06 - Goto Amsterdam - Microservices

Tectonic Summit 2016: Multi-Cluster Kubernetes: Planning for Unknowns

Clocker: Managing Container Networking and Placement

Metal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup

Sebastien goasguen cloud stack the next year

Kubernetes – An open platform for container orchestration

Portable CI/CD Environment as Code with Kubernetes, Kublr and Jenkins

DevOpsDays Houston 2019 - Terry Shea - Centralizing Kubernetes Operations

Best Practices with Azure Kubernetes Services

Re:invent 2016 Container Scheduling, Execution and AWS Integration

More from Fastly

Revisiting HTTP/2

Altitude San Francisco 2018: Bringing TLS to GitHub Pages

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Altitude San Francisco 2018: Bringing TLS to GitHub Pages

Similar to Altitude San Francisco 2018: Bringing TLS to GitHub Pages (20)

More from Fastly

More from Fastly (20)

Recently uploaded

Recently uploaded (20)

Altitude San Francisco 2018: Bringing TLS to GitHub Pages