Airbnb announced that it open-sourced Ottr, a serverless public key infrastructure framework developed in-house. Ottr handles end-to-end certificate rotations without the use of an agent. Ottr's primary design goal is to be a scalable and configurable serverless framework on AWS with little operational overhead or reliance on enrollment protocols.
Kenneth Yang, a security engineer at Airbnb, details some of the benefits that Ottr provides Airbnb:
We've seen returns on investment due to time saved and reduced operational overhead for engineering teams. Since the introduction of Ottr at the beginning of the year, thousands of certificate rotations have been performed without any human intervention. This has alleviated a pain point for multiple teams including Operations, which was responsible for monitoring and triaging tickets for expired certificates, Engineering which was responsible for the manual certificate rotation process, and Security which was involved in request approvals.
Public Key Infrastructure (PKI) governs the issuance of digital certificates to ensure secure end-to-end communication. Certificate Authorities (CA) are responsible for brokering these X.509 certificates and own the policies, practices, and procedures for vetting recipients and the issuing process. The standard method for issuing a certificate for an endpoint typically involves manual steps: generating a Certificate Signing Request (CSR), sending the request to the CA, and later installing the received certificate. The following diagram depicts this process.
Airbnb developed Ottr to scale this process without requiring manual intervention while still emphasizing security. Ottr is serverless, so there is no underlying infrastructure to manage. It is customizable and extensible to allow integration with additional platforms, and Airbnb's engineers built it to be scalable, secure, portable and automated. The following diagram illustrates the certificate issuance process that Ottr supports.
Airbnb built Ottr in a serverless manner from the ground up. An AWS Step Function processes a batch of device data in parallel and executes an ECS container for each host targeted for a certificate rotation. ECS pulls down a platform-specific image from Elastic Container Registry (ECR) based on the ECS Task Definition metadata element retrieved from the Step Function. The container, in turn, establishes a connection to the device, generates a public/private key pair and CSR on the device, and pulls only the CSR (not the private key) onto the container filesystem. It then sends the CSR to the CA (e.g., Let's Encrypt) to begin the certificate signing flow and proves control of the domain by updating the appropriate DNS records. When the process completes, it uploads the signed certificate to the device. The following diagram presents Ottr's architecture and the technologies involved.
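The two steps that both the manual process above and Ottr's container flow share are generating the key pair and CSR where the key will live, and deciding when a host is due for rotation. The script below is an added example written for this article, not Ottr's own code: it uses the openssl CLI to generate a P-256 key and CSR for a constructed hostname, verifies the CSR's self-signature the way a CA does before signing, and checks a certificate's remaining lifetime to decide whether to enqueue a rotation. A throwaway self-signed certificate stands in for the CA-issued one; the `WORKDIR`, hostnames and 30-day threshold are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not Ottr's code: the CSR and rotation-check steps from the
# text, scripted with the openssl CLI. Hostnames and paths are constructed.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# generate_csr HOST: create a P-256 key pair and a CSR whose CN and SAN are HOST.
# The private key stays in WORKDIR and only the CSR path is printed, mirroring
# the property that the key never leaves the device and only the CSR moves on.
generate_csr() {
    host="$1"
    cat > "$WORKDIR/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/$host.key"
    openssl req -new -key "$WORKDIR/$host.key" -config "$WORKDIR/$host.cnf" \
        -out "$WORKDIR/$host.csr" 2>/dev/null
    printf '%s\n' "$WORKDIR/$host.csr"
}

# verify_csr CSR: check the CSR's self-signature. A CA does this first because
# it proves the requester holds the private key matching the CSR's public key.
verify_csr() {
    if openssl req -in "$1" -noout -verify >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# csr_cn CSR: print the CN from the CSR subject; the sed pattern accepts both
# the "CN = x" and the older "/CN=x" output styles of openssl.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# self_signed_cert HOST DAYS: issue a throwaway self-signed certificate for HOST
# valid for DAYS days. It stands in for the CA-issued certificate in this demo;
# a real CA would sign the CSR instead.
self_signed_cert() {
    host="$1"
    days="$2"
    openssl req -x509 -new -key "$WORKDIR/$host.key" -config "$WORKDIR/$host.cnf" \
        -days "$days" -out "$WORKDIR/$host.crt" 2>/dev/null
    printf '%s\n' "$WORKDIR/$host.crt"
}

# needs_rotation CERT DAYS: print "yes" if CERT expires within DAYS days, else
# "no". This is the check a scheduled rotation job runs to pick hosts to enqueue.
needs_rotation() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# Demo run: one constructed host with a 10-day certificate and a 30-day threshold.
csr=$(generate_csr "host01.example.com")
echo "CSR for $(csr_cn "$csr"): signature $(verify_csr "$csr")"
crt=$(self_signed_cert "host01.example.com" 10)
echo "Rotate host01.example.com within 30 days? $(needs_rotation "$crt" 30)"
```

The key file is written only to `WORKDIR` and never read by anything but the local openssl calls; in Ottr's design the equivalent boundary is the device itself, with the container receiving the CSR alone. The `-checkend` test is what turns an expiry-ticket workflow into a scheduled job: a host whose certificate falls inside the window is queued for rotation before anyone has to notice it expired.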
Yang explains the motivation for open-sourcing Ottr:
Ottr was built to abstract a number of challenges associated with certificate provisioning while also providing additional benefits around operations and security. By open-sourcing Ottr, we hope to create a community to share, collaborate, and expand the framework to help fit the needs of other organizations.
Ottr is now available on GitHub under the Apache 2.0 license.