kubernetes

infra

kubernetes

Fork 0

Commit Graph

Author	SHA1	Message	Date
Dustin	3ba83373f3	step-ca: Re-deploy (again) with DCH CA R2 Although most libraries support ED25519 signatures for X.509 certificates, Firefox does not. This means that any certificate signed by DCH CA R3 cannot be verified by the browser and thus will always present a certificate error. I want to migrate internal services that do not need certificates that are trusted by default (i.e. they are only accessed programatically or only I use them in the browser) back to using an internal CA instead of the public pyrocufflink.net wildcard certificate. For applications like Frigate and UniFi Network, these need to be signed by a CA that the browser will trust, so the ED25519 certificate is inappropriate. Thus, I've decided to migrate back to DCH CA R2, which uses an EdDSA signature, and can therefore be trusted by Firefox, etc.	2024-04-05 13:03:34 -05:00
Dustin	d08cc6fb0f	step-ca: Redeploy with DCH CA R3 I never ended up using _Step CA_ for anything, since I was initially focused on the SSH CA feature and I was unhappy with how it worked (which led me to write _SSHCA_). I didn't think about it much until I was working on deploying Grafana Loki. For that project, I wanted to use a certificate signed by a private CA instead of the wildcard certificate for _pyrocufflink.blue_. So, I created DCH CA R3 for that purpose. Then, for some reason, I used the exact same procedure to fetch the certificate from Kubernetes as I had set up for the _pyrocufflink.blue_ wildcard certificate, as used by Frigate. This of course defeated the purpose, since I could have just as easily used the wildcard certificate in that case. When I discovered that Grafana Loki expects to be deployed behind a reverse proxy in order to implement access control, I took the opportunity to reevaluate the certificate issuance process. Since a reverse proxy is required to implement the access control I want (anyone can push logs but only authenticated users can query them), it made sense to choose one with native support for requesting certificates via ACME. This would eliminate the need for `fetchcert` and the corresponding Kubernetes API token. Thus, I ended up deciding to redeploy _Step CA_ with the new _DCH CA R3_ for this purpose.	2024-02-22 07:10:01 -06:00

Author

SHA1

Message

Date

Dustin

3ba83373f3

step-ca: Re-deploy (again) with DCH CA R2

Although most libraries support ED25519 signatures for X.509
certificates, Firefox does not.  This means that any certificate signed
by DCH CA R3 cannot be verified by the browser and thus will always
present a certificate error.

I want to migrate internal services that do not need certificates
that are trusted by default (i.e. they are only accessed programatically
or only I use them in the browser) back to using an internal CA instead
of the public *pyrocufflink.net* wildcard certificate.  For applications
like Frigate and UniFi Network, these need to be signed by a CA that
the browser will trust, so the ED25519 certificate is inappropriate.
Thus, I've decided to migrate back to DCH CA R2, which uses an EdDSA
signature, and can therefore be trusted by Firefox, etc.

2024-04-05 13:03:34 -05:00

Dustin

d08cc6fb0f

step-ca: Redeploy with DCH CA R3

I never ended up using _Step CA_ for anything, since I was initially
focused on the SSH CA feature and I was unhappy with how it worked
(which led me to write _SSHCA_).  I didn't think about it much until I
was working on deploying Grafana Loki.  For that project, I wanted to
use a certificate signed by a private CA instead of the wildcard
certificate for _pyrocufflink.blue_.  So, I created *DCH CA R3* for that
purpose.  Then, for some reason, I used the exact same procedure to
fetch the certificate from Kubernetes as I had set up for the
_pyrocufflink.blue_ wildcard certificate, as used by Frigate.  This of
course defeated the purpose, since I could have just as easily used
the wildcard certificate in that case.

When I discovered that Grafana Loki expects to be deployed behind a
reverse proxy in order to implement access control, I took the
opportunity to reevaluate the certificate issuance process.  Since a
reverse proxy is required to implement the access control I want (anyone
can push logs but only authenticated users can query them), it made
sense to choose one with native support for requesting certificates via
ACME.  This would eliminate the need for `fetchcert` and the
corresponding Kubernetes API token.  Thus, I ended up deciding to
redeploy _Step CA_ with the new _DCH CA R3_ for this purpose.

2024-02-22 07:10:01 -06:00

2 Commits (e1d9833e837e1c37a399344f5d8ef2e6527210d4)