# SSHCA

[SSHCA][0] is an online Certificate Authority for SSH. It can automatically issue signed SSH certificates for hosts' public keys. Machines authenticate to the service using a JWT signed with their machine UUID, and the service validates the signature by looking up the UUID either in a local JSON document or by querying the libvirt API on one or more VM hosts. Certificates are only issued for hosts that authenticate successfully.

## Installation

```sh
kubectl apply -k sshca
```

## Configuration

SSHCA is configured by the `config.toml` file. It is stored as a Kubernetes ConfigMap and mounted into the server container. The configuration file is only read at startup, so the ConfigMap uses the name suffix hash feature of Kustomize: when the contents of the configuration file change, the name of the ConfigMap changes, which causes Kubernetes to restart the pod. Old ConfigMap resources are not deleted automatically and must be cleaned up by some other means (manually or e.g. by Argo CD).

The configuration file specifies the path to the private keys used for signing certificates. It also includes the list of libvirt hosts to check for machine UUIDs, as well as the path to a static file where additional machine UUIDs are provided.

Besides the main configuration file, SSHCA needs an additional ConfigMap that contains an `ssh_known_hosts` file. This file contains the public keys of the libvirt VM hosts, so that the service can securely connect to the libvirt API over SSH.

## Secrets

Several secrets are necessary for SSHCA to operate:

1. The private key used to issue SSH host certificates, and optionally a password to encrypt that key.
2. A JSON document containing a map of host names to machine UUIDs, in order to authenticate physical machines and other hosts that are not libvirt domains.
3. An SSH user private key for authenticating to the libvirt hosts for VM UUID lookups.
4. OCI registry credentials for pulling container images.

These secrets are stored encrypted as SealedSecret resources. The Bitnami Sealed Secrets controller decrypts them and manages regular Secret resources for them automatically.

[0]: https://git.pyrocufflink.net/dustin/sshca
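The authentication flow described at the top of this page, as an added illustration that is not SSHCA's own code: a client builds a JWT whose signature is keyed by its machine UUID, and the service verifies it by resolving the host name to a UUID and recomputing the signature. The JWT algorithm (HS256), the claim names (`sub`, `iat`, `exp`), the host-name-to-UUID map and the expiry window are all assumptions made for this example; the static map stands in for both the JSON document and the libvirt lookup that SSHCA actually performs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the JSON document mapping host names to machine
# UUIDs (in SSHCA this lookup may also go to the libvirt API on a VM host).
STATIC_HOSTS = {
    "example-host": "8d2c5f1e-0b3a-4c7d-9e6f-1a2b3c4d5e6f",
}


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def lookup_uuid(hostname: str, hosts: dict = STATIC_HOSTS):
    """Resolve a host name to its machine UUID, or None if unknown."""
    return hosts.get(hostname)


def issue_token(hostname: str, uuid: str, now=None, ttl: int = 300) -> str:
    """Client side (assumed format): HS256 JWT keyed by the machine UUID."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(
        json.dumps({"sub": hostname, "iat": now, "exp": now + ttl}).encode()
    )
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(uuid.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, lookup=lookup_uuid, now=None):
    """Service side: return the authenticated host name, or None on rejection.

    The UUID is resolved from the claimed host name *before* the signature is
    checked, so a token for an unknown host can never verify, and the MAC is
    compared in constant time.
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: "none" or any other value is rejected outright.
    if header.get("alg") != "HS256":
        return None
    hostname = payload.get("sub")
    if not isinstance(hostname, str):
        return None
    uuid = lookup(hostname)
    if uuid is None:
        return None  # no such host, nothing to verify against
    expected = hmac.new(uuid.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None  # expired (or missing expiry) tokens are refused
    return hostname


if __name__ == "__main__":
    tok = issue_token("example-host", STATIC_HOSTS["example-host"])
    print(verify_token(tok))
```

The order of checks matters: the host name is taken from the claims only to select a key, and nothing about the request is trusted until the HMAC over the exact header and payload bytes verifies with that key.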