Running Private Certificate Authorities in Clusters
December 1, 2019
When operating web-based systems, one of the foremost concerns is how to protect users’ web traffic. Often, now, the first suggestion is to use Let’s Encrypt’s certificates, which can be obtained free of cost from a public certificate authority and automated using the (soon to be standardized?) ACME protocol (RFC 8555). However, some may desire to free themselves from external dependencies they do not control (recently, it actually occurred to some that cloud operations come with their own set of unique and exciting problems; cf. Kleppmann et al. and Adrian Colyer’s entertaining commentary for further inspiration), or operate in environments where the ACME HTTP-01 method is not feasible and where putting entire DNS zones under the control of third-party software, as ACME DNS-01 requires, is undesirable.
Then, Hashicorp’s Vault lends itself naturally to implementing an in-house certificate authority, and while certificates may be obtained and rotated with a few lines of curl, leveraging Jetstack’s cert-manager utility in a system run by the Kubernetes container orchestrator leads to tangible results surprisingly fast.
NOTICLME 08jun19 1520Z
June 8, 2019
Notices to Cloudmen
June 8, 2019
Recently, it has been brought to our attention that a disconcerting number of vintage-trained computerists partake in aviation on highly powered modern cloud computing systems without properly upgrading training & licences. Lately, even uneducated members of the general public, completely devoid of any training, have been reported to participate in such activities,
To mitigate the most immediate dangers on such cloud flights, KOE TWR will publish current issues with Cloud Software as Notices to Cloudmen (NOTICLME) until a technical resolution with GA quality has been reached.
Members of the aviation guilds may submit notices for consideration over the usual channels.
DevOps Essentials '19
June 8, 2019
Many thanks to the organizers and participants of DevOps Essentials ‘19 in Darmstadt. It was a great event and I really enjoyed spending the time there with you. As promised, the slides are available here and here.
The code examples, where they were not discussed in the script, remain available at github.com/cruwe/devopsessentials19. I am grateful for the first PR correcting my fat fingers and would welcome further ones should I have written nonsense elsewhere as well.
See you around!
Hashicorp's Vault and Provisioning
November 18, 2018
More often than not, automation modules from third parties greatly enhance operator productivity, but at the same time prevent gaining a proper understanding of a matter. For a deep dive, I regularly propose to switch to a shell (even the tcsh) and just mill through it.