Closed xinbinhuang closed 2 years ago
Hi @xinbinhuang, you can do a couple of things to fix that error. You can add localhost or 127.0.0.1 to inject.config.files["ca.json"].dnsNames so the CA certificate includes localhost as a valid name, or alternatively you can add an entry to the /etc/hosts file like
127.0.0.1 <release-name>.<namespace>.svc.cluster.local
I recommend the first option.
Thank you! It seems that I made the mistake of thinking that "localhost" and "127.0.0.1" are equal from step-ca's perspective, when they are not. So I added both to dnsNames, and now I can resolve to either.
Here are more details on reproducing the original issue, in case someone stumbles on this in the future:
# port forward pod
kubectl port-forward pod/<step-certificates-pod-name> 9000:9000
# bootstrap local configs and certs
step ca bootstrap ...
# this works
step ca provisioner list --ca-url 127.0.0.1:9000
> [ ... ]
# this doesn't work
step ca provisioner list --ca-url localhost:9000
> error getting the provisioners: client GET https://localhost:9000/provisioners?limit=100 failed: Get "https://localhost:9000/provisioners?limit=100": x509: certificate is valid for <...>.svc.cluster.local, not localhost
X509 certificates distinguish IPs and DNS names; you can add any of them, and depending on what they are, we add them as a DNS or an IP subject alternative name.
Hi, I've deployed the CA to a k8s cluster without LoadBalancer/Ingress. Is there a way to connect to the CA via kube port-forward locally? I'm repeatedly hitting unexpected EOF or tcp: x509: certificate is valid for <release-name>.<namespace>.svc.cluster.local, not localhost