# voxpupuli
- v
VoxBot
04/11/2023, 5:08 PMit would be interesting if you could use JQ style queries on JSON - v
VoxBot
04/11/2023, 5:10 PMjq or jmespath would be cool, yeah - v
VoxBot
04/11/2023, 6:02 PMi all i wonder if i can get some input on https://github.com/voxpupuli/puppet-dnsquery/pull/131 - v
VoxBot
04/11/2023, 6:03 PMoh, a new release of semantic_puppet, I've been waiting for that for a while :) - v
VoxBot
04/11/2023, 6:15 PMnice - v
VoxBot
04/11/2023, 6:15 PMjbond: done - v
VoxBot
04/11/2023, 6:15 PMewoud: you probably dont want to keep maintaining the rsync module within vox pupuli? - v
VoxBot
04/11/2023, 6:15 PMbastelfreak: awesome thanks - v
VoxBot
04/12/2023, 9:23 AMbastelfreak: not sure, we use it in our Foreman infra so perhaps - v
VoxBot
04/12/2023, 11:19 AMand now I'm hit by the ensure_packages() present → installed change - v
VoxBot
04/12/2023, 11:19 AMI'll say I completely underestimated how painful that was - v
VoxBot
04/12/2023, 11:23 AMI'm now wondering if defined_with_params() should be enhanced to understand aliases - v
VoxBot
04/12/2023, 11:26 AMewoud: would that help? https://github.com/puppetlabs/puppetlabs-stdlib/pull/1300 - v
VoxBot
04/12/2023, 11:27 AMthat special cases it, but I was suggesting to solve it at a deeper level - r
Robert Waffen
04/12/2023, 11:28 AM@Ananace what is the _aggregator_ca._ so in puppet-k8s wie have the k8s-ca, the ectd-ca and a third one? - v
VoxBot
04/12/2023, 11:28 AMThe aggregator CA is used for API service proxies, things like the metrics server API - r
Robert Waffen
04/12/2023, 11:30 AMthis "front-proxy" which is also in the code? i dont know this part. in the other k8s examples this cert stuff is a bit simpler 😅 - v
VoxBot
04/12/2023, 11:31 AMThe front-proxy is what's used for requestheader auth, which is for internal user impersonation inside the cluster - so that an internal service can act as separate users - v
VoxBot
04/12/2023, 11:31 AMYou can theoretically skip the aggregator CA, but your cluster will lose functionality, and be much harder to scale to multi-master - r
Robert Waffen
04/12/2023, 11:33 AMis there a concept overview or and wiki/blog/article about how this whole setup with how the certs are done? because each answer from you raises more questions. and i dont think i have understood it at all 😞 - v
VoxBot
04/12/2023, 11:35 AMhttps://kubernetes.io/docs/reference/access-authn-authz/authentication is probably the best source of information - v
VoxBot
04/12/2023, 11:36 AMBasically; The main CA is for certificates that authorize for a single user with their groups, the aggregator CA is for certificates that authorize for any user/group - v
VoxBot
04/12/2023, 11:37 AMSo that you can defer authentication/authorization, or support impersonation - r
Robert Waffen
04/12/2023, 11:38 AMokay think have to read the link first. from what i know from kubernetes the hard way, this setup here is much more complex. i triead to match it somehow, but it did not compute for me confusedparrot - v
VoxBot
04/12/2023, 11:40 AMYou can skip the aggregator CA in some simpler setups, it's not a strictly required component in order to start a cluster up. It's not even strictly a required component for scaling a cluster, it just helps. - v
VoxBot
04/12/2023, 11:41 AMSame as with using serving certs and bootstrap tokens, not strictly required, but it makes scaling a lot easier. - r
Robert Waffen
04/12/2023, 11:43 AMokay, so then i got confused from you code snipped yesterday on how to deploy the keys/certs - r
Robert Waffen
04/12/2023, 11:44 AMwill check in my local setup which certs are minimum needed - v
VoxBot
04/12/2023, 11:46 AMWith the k8s module, it will always create the full complement of CAs and certs, since it results in a more robust result