Mission: Trusted TLS everywhere! #2

Open · 9 tasks
JJGadgets opened this issue May 14, 2023 · 0 comments

JJGadgets commented May 14, 2023

To be clear, the threat to protect against here is network sniffing on the cluster network, which is highly unlikely compared to other attack vectors, but this is a HomeLab, who cares if it's overkill lol

  • Rook Ceph in-cluster RGW (S3 object storage), fix HTTPS
  • Fix external-proxy-x HAProxy ssl-verify (point to system trusted CA store, still having issues after that)
  • Database connections (e.g. Postgres) (Can Let's Encrypt and custom service hostnames be used?)
  • Ingress HTTP to service (easier to perform thanks to custom SNI in request)
  • Pod-to-pod (ambitious for non-critical workloads, must-have for infra-related or critical workloads like monitoring endpoints, Prom to app, etc.)
  • Find where to maintain CA in (HashiCorp Vault? OPNsense? YubiKey storage for root CA? Generate on YubiKey for true HSM "zero-trust", or generate on local and transfer to YubiKey for HA/redundancy?)
  • Cilium L7 inspection
  • Kubernetes components (apiServer etc)
  • mTLS Client Auth for Device Authorization (e.g. for services that require authentication but not identification)
JJGadgets self-assigned this May 14, 2023
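Most items on the checklist above come down to the same three client-side checks: trusting a private CA instead of (or in addition to) the system store, verifying that the name sent as SNI is actually in the server certificate's SANs, and, for the last item, requiring a CA-issued client certificate so the service can authorize a device without otherwise identifying it. The Go program below is an added example written for this page; it is not code from this repository or its author. It builds an in-memory root CA, starts an mTLS-only HTTPS service on loopback, and runs four client configurations against it, so the rejected cases can be seen without touching a real cluster. The hostname rgw.homelab.internal, the CN values and the time-based serial number are assumptions for the demo only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// must keeps the demo short: any certificate-generation failure is a bug, so it panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a short-lived P-256 certificate for cn plus any DNS SANs. With parent nil it is
// self-signed (the throwaway in-memory root CA); otherwise it is signed by the parent's key.
func newCert(cn string, dns []string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo shortcut, not how a real CA picks serials
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// probe performs one HTTPS GET with the given client TLS settings and returns the body,
// or the verification/handshake error that stopped it.
func probe(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunDemo stands up an mTLS-only service behind a private CA and tries four client configurations,
// returning the body the correct client got and the error each client hit (nil = service reached).
func RunDemo() (string, map[string]error) {
	const host = "rgw.homelab.internal" // assumed service name; clients verify this DNS SAN, not the IP
	ca := newCert("homelab-root", nil, true, nil)
	serverCert := newCert("rgw", []string{host}, false, &ca)
	clientCert := newCert("prometheus", nil, false, &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// RequireAndVerifyClientCert below guarantees a CA-verified peer certificate is present here.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // device authorization = holding a CA-issued cert
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()
	withCert := []tls.Certificate{clientCert}
	// The listener is on 127.0.0.1, so ServerName supplies both the SNI sent and the name verified.
	body, err := probe(srv.URL, &tls.Config{RootCAs: pool, ServerName: host, Certificates: withCert})
	errs := map[string]error{"trusted": err}
	_, errs["no-ca"] = probe(srv.URL, &tls.Config{ServerName: host, Certificates: withCert})
	_, errs["wrong-sni"] = probe(srv.URL, &tls.Config{RootCAs: pool, ServerName: "other." + host, Certificates: withCert})
	_, errs["no-client-cert"] = probe(srv.URL, &tls.Config{RootCAs: pool, ServerName: host})
	return body, errs
}

func main() {
	body, errs := RunDemo()
	fmt.Println(body, errs)
}
```

Only the "trusted" client gets a response; the other three are stopped in the handshake (unknown authority, SAN mismatch, missing client certificate). Those are the same three failures a correctly configured HAProxy backend (`verify required` with a `ca-file` and `verifyhost`) or a Prometheus scrape target with a CA, server name and client key pair configured should produce, and a proxy that "works" only after dropping one of them has silently lost that check.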