How do you manage the distribution of internal TLS network certificates? I’m using cert-manager to generate them, but the root self-signed certificate expires monthly which makes distribution to devices outside of K8s a challenge. It’s a PITA to keep doing this for the tablet, laptop and phones. I can bump the root cert to a year, but I’m concerned that the date will sneak up on me. Are there any automated solutions?
Use a secret manager?
A cert is a secret: add a small agent to your containers that pings your secret manager and gets back the current cert, then saves / imports it (or whatever is appropriate).
Bump the root cert to 10 years and use an intermediate with a shorter lifetime. The root cert should be stored and processed off net.
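
The layout suggested in the last reply (a 10-year root kept offline, signing a shorter-lived intermediate), sketched with openssl as an added example that is not part of the thread. The subject names, the 90-day intermediate lifetime, the key sizes, the file names and the helper names (`make_pki`, `chain_ok`, `expires_within`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed names and lifetimes): 10-year root + 90-day intermediate.
set -eu

make_pki() {  # make_pki <dir>: run on the offline machine that keeps root.key
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Root: self-signed, 10 years. This is the only cert devices need to trust.
  # -nodes keeps the demo non-interactive; encrypt the real root key.
  openssl req -x509 -config "$1/ca.cnf" -extensions v3_root -newkey rsa:3072 \
    -nodes -sha256 -days 3650 -subj "/CN=Example Root CA" \
    -keyout "$1/root.key" -out "$1/root.crt"
  # Intermediate: key + CSR, then signed by the root for 90 days.
  openssl req -new -config "$1/ca.cnf" -newkey rsa:3072 -nodes \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$1/int.key" -out "$1/int.csr"
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$1/ca.cnf" -extensions v3_int \
    -out "$1/int.crt"
}

chain_ok() {  # chain_ok <dir>: does the intermediate verify against the root?
  openssl verify -CAfile "$1/root.crt" "$1/int.crt" >/dev/null
}

expires_within() {  # expires_within <cert> <days>: true if it expires in that window
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

demo=$(mktemp -d)   # throwaway directory for the demonstration
make_pki "$demo"
chain_ok "$demo" && echo "chain verifies"
if expires_within "$demo/int.crt" 120; then echo "intermediate due for renewal"; fi
if expires_within "$demo/root.crt" 365; then echo "root due for re-distribution"; fi
```

Only `int.crt` and `int.key` need to go to the cluster (for instance as the secret behind a cert-manager CA issuer), while the tablet, laptop and phones import `root.crt` once; running `expires_within` from a scheduled job gives advance notice before either certificate lapses.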


