How do you manage the distribution of internal TLS network certificates? I’m using cert-manager to generate them, but the root self-signed certificate expires monthly which makes distribution to devices outside of K8s a challenge. It’s a PITA to keep doing this for the tablet, laptop and phones. I can bump the root cert to a year, but I’m concerned that the date will sneak up on me. Are there any automated solutions?

  • r0ertel@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    30 days ago

    Yes, monthly is too fast. I’m using a K8s operator for cert-manager which defaults to a month. I think I can patch the CSV with an annotation that will bump that out, but when the operator updates the CSV then I need to repatch it.

    I was polling the community to see if there’s something that is easy to use but I was not able to find in my searches. It seems like a common problem.

    Part of my problem is that I chose to use a K8s operator for cert-manager which isn’t easy to configure. Had I used a helm chart, i’d have bumped the root cert to 10 years and forgotten about it.

    • johntash@eviltoast.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      30 days ago

      If the operator doesn’t allow it for some reason, uninstall it and try with the helm chart instead?

      Or is there a reason to use the operator?