What is the best way to handle an expiring certificate authority?

So far, the best solution I've found:
  • manually store the CA bundle in a vault, such as Azure Key Vault or HashiCorp Vault
  • configure the External Secrets addon to read from that vault and write the bundle into a Kubernetes Secret
  • mount the CA bundle as a volume, from the Secret that External Secrets maintains, in each pod that needs it
Now when the CA certificate expires you only have to update the bundle in a single place, the vault: External Secrets pushes the new bundle into the Secret, and the pods are restarted so they pick it up (in my setup Argo CD takes care of the restart once the Secret updates).
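What the three steps look like as manifests for HashiCorp Vault, as an added example that is not from the original post. Everything named here is assumed for illustration: the namespace `platform`, a Vault server at `https://vault.example.internal` with a KV v2 mount `secret`, an entry `pki/ca-bundle` whose field `ca.crt` holds the PEM bundle, a Kubernetes-auth role and service account both called `ca-bundle-reader`, the External Secrets `v1beta1` API, and the application image.

```yaml
# Added example, not the original post's configuration. All names below are assumptions.
# 1) SecretStore: how External Secrets authenticates to Vault and which KV mount it reads.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-kv
  namespace: platform
spec:
  provider:
    vault:
      server: "https://vault.example.internal"   # assumed Vault address
      path: "secret"                             # KV mount point, not the key path
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"                # Vault auth method mount
          role: "ca-bundle-reader"               # assumed Vault role, read-only on pki/ca-bundle
          serviceAccountRef:
            name: "ca-bundle-reader"             # assumed ServiceAccount in this namespace
---
# 2) ExternalSecret: copies the bundle from Vault into a plain Kubernetes Secret.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ca-bundle
  namespace: platform
spec:
  refreshInterval: 1h          # upper bound on how long a rotated bundle takes to reach the cluster
  secretStoreRef:
    name: vault-kv
    kind: SecretStore
  target:
    name: ca-bundle            # the Secret pods will mount
    creationPolicy: Owner      # ESO owns the Secret; deleting the ExternalSecret removes it
  data:
    - secretKey: ca.crt        # key inside the Kubernetes Secret
      remoteRef:
        key: pki/ca-bundle     # assumed path under the "secret" KV mount
        property: ca.crt       # assumed field inside that KV entry
---
# 3) Workload: mount the Secret as a directory and point TLS clients at the file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: platform
spec:
  replicas: 2
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          image: registry.example.internal/app:1.0   # assumed image
          env:
            # OpenSSL-based clients and Go's crypto/x509 honour SSL_CERT_FILE;
            # a JVM needs the bundle imported into a truststore instead.
            - name: SSL_CERT_FILE
              value: /etc/ssl/private-ca/ca.crt
          volumeMounts:
            - name: ca-bundle
              mountPath: /etc/ssl/private-ca
              readOnly: true
              # Deliberately no subPath: the kubelet never refreshes subPath mounts,
              # so a rotated bundle would only arrive after a pod restart.
      volumes:
        - name: ca-bundle
          secret:
            secretName: ca-bundle
```

The first step from the list, putting the bundle into Vault, is then a single `vault kv put -mount=secret pki/ca-bundle ca.crt=@ca-bundle.pem`, and rotation is re-running that command with the new file. Two caveats a practitioner should check: External Secrets only syncs on its `refreshInterval`, so either keep it short or force a sync (for example by annotating the ExternalSecret) after a rotation; and a process that parsed the bundle once at startup will keep using the old copy even after the kubelet has refreshed the volume, so the restart step matters. Argo CD by itself syncs the manifests it manages and does not watch a Secret written by External Secrets, so if restarts should follow the Secret automatically, something that watches Secrets is needed, such as Stakater's Reloader with a `reloader.stakater.com/auto: "true"` annotation on the Deployment.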

If anyone has a better idea feel free to share.

Posted in Infrastructure, Kubernetes.
