Even though everything mandates TLS in k8s/k3s there is no good answer to updating/rotating/distributing them??

Mon Nov 30 13:14:59 +0000 2020


Replying to @bboreham

looks too high level, i.e. more focused on application getting certs not the lower level infra bits.

Mon Nov 30 13:22:51 +0000 2020


Replying to @bradfitz

ugh :(

Mon Nov 30 13:27:18 +0000 2020


Replying to @GuerillaNerd

I need to restart k3s for that to work (at the correct time). Also does that magically update the kubelet’s cert (or my virtual kubelet thing?)

Mon Nov 30 14:31:54 +0000 2020


Replying to @tsaha

Oh!

Mon Nov 30 14:34:34 +0000 2020


Replying to @piper_jason and @bradfitz

I’d rather outsource this all to tailscale and use plain HTTP. But I can’t ’cause it’s all deeply embedded in client-go

Mon Nov 30 14:50:33 +0000 2020


Replying to @bradfitz and @piper_jason

hmm.... I got a nagging feeling that only solves half of my woes

Mon Nov 30 15:03:55 +0000 2020


Replying to @Itsuugo

that seems to operate above the infrastructure tooling

Mon Nov 30 15:44:31 +0000 2020