Any gurus around?

I'm working in an environment with an internal self-issued CA (actually a root and two subordinate CAs), and trying to figure out the best (or least-bad) way to make those CAs available to pods running in various namespaces.

I eventually figured to use a DaemonSet to load the certs into /etc/ssl/certs/ on each node so that K8s will trust a private registry with a cert issued by the CAs.

But what about the other workload pods?

I don't really like the idea of creating a Secret *in every namespace* to hold the certs, though mounting those into pods would be trivial.

Mounting the /etc/ssl/certs hostPath (readOnly, scoped to that specific directory) into the pods seems like a more efficient approach... but hostPaths give me nightmares, even as a K8s novice.

Is there another reasonable option I'm missing?


I guess another option would be to maintain our own images with the cert chain built in and just deploy those out of the private registry.

Which was going to be my approach before I realized that it wouldn't work without somehow convincing the nodes to trust that registry. I then eventually figured out how to make that happen, but now I don't really want to maintain all those extra images just because.

Ugh, computers are dumb. Certificates are the worst.

Of course we're also standing up an automated CI/CD system as a part of this effort so really recreating our customized images on a regular basis wouldn't be much of a hurdle. I'm kind of thinking this is going to be The Way we go.
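For reference, here is one way to do the per-namespace mount the thread considers, as an added example that is not part of the original posts. It uses a ConfigMap rather than a Secret (CA certificates are public, so there is nothing to protect) and mounts the chain at its own path instead of over /etc/ssl/certs, so the distro bundle in the image stays intact; the namespace, image and registry names are assumptions.

```yaml
# Added example (not from the thread): internal CA chain delivered to a workload pod
# via a ConfigMap. ConfigMaps are namespaced, so a copy is still needed per namespace,
# but nothing in it is secret and no hostPath is involved.
apiVersion: v1
kind: ConfigMap
metadata:
  name: internal-ca-bundle
  namespace: app-team                      # assumed namespace
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    ...root CA PEM goes here (placeholder)...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...subordinate CA PEM goes here (placeholder)...
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Pod
metadata:
  name: example-app
  namespace: app-team
spec:
  containers:
  - name: app
    image: registry.internal.example/app:1.0.0   # assumed private registry and image
    env:
    # OpenSSL-based clients (curl, Go's crypto/x509, Python's ssl module) honour
    # SSL_CERT_FILE; some libraries want their own variable, e.g. REQUESTS_CA_BUNDLE
    # for Python requests or NODE_EXTRA_CA_CERTS for Node.js.
    - name: SSL_CERT_FILE
      value: /etc/internal-ca/ca-bundle.crt
    volumeMounts:
    - name: internal-ca
      mountPath: /etc/internal-ca             # separate path: the image's own
      readOnly: true                          # /etc/ssl/certs bundle is not hidden
  volumes:
  - name: internal-ca
    configMap:
      name: internal-ca-bundle
```

If the application ignores those variables, mount the file with `subPath: ca-bundle.crt` at the exact path the application reads (still `readOnly: true`) rather than mounting the whole directory over /etc/ssl/certs, which would shadow every public root the image ships.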
