buildbarn / bb-storage

Storage daemon, capable of storing data for the Remote Execution protocol
Apache License 2.0

Load server CA certificates from files for client configuration #197

Open YorikSar opened 6 months ago

YorikSar commented 6 months ago

Currently we can only specify the CA certificate verbatim for server certificate validation. For both client and server certificate-key pairs, https://github.com/buildbarn/bb-storage/pull/149 implemented loading them from files and reloading them at specified intervals, but there is no such provision for CA certificates.

I'm using cert-manager on Kubernetes to generate all certificates, and it automatically renews all of them, including CA certificates, when needed. Its CSI driver then reissues leaf certificates and updates both leaf and CA certificates in containers. All client and server certificates are then refreshed from these files automatically. For CA certificates, though, I currently have to make sure to update the config and redeploy everything between the time a new CA certificate is generated and the time the old one expires, which is rather cumbersome and error-prone.

I think if this is implemented, we could add automatic certificate management to bb-deployments repository to cover all internal communication in Buildbarn with mTLS.
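The following is an added illustration of the behaviour the request describes, written for this page; it is not code from bb-storage or from the linked pull request. It assumes a single PEM file containing one or more CA certificates (the `ca.crt` path, the `storage.example` hostname and the throwaway certificates are all constructed for the example). The reloader re-reads the file once a configured interval has elapsed, refuses to replace a good pool with an empty one when the file is mid-write or corrupt, and rejects an unusable file at startup. After cert-manager rewrites the file with a new CA, leaves signed by the new CA become trusted once the interval passes and leaves signed by the old CA stop being trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"sync"
	"time"
)

// CAReloader serves a root pool that is re-read from a PEM file once Interval has
// passed. Illustrative code for the request above, not bb-storage's own.
type CAReloader struct {
	Path     string
	Interval time.Duration
	Now      func() time.Time // injectable clock; time.Now in production
	mu       sync.Mutex
	pool     *x509.CertPool
	loadedAt time.Time
}

// readPool parses every CERTIFICATE block in the file; a file with none is an
// error, so a truncated or half-written file can never leave the pool empty.
func readPool(path string) (*x509.CertPool, error) {
	data, err := os.ReadFile(path)
	pool := x509.NewCertPool()
	if err == nil && !pool.AppendCertsFromPEM(data) {
		err = fmt.Errorf("%s: no CA certificates found", path)
	}
	return pool, err
}

// NewCAReloader fails fast if the file is unusable at startup.
func NewCAReloader(path string, interval time.Duration) (*CAReloader, error) {
	pool, err := readPool(path)
	if err != nil {
		return nil, err
	}
	return &CAReloader{Path: path, Interval: interval, Now: time.Now, pool: pool, loadedAt: time.Now()}, nil
}

// Pool returns the current roots, re-reading the file once Interval has elapsed;
// a failed reload keeps the last good pool and is retried after the next interval.
func (r *CAReloader) Pool() *x509.CertPool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.Now().Sub(r.loadedAt) >= r.Interval {
		if pool, err := readPool(r.Path); err == nil {
			r.pool = pool
		}
		r.loadedAt = r.Now()
	}
	return r.pool
}

// Trusts reports whether a server certificate for host chains to the current roots.
func (r *CAReloader) Trusts(leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: r.Pool(), DNSName: host})
	return err == nil
}

// mustIssue creates constructed test material: a self-signed CA named `name` when
// parent is nil, otherwise a server leaf for host `name` signed by parent.
func mustIssue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced above always parses
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() { // stand-alone check of a real file: go run . /path/to/ca.crt
	if len(os.Args) > 1 {
		r, err := NewCAReloader(os.Args[1], time.Minute)
		fmt.Println("loaded:", r != nil, "error:", err)
	}
}
```

`Pool()` is meant to be called per connection, for example as `&tls.Config{RootCAs: r.Pool()}` on a client or `ClientCAs` for mTLS on a server, so that each new dial sees the roots currently on disk instead of a snapshot taken at startup. Rate-limiting the re-read by interval, rather than re-reading on every call, keeps the hot path cheap; updating `loadedAt` even after a failed read means a corrupt file is retried once per interval instead of on every connection.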