We have a fleet of microservice devices on Balena. I’m working on a project to upgrade the security between our devices and our back-end systems. We would like our devices to authenticate themselves against our back-end using mutual TLS.
At the back-end I intend to use cert-manager in Kubernetes to manage all the certificates for me. But I can’t quite envision how I can distribute the client certificates to each of our devices. Each device should get a ‘personal’ client certificate. And I would like to automate this process so that the certificates can be rotated every couple of months.
The only thing I can come up with is to put the certificates in service variables for each device. I could make a (small?) service in the back-end that uses the Balena API to receive the certificates from Kubernetes and set these on the correct devices periodically.
But I’m wondering, is that like a good idea? I’m not thrilled by the idea that the certificates will show up in the dashboard; is there a way around that? Does anyone else have experience with something like this?
All input is greatly appreciated!
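The following is an added example, not code from the post, from Balena or from cert-manager. It simulates the per-device client-certificate enrolment described above on a single machine, with a local openssl CA standing in for cert-manager, and it goes one step beyond the post: the device generates its own key pair and only sends a CSR to the back-end, so the only thing that ever needs to travel through a service variable (and therefore show up in the dashboard) is the public certificate, never the private key. Everything here is constructed: the CA name, the device uuids, the paths under `$WORK`, and the 90-day lifetime that stands in for "rotate every couple of months".

```shell
#!/bin/sh
# Added example (not from the forum post). Constructed names and paths throughout.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Back-end side: a CA that signs device certificates (stand-in for cert-manager).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-device-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Device side: the private key is generated on the device and never leaves it;
# only the CSR (public key + requested subject) is handed to the back-end.
make_device_csr() {
  uuid="$1"
  mkdir -p "$WORK/device-$uuid"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$uuid" \
    -keyout "$WORK/device-$uuid/client.key" \
    -out "$WORK/device-$uuid/client.csr" 2>/dev/null
}

# Back-end side: sign the CSR with a short lifetime (rotation is just repeating
# this before expiry) and restrict the result to TLS client authentication.
sign_device_csr() {
  uuid="$1"
  ext="$WORK/client.ext"
  printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$ext"
  openssl x509 -req -in "$WORK/device-$uuid/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 90 -extfile "$ext" \
    -out "$WORK/device-$uuid/client.crt" 2>/dev/null
}

# The one value that is safe to push as a device service variable: the public
# certificate, base64-encoded so it survives as a single-line variable value.
cert_as_service_var() {
  uuid="$1"
  base64 < "$WORK/device-$uuid/client.crt" | tr -d '\n'
}

# Checks the back-end (or the device, before trusting a rotated cert) can run:
# chains to our CA, CN is the device uuid, client-auth only, and the certificate
# matches the private key that stayed on the device.
verify_device_cert() {
  uuid="$1"
  crt="$WORK/device-$uuid/client.crt"
  openssl verify -CAfile "$WORK/ca.crt" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$uuid" || return 1
  openssl x509 -in "$crt" -noout -ext extendedKeyUsage \
    | grep -q "TLS Web Client Authentication" || return 1
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/device-$uuid/client.key" -pubout)" ]
}

# Stand-alone run: enrol one constructed device and print what would be set
# as its service variable.
make_ca
make_device_csr demo-device
sign_device_csr demo-device
verify_device_cert demo-device && echo "demo-device enrolled, cert valid"
echo "CLIENT_CERT_B64=$(cert_as_service_var demo-device | cut -c1-40)..."
```

With cert-manager in place, the `sign_device_csr` step maps onto creating a `CertificateRequest` resource whose `spec.request` carries the device's PEM CSR and reading the signed certificate back from its status; the device-side key generation and the "certificate only, never the key" rule for service variables stay the same.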