I have a Kubernetes DaemonSet that does some stuff when clients send requests to them.
The clients send requests directly to the DaemonSet pods using the Node IP and Known Port
method as documented here.
All pods in the DaemonSet have the same server certificate and key attached to them by a ConfigMap.
My question is how do I get the clients to "trust" the certificate presented by the pods?
One of the clients rightfully complains that there is no CN or IP SANS in the certificates since they are created before the DaemonSet pods are instantiated.
Since these DaemonSet pods created dynamically when nodes are added into the cluster AND because all pods share the same spec, I am unable to dynamically / automatically issue a specific certificate for the pod.
Is there some way around this?