Run NATS clustered w/ TLS on k8s #306
Unanswered
rolandjitsu
asked this question in
Q&A
Replies: 0 comments
I'm just wondering how others are handling certs when it comes to running NATS clustered on k8s w/ TLS enabled.
I'm currently in a bit of a pickle w/ self-signed certs. I'm building an IoT platform where devices are all over the world and I'm using a NATS cluster as a control plane. And since I want the comms to be encrypted, I've enabled TLS (I also use it as auth).
If I were running everything in the same env (k8s), I could use something like cert-manager to issue certs for every node and client, but since the devices are not part of the k8s env, I need to use self-signed certs (but maybe not?) that I can deploy to these devices.
The issue I'm having at the moment is w/ the CN or SAN. As per the docs, I've issued a cert w/ both client and server auth with the CN/SAN assigned to the DNS of the cluster (the address at which the cluster can be reached). But this only works for client <> node/cluster comms and not for node <> node, as I'm getting:
So my question is, how does one go about fixing that? I'm thinking of adding another SAN for *.cluster.local, but is this the norm? What other options do I have?
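Added example, not part of rolandjitsu's post and not NATS project code: a small Go program that issues a node certificate from a throwaway private CA and then runs the same verification a peer would run on it, so you can see which SANs a node cert needs to pass both as the server that devices and peer nodes dial and as the client that dials peer routes. nats-server is written in Go and its TLS handshakes go through crypto/tls, so the hostname matching rules exercised here are the ones that apply. The names nats.example.com (the public address devices use) and nats.default.svc.cluster.local (a headless service giving each pod a nats-N.nats.default.svc.cluster.local name) are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names, not from the original post: the address devices dial
// and the headless-service domain that route URLs (nats-0.<routeDomain>) use.
const (
	publicName  = "nats.example.com"
	routeDomain = "nats.default.svc.cluster.local"
)

// newCA creates the self-signed private CA that would be shipped to devices
// and nodes as the trust anchor (ca_file).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example NATS CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueNodeCert issues one node certificate carrying the given SANs and
// extended key usages. The CN is filled in only for readability: verifiers
// ignore it once a SAN extension is present.
func issueNodeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, sans []string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "nats-node"},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertPassesAs reports whether a node cert with these SANs and EKUs would be
// accepted by a peer that trusts the CA: as a server named host (usage
// ServerAuth), or as a client cert (usage ClientAuth with host == "", since a
// TLS server does not hostname-check the client's certificate).
func CertPassesAs(sans []string, ekus []x509.ExtKeyUsage, host string, usage x509.ExtKeyUsage) (bool, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return false, err
	}
	cert, err := issueNodeCert(ca, caKey, sans, ekus)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host, // empty string skips the hostname check
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err == nil, nil
}

func main() {
	both := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	candidates := map[string][]string{
		"public name only":        {publicName},
		"public + *.cluster.local": {publicName, "*.cluster.local"},
		"public + pod wildcard":   {publicName, "*." + routeDomain},
	}
	for label, sans := range candidates {
		for _, host := range []string{publicName, "nats-0." + routeDomain} {
			ok, err := CertPassesAs(sans, both, host, x509.ExtKeyUsageServerAuth)
			fmt.Printf("%-26s as server for %-40s ok=%v err=%v\n", label, host, ok, err)
		}
	}
}
```

Two points the run makes visible. First, hostname matching follows RFC 6125 as implemented by crypto/x509: a wildcard replaces exactly one label, so *.cluster.local does not match nats-0.nats.default.svc.cluster.local; the wildcard has to sit at the pod-name depth (*.nats.default.svc.cluster.local), or each pod name is listed explicitly. Second, a node is a TLS client when it dials a route and a TLS server when a peer dials it, so the leaf needs both serverAuth and clientAuth; a serverAuth-only cert is rejected when presented as a client certificate. Nothing here talks to Kubernetes or NATS; it only exercises the verifier that a peer would run.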