Can I use separate CA certs and keys for every node or do I just generate one and then copy that manually to the other nodes?
Automatic installation of crdb via some script or config management tool would be difficult if there were just one CA cert and key for the whole cluster, because I would have to somehow teach the declarative config management tool (Chef, Puppet, Saltstack etc.) to first create a “main node”, which would then generate the CA cert and key. Those would then have to be copied to the other hosts, which is a dangerous process.
The declarative approach would be to not have a “leader” node (aka SPOF), but make all nodes equal and self-contained. Thus every node would generate its own CA key and cert, but I somehow doubt that inter-cluster communication would work this way.
Basically, I want my nodes to be independent of each other (avoid SPOF, enable horizontal scaling), but I also don’t want to generate a CA key and cert externally and then distribute it to all nodes over the network. Sorry for rambling, this is just meant as context for the question in the first sentence.
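As an added illustration of the two designs described in the post (this is not code from the poster or from CockroachDB, and it uses plain openssl rather than the `cockroach cert` tooling): it builds, in a temp directory with constructed hostnames node1..node3, one cluster CA that signs a per-node cert, and separately one self-signed "CA" per node, then checks whether node1 can verify node2 in each layout and whether the CA private key ever has to sit on a node.

```shell
#!/bin/sh
# Added illustration (not CockroachDB code): the two designs from the post, built with openssl.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
NODES="node1 node2 node3"   # constructed hostnames for the example

# Design A: one CA for the cluster, generated once on an admin host.
# Each node gets its own key and a cert signed by that CA; only the public
# ca.crt is copied to nodes, the CA private key never is.
make_cluster_ca() {
    d="$WORK/cluster"; mkdir -p "$d/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cluster-ca" \
        -keyout "$d/ca/ca.key" -out "$d/ca/ca.crt" 2>/dev/null
    for n in $NODES; do
        mkdir -p "$d/$n"
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n/node.key" -out "$d/$n/node.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$d/$n/node.csr" -CA "$d/ca/ca.crt" \
            -CAkey "$d/ca/ca.key" -CAcreateserial -out "$d/$n/node.crt" 2>/dev/null
        cp "$d/ca/ca.crt" "$d/$n/ca.crt"   # public trust anchor only
    done
}

# Design B: every node self-signs its own "CA"; nothing ties them together.
make_per_node_cas() {
    d="$WORK/pernode"
    for n in $NODES; do
        mkdir -p "$d/$n"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n" \
            -keyout "$d/$n/ca.key" -out "$d/$n/ca.crt" 2>/dev/null
    done
}

# Succeeds when node2's certificate ($2) chains to the trust anchor node1 holds
# in layout $1 (the same check a peer performs during the TLS handshake).
node1_trusts_node2() {
    openssl verify -CAfile "$WORK/$1/node1/ca.crt" "$WORK/$1/node2/$2" >/dev/null 2>&1
}

# Succeeds when no node directory of design A contains the CA private key.
ca_key_kept_offline() {
    for n in $NODES; do [ -e "$WORK/cluster/$n/ca.key" ] && return 1; done
    return 0
}

make_cluster_ca; make_per_node_cas
node1_trusts_node2 cluster node.crt && echo "one cluster CA: node1 accepts node2"
node1_trusts_node2 pernode ca.crt || echo "per-node CAs: node1 rejects node2"
ca_key_kept_offline && echo "design A: ca.key present on no node"
```

The point for the automation question is that only ca.crt plus each node's own cert and key need to reach a host; the CA private key can stay on the signing host and never travel over the network.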