(CA) TLS Certificates in Kubernetes, how do you generate/maintain them


I am deploying Opensearch to Kubernetes and I am curious about how you do the (CA) TLS certificates that the Opensearch roles use for internal communication (Not the ingress one).

How do you do that? Do you generate them as mentioned in Generating self-signed certificates - OpenSearch documentation and create (manually) Kubernetes secrets and store them? If so, how do you handle any (future) replica increases? Do you prepare them in advance, or have some kind of documentation (process) so that the engineer does not forget to do that?

Or is there a way to use the Vault CA/TLS backend for this as well? Vault might be providing too short-lived certificates for that.

Curious how you do this, I am looking for input.
Thank you very much!
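As an added example (not part of the original post, and not OpenSearch's or Vault's own tooling), the following Go program uses only the standard library to do the two steps any answer to this question has to cover: create a root CA and sign a per-node certificate whose SANs match the names a StatefulSet pod is reachable by. The StatefulSet name `opensearch`, headless service `opensearch-headless` and namespace `logging` are made-up placeholders. To address the replica-increase concern it adds a wildcard SAN for the headless service (an assumption about how the cluster is addressed, and only useful if hostname verification is enabled), so a certificate issued this way is still valid for a pod that does not exist yet; a per-pod certificate without the wildcard is the same code with the last SAN dropped.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Issued pairs a certificate with the private key it was created for.
type Issued struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// randomSerial returns a 128-bit random serial; never reuse serials under one CA.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewCA creates a self-signed root CA that may only sign leaf certificates (no intermediates).
func NewCA(name string, validity time.Duration) (*Issued, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute), // tolerate small clock skew
		NotAfter:              time.Now().Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issued{Cert: cert, Key: key}, nil
}

// IssueNodeCert signs a leaf certificate usable as both server and client,
// since a node both accepts and initiates transport connections.
func IssueNodeCert(ca *Issued, cn string, dnsNames []string, validity time.Duration) (*Issued, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issued{Cert: cert, Key: key}, nil
}

// StatefulSetSANs lists the names pod <set>-<ordinal> answers to, plus a wildcard
// for the headless service so that replicas added later are also covered.
func StatefulSetSANs(set, svc, ns string, ordinal int) []string {
	pod := fmt.Sprintf("%s-%d", set, ordinal)
	return []string{
		pod,
		fmt.Sprintf("%s.%s.%s.svc.cluster.local", pod, svc, ns),
		fmt.Sprintf("*.%s.%s.svc.cluster.local", svc, ns),
	}
}

// Verify checks that cert chains to ca, is valid now, and matches host (what a peer node would check).
func Verify(ca, cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// CertPEM and KeyPEM produce the files a Kubernetes Secret would carry (e.g. root-ca.pem, node.pem, node-key.pem).
func CertPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func KeyPEM(k *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(k)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

func main() {
	ca, err := NewCA("opensearch-root-ca", 5*365*24*time.Hour)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Placeholder cluster names; pod 0 of the StatefulSet "opensearch" in namespace "logging".
	node, err := IssueNodeCert(ca, "opensearch-0", StatefulSetSANs("opensearch", "opensearch-headless", "logging", 0), 90*24*time.Hour)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(CertPEM(ca.Cert))
	os.Stdout.Write(CertPEM(node.Cert))
}
```

The printed PEM blocks (plus the key from `KeyPEM`, which is deliberately not printed) are what would go into a Secret with `kubectl create secret generic ... --from-file=...` for the pods to mount. Whether this runs once by hand or on every scale-out is exactly the maintenance problem the post raises; the leaf validity is a parameter here so the same issuance logic can be driven by an automated issuer (cert-manager has issuers for both self-signed CAs and Vault PKI) that renews on a schedule instead of an engineer remembering to.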