What’s the Biggest Challenge in Managing Device Identity for IoT at Scale?

Asked By TechGuru42 On

I recently built an IoT platform on Google Kubernetes Engine (GKE) and faced a challenge I didn't anticipate. While scaling the messaging with RabbitMQ was straightforward, managing device identity turned out to be the real hurdle. Everything works fine with a few devices, but as the number of devices grows into the thousands, complications arise: certificate rotation becomes cumbersome, trust issues arise, and TLS configurations end up conflicting. A significant issue I encountered was that RabbitMQ handles TLS globally, so enabling mutual TLS (mTLS) for devices affects all services, including internal services and the admin UI. To tackle this, I used Vault as a PKI engine for short-lived certificates (24-hour validity) and moved TLS/mTLS termination to Nginx instead of RabbitMQ. Additionally, splitting GKE into node pools (infrastructure, messaging, and applications) made the system much more predictable. I wrote a detailed breakdown of my experience, and I'm curious about how others are managing device identity at scale. Are you using SPIFFE/SPIRE or sticking with Vault?
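The split described above (mTLS terminated at Nginx, RabbitMQ left with a plain in-cluster listener), as an added example that is not part of the original post; the certificate paths, the upstream hostname and the Vault role name are assumptions.

```nginx
# Added example (not the poster's config). Nginx "stream" block that terminates
# TLS/mTLS for device AMQP connections and forwards plain AMQP to RabbitMQ, so
# RabbitMQ's global TLS settings never have to enforce mTLS on internal
# services or the management UI. Requires nginx built with --with-stream and
# --with-stream_ssl_module.
stream {
    # Assumed in-cluster RabbitMQ service on the unencrypted AMQP port.
    upstream rabbitmq_amqp {
        server rabbitmq.messaging.svc.cluster.local:5672;
    }

    server {
        # Devices connect here over AMQPS.
        listen 5671 ssl;

        # Server identity presented to devices (assumed paths).
        ssl_certificate     /etc/nginx/certs/broker-server.crt;
        ssl_certificate_key /etc/nginx/certs/broker-server.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Require a client certificate and verify it against the Vault PKI
        # CA chain. Device certs are 24-hour leaves issued by Vault, e.g. a
        # role created with
        #   vault write pki/roles/iot-device ttl=24h max_ttl=24h \
        #       allowed_domains=devices.example.internal allow_subdomains=true
        # (assumed role and domain), so the CA bundle below is the only
        # long-lived trust anchor Nginx holds.
        ssl_client_certificate /etc/nginx/certs/vault-pki-ca-chain.pem;
        ssl_verify_client      on;
        ssl_verify_depth       2;

        proxy_pass rabbitmq_amqp;
    }
}
```

Because TLS now ends at Nginx, RabbitMQ no longer sees the device certificate, so its own AMQP authentication still applies to every device connection; a second, non-mTLS listener (or none at all) can be used for internal services and the admin UI.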

2 Answers

Answered By IoTLover99 On

This is such an underrated perspective. Everyone talks about scaling on GKE, but the real struggle often lies in managing identity as the device count grows. What did you end up with in the end — workload identity, certificates, or something else entirely?

TechGuru42 -

Exactly! Scaling infrastructure on GKE is definitely the easier part. We ended up using mTLS with short-lived client certificates from Vault, which have a 24-hour TTL. It really simplified managing identity.

Answered By DeviceWhisperer1 On

Managing identity gets tricky as your device count increases. Using short-lived certificates from Vault is a great approach if you’re already using it. SPIFFE/SPIRE sounds great conceptually, but it does add another layer to manage.

CertificateNinja -

Yeah, I agree! Vault feels like the more streamlined choice, considering the operational overhead.
