That's a surprising design that I would expect to reduce scalability and increase maintenance. What wasn't working before?


Discussion

No certificate provisioning infrastructure existed.

Now, it provisions certs automatically with OpenBao. That runs on a cronjob.

Otherwise, this actually makes it easier to maintain, as there is no longer a need for an overlay network which had to be encrypted (and is more difficult to scale).
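As an added illustration of the cron-driven renewal step described above (example code, not the project's own script), this asks OpenBao's PKI secrets engine for a fresh leaf certificate only when the current one is missing or close to expiry, and swaps the files in atomically with restrictive permissions. It assumes OpenBao's Vault-compatible HTTP API (`X-Vault-Token` header, `pki/issue/<role>` endpoint), a hypothetical mount named `pki` and role named `fdb-server`, `BAO_ADDR`/`BAO_TOKEN` in the environment, and `curl`, `jq` and `openssl` on the host.

```shell
#!/bin/sh
# Cron renewal step for a server TLS cert issued by OpenBao's PKI engine.
# Assumed (hypothetical) names: PKI mount "pki", role "fdb-server".
set -e

CERT_DIR="${CERT_DIR:-/etc/foundationdb/tls}"
RENEW_WINDOW_SECS="${RENEW_WINDOW_SECS:-86400}"   # renew when < 1 day is left

# Exit 0 (renew) when the cert file is missing or expires within $2 seconds.
needs_renewal() {
  cert="$1"; window="$2"
  [ -f "$cert" ] || return 0
  # `openssl x509 -checkend N` exits non-zero if the cert expires within N s.
  if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Issue a new cert for $1 and write key.pem / cert.pem (leaf + chain) into $2.
issue_cert() {
  cn="$1"; out_dir="$2"
  : "${BAO_ADDR:?}" "${BAO_TOKEN:?}"
  resp=$(curl -sS --fail -H "X-Vault-Token: $BAO_TOKEN" \
       -d "{\"common_name\":\"$cn\",\"ttl\":\"72h\"}" \
       "$BAO_ADDR/v1/pki/issue/fdb-server")
  tmp=$(mktemp -d "$out_dir/.issue.XXXXXX")
  umask 077   # key and cert are created 0600, never world-readable
  printf '%s\n' "$resp" | jq -r '.data.private_key' > "$tmp/key.pem"
  printf '%s\n' "$resp" | jq -r '.data.certificate, .data.ca_chain[]' > "$tmp/cert.pem"
  mv "$tmp/key.pem"  "$out_dir/key.pem"    # rename is atomic on one filesystem
  mv "$tmp/cert.pem" "$out_dir/cert.pem"
  rmdir "$tmp"
}

main() {
  if needs_renewal "$CERT_DIR/cert.pem" "$RENEW_WINDOW_SECS"; then
    issue_cert "$(hostname -f)" "$CERT_DIR"
  fi
}

# Invoked from cron as `sh renew.sh run`; sourcing the file defines functions only.
case "${1:-}" in run) main ;; esac
```

Restarting or signalling the server to reload the new files after `issue_cert` is left to the caller, since that depends on the process being served.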

Is the overlay network a mesh like linkerd? Or are these run by different people? I find that baking SSL and networking code into the process can lead to difficult-to-resolve production issues.

It's a mesh network on Proxmox.

I try to avoid "being helpful after it's too late", but you might be interested in:

https://github.com/juanfont/headscale

Or

https://github.com/complexorganizations/wireguard-manager

This would work best for my use case: https://github.com/slackhq/nebula

But currently I also see other benefits in using TLS (FDB uses TLS certs to distinguish server-to-server communication, from clients)

I'm not familiar with nebula, but it seems reasonable.