The DigitalOcean team designed a platform built on top of Kubernetes to secure their internal services. They implemented HashiCorp's Vault as a certificate authority (CA) to automate all certificate management, including mutual TLS authentication between etcd and Kubernetes components. The CA structure consisted of two authorities: one for etcd-related certificates and another for Kubernetes components. The team created roles and policies in Vault to control access to the CAs and issued tokens with the necessary permissions. Each machine was provided with a Vault token that could be renewed indefinitely, and services were configured to fetch and renew their own certificates using consul-template. The architecture allows for automated certificate issuance, renewal, and rotation, reducing the effort required to set up and maintain many Kubernetes clusters.
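The two-CA layout described above, expressed with the Vault CLI: an added example, not DigitalOcean's own configuration. The mount names (`etcd-ca`, `kube-ca`), role names, domain and TTLs are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: one PKI mount per trust domain, each with its own role and policy.
# Mount names, role names, DOMAIN and all TTLs are assumptions, not values from the page.
set -eu

DOMAIN="cluster.example.internal"   # constructed placeholder domain

# Render a policy that allows issuing certificates from exactly one role on one CA.
# A token holding it cannot request certificates from the other CA.
render_policy() {  # $1 = PKI mount, $2 = role
  printf 'path "%s/issue/%s" {\n  capabilities = ["create", "update"]\n}\n' "$1" "$2"
}

# Create one CA: enable the mount, generate a root whose key stays inside Vault,
# define a role that bounds names and lifetime, then attach the policy.
setup_ca() {  # $1 = PKI mount, $2 = role
  vault secrets enable -path="$1" pki
  vault secrets tune -max-lease-ttl=87600h "$1"
  vault write "$1/root/generate/internal" common_name="$1" ttl=87600h
  vault write "$1/roles/$2" allowed_domains="$DOMAIN" allow_subdomains=true max_ttl=72h
  render_policy "$1" "$2" | vault policy write "$1-$2" -
}

# Periodic token: it has no maximum lifetime as long as it is renewed within each
# period, which is what lets a machine keep one token indefinitely.
machine_token() {  # $1 = policy name
  vault token create -policy="$1" -period=24h -field=token
}

# Only talk to Vault when invoked with "apply"; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
  setup_ca etcd-ca member
  setup_ca kube-ca apiserver
  machine_token etcd-ca-member
fi
```

Running it with `apply` needs an authenticated Vault session allowed to mount secrets engines and create periodic tokens. Short role `max_ttl` values keep a leaked certificate useful only briefly, since consul-template re-issues before expiry.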