mirror of https://github.com/status-im/consul.git
29 lines
1.1 KiB
Plaintext
---
layout: docs
page_title: Certificate Rotation
sidebar_title: Certificate Rotation
description: Rotate Certificate on Kubernetes Cluster safely
---

# Rotating Server Certificates

As of Consul Helm version `0.29.0`, if TLS is enabled, new TLS certificates for the Consul Server
are issued every time the Helm chart is upgraded. These certificates are signed by the same CA and will
continue to work as expected in the existing cluster.

Consul servers read the certificates from Kubernetes secrets during start-up and keep them in memory. To ensure the
servers use the new certificate, the server pods need to be [restarted explicitly](/docs/k8s/operations/upgrade#upgrading-consul-servers)
whenever `helm upgrade` does not restart them.

To explicitly perform server certificate rotation, follow these steps:

1. Perform a `helm upgrade`:

   ```shell-session
   helm upgrade consul hashicorp/consul -f /path/to/my/values.yaml
   ```

   This should run the `tls-init` job, which generates new server certificates.

1. Restart the server pods by following the steps [here](/docs/k8s/operations/upgrade#upgrading-consul-servers).
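
Because servers keep the certificate they loaded at start-up in memory, it is worth confirming after the restart that each server presents the newly issued certificate. The script below is an added example, not part of the Consul documentation: it compares the SHA-256 fingerprint of the certificate in the Kubernetes secret with the one a server pod serves over TLS. The namespace `consul`, the secret name `consul-consul-server-cert` with key `tls.crt`, the HTTPS port `8501`, the local port `18501` and the pod name are assumptions; adjust them to your installation.

```shell
#!/usr/bin/env bash
# Added example. Assumed (not from the page): namespace, secret name/key, ports.
NAMESPACE="${NAMESPACE:-consul}"
SECRET="${SECRET:-consul-consul-server-cert}"  # assumed <release>-consul-server-cert
HTTPS_PORT="${HTTPS_PORT:-8501}"               # assumed Consul HTTPS port
LOCAL_PORT="${LOCAL_PORT:-18501}"              # arbitrary free local port

# SHA-256 of the DER bytes of the first certificate in a PEM stream on stdin.
# Fails (prints nothing) when the stream holds no certificate.
pem_fingerprint() {
  local b64
  b64=$(awk '/-----BEGIN CERTIFICATE-----/{f=1; next}
             /-----END CERTIFICATE-----/{exit} f' | tr -d ' \r\n')
  [ -n "$b64" ] || return 1
  printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
}

# Certificate stored in the Kubernetes secret, i.e. what tls-init last issued.
secret_cert() {
  kubectl -n "$NAMESPACE" get secret "$SECRET" \
    -o 'jsonpath={.data.tls\.crt}' | base64 -d
}

# Certificate the running server presents, i.e. what it loaded at start-up.
served_cert() {  # $1 = server pod name
  kubectl -n "$NAMESPACE" port-forward "pod/$1" "$LOCAL_PORT:$HTTPS_PORT" \
    >/dev/null 2>&1 &
  local pf=$!
  sleep 2  # give the port-forward time to start listening
  openssl s_client -connect "127.0.0.1:$LOCAL_PORT" </dev/null 2>/dev/null || true
  kill "$pf" 2>/dev/null || true
}

# Prints "rotated" when both PEM inputs carry the same certificate, else "stale".
rotation_status() {  # $1 = issued PEM, $2 = served PEM
  local issued served
  issued=$(printf '%s\n' "$1" | pem_fingerprint) || issued=""
  served=$(printf '%s\n' "$2" | pem_fingerprint) || served=""
  if [ -n "$issued" ] && [ "$issued" = "$served" ]; then
    echo rotated
  else
    echo stale; return 1
  fi
}

# Usage: check_pod consul-consul-server-0   (pod name is an assumption)
check_pod() {
  rotation_status "$(secret_cert)" "$(served_cert "$1")"
}
```

Run `check_pod` once per server pod after the restart; a pod that reports `stale` is still serving the certificate it loaded before the rotation.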