---
layout: docs
page_title: Certificate Rotation
sidebar_title: Certificate Rotation
description: Rotate Certificate on Kubernetes Cluster safely
---

# Rotating Server Certificates

As of Consul Helm version `0.29.0`, if TLS is enabled, new TLS certificates for the Consul Server
are issued every time the Helm chart is upgraded. These certificates are signed by the same CA and will
continue to work as expected in the existing cluster.

Consul servers read the certificates from Kubernetes secrets during start-up and keep them in memory. To ensure the
servers use the newer certificate, the server pods need to be [restarted explicitly](/docs/k8s/upgrade#upgrading-consul-servers)
whenever `helm upgrade` does not restart them.

To explicitly perform server certificate rotation, follow these steps:

1. Perform a `helm upgrade`:

   ```shell-session
   helm upgrade consul hashicorp/consul -f /path/to/my/values.yaml
   ```

   This should run the `tls-init` job, which generates new server certificates.

1. Restart the server pods by following the steps [here](/docs/k8s/upgrade#upgrading-consul-servers).
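To confirm that the restart took effect, the following added example (not part of the Consul documentation or the Helm chart) compares the fingerprint of the certificate stored in the server certificate secret with the one each server presents on its HTTPS port, and lists servers still holding the old certificate in memory. The `tls.crt` secret key, the default port 8501, and the command-line arguments are assumptions; supply your own secret name and server addresses (for example, ones exposed through `kubectl port-forward`).

```python
import base64
import hashlib
import json
import re
import ssl
import subprocess
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of the first (leaf) certificate in a PEM string."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(match.group(0))).hexdigest()


def secret_fingerprint(secret_json):
    """Fingerprint of tls.crt in `kubectl get secret <name> -o json` output."""
    data = json.loads(secret_json)["data"]  # assumption: cert under "tls.crt"
    return pem_fingerprint(base64.b64decode(data["tls.crt"]).decode("ascii"))


def served_fingerprint(host, port=8501):
    """Fingerprint of the certificate a server presents (fetched, not validated)."""
    return pem_fingerprint(ssl.get_server_certificate((host, port)))


def stale_servers(issued, served):
    """Targets whose in-memory certificate differs from the issued one."""
    return sorted(name for name, fp in served.items() if fp != issued)


if __name__ == "__main__":
    # Usage (hypothetical names): check.py <server-cert-secret> host[:port] ...
    secret_name, *targets = sys.argv[1:]
    out = subprocess.run(
        ["kubectl", "get", "secret", secret_name, "-o", "json"],
        check=True, capture_output=True, text=True).stdout
    served = {}
    for target in targets:
        host, _, port = target.partition(":")
        served[target] = served_fingerprint(host, int(port or 8501))
    stale = stale_servers(secret_fingerprint(out), served)
    print("servers still on the old certificate:", ", ".join(stale) or "none")
    sys.exit(1 if stale else 0)
```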