Hi all,
I’ve got a lab setup with Vault & Cron running nicely with TLS covering all endpoints and am deciding on adding in consul-template to rotate these certs.
This Vault cluster has PKI enabled and has bootstrapped its own certs; I think it makes sense rotating the certs with a longer TTL, say 1-week.
It might even make sense rotating the Vault/Consul certs in an async manner:
- Vault: every 24 hours
- Consul (Server cert): 18 hours
- Consul (Client cert): 12 hours
If the client cert rotation poses any delay, it will break RPC communication and the entire Vault backend dies. Thoughts?
Is it fine if the consul-template task just calls systemctl restart consul.service (and the same for Vault as well?) once it has templated the new certs?
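One way to make the rotation step safe against the failure the post worries about (a delayed or broken render taking down RPC) is to have consul-template hand the rendered cert and key to a small hook that validates the pair before anything is reloaded. The script below is an added example for this thread, not code from the original post, consul-template or HashiCorp; it assumes a hypothetical hook name `rotate-hook.sh`, that consul-template renders into a staging path and passes the paths as arguments, and that both daemons re-read `cert_file`/`key_file` on `systemctl reload` (SIGHUP) rather than needing a full restart, which you should confirm against the Consul and Vault versions in your lab. The self-signed pair it can generate is constructed sample data so the checks run without a Vault PKI mount.

```shell
#!/usr/bin/env bash
# rotate-hook.sh (hypothetical name): post-render hook for consul-template.
# consul-template renders the new cert/key into a staging path and runs this
# script; the daemon is only reloaded once the staged pair has been verified,
# so a bad or partial render never replaces a working certificate.
set -e

# Returns 0 when CERT and KEY form a usable pair that stays valid for at least
# MIN_SECS more (default one hour); any parse failure or mismatch returns 1.
cert_pair_ok() {
  local cert="$1" key="$2" min_secs="${3:-3600}"
  # 1. certificate parses and does not expire within min_secs
  openssl x509 -in "$cert" -noout -checkend "$min_secs" >/dev/null 2>&1 || return 1
  # 2. the private key actually belongs to the certificate's public key
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Copies a verified staged pair into place and asks the daemon to re-read its
# TLS config. Assumption: the unit reloads cert_file/key_file on SIGHUP, so a
# reload (not a restart) is enough. RELOAD_CMD can be overridden for testing.
install_and_reload() {
  local staged_cert="$1" staged_key="$2" dest_cert="$3" dest_key="$4" unit="$5"
  local reload_cmd="${RELOAD_CMD:-systemctl reload}"
  if ! cert_pair_ok "$staged_cert" "$staged_key"; then
    echo "refusing to install: staged cert/key pair failed validation" >&2
    return 1
  fi
  # keep the old files untouched until both new ones are written
  install -m 0640 "$staged_cert" "$dest_cert"
  install -m 0600 "$staged_key" "$dest_key"
  $reload_cmd "$unit"
}

# Constructed sample data: a throwaway self-signed pair valid for DAYS days,
# used only to exercise the checks above outside a real PKI mount.
make_sample_pair() {
  local dir="$1" days="${2:-1}"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sample" -days "$days" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Invocation from a consul-template "command" (hypothetical argument layout):
#   rotate-hook.sh --hook <staged-cert> <staged-key> <dest-cert> <dest-key> <unit>
if [ "${1:-}" = "--hook" ]; then
  install_and_reload "$2" "$3" "$4" "$5" "$6"
fi
```

The validation step is what turns the staggered schedule from the post into something you can run unattended: if Vault is briefly unavailable and the render produces nothing usable, the hook exits non-zero and the previous, still-valid pair keeps serving RPC until the next attempt.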