Certificate rotation for servers?

We have an existing cluster and, because we need to work with a new IP address space, are building a new cluster that will be built from the ground up. We’re intending to use the built-in CA.

I understand that leaf certificates are automatically generated and rotated, and that I can rotate in a new CA. What about server certificates? If I understand the documentation the creation of the CA and the server certs is a manual process. When the year is up, do I have to manually generate new server certs and rotate them in? Or does that happen automatically?

Thanks
–Jamie

I too would like to see this explained better. Consul-Template generation for clients works great. Doing so for servers, in my early experiences, can lead to catastrophic failure of each cluster (Nomad, Vault, Consul) as they all integrate with each other and need to share certs.

Without any further info or examples to tell me otherwise, I have just resorted to manually issuing server certificates for 1 year and setting a Google Calendar reminder.

You’d think this would get documented somewhere, right? Weird.

I think the mechanism is the same (or can be done with the same tools), so it is technically documented. It’s just that the concerns around issuing for servers intersect with so many possible inter-dependencies that having consul-template do it without a proper strategy in place can make things go “blooey.”
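For readers who want to see what the "proper strategy" mentioned in the last two replies looks like in practice, here is an added consul-template configuration for a Consul server's agent TLS certificate. It is an illustration written for this thread, not code posted by any participant and not from the Consul or consul-template projects. It assumes a Vault PKI secrets engine mounted at `pki` with a role named `consul-server`, certificate paths under `/etc/consul.d/certs`, the IP SAN `10.0.0.11` (a constructed sample), and a Consul version that re-reads `cert_file` and `key_file` on `consul reload`; all of those are assumptions, not facts from the thread.

```hcl
# consul-template configuration (added example, not from this thread).
# Assumed: Vault PKI mounted at "pki" with role "consul-server", paths under
# /etc/consul.d/certs, and a Consul that re-reads its TLS files on reload.
vault {
  address     = "https://vault.service.consul:8200"
  renew_token = true
}

template {
  # A single template performs ONE issue call and writes every artifact from
  # it. Splitting cert and key into two templates would issue twice and leave
  # the server with a private key that does not match its certificate, which
  # is one of the ways a server-side rotation goes "blooey".
  contents = <<EOT
{{- with secret "pki/issue/consul-server" "common_name=server.dc1.consul" "alt_names=localhost" "ip_sans=127.0.0.1,10.0.0.11" "ttl=720h" -}}
{{- .Data.private_key | writeToFile "/etc/consul.d/certs/server.key" "consul" "consul" "0600" -}}
{{- .Data.issuing_ca  | writeToFile "/etc/consul.d/certs/ca.pem"     "consul" "consul" "0644" -}}
{{ .Data.certificate }}
{{- end -}}
EOT
  destination = "/etc/consul.d/certs/server.crt"
  perms       = 0644

  # Reload rather than restart: the server keeps its Raft and gossip
  # connections while the new certificate and key are picked up.
  command = "consul reload"
}
```

Two operational points follow from this layout. First, the leaf TTL (`720h` here) is deliberately much shorter than the CA's lifetime, so the only thing that rotates frequently is the leaf; Nomad and Vault agents that talk to Consul keep trusting the shared CA chain in `ca.pem` and never need to hold the server's leaf certificate. Second, run the rotation on one server at a time and confirm `consul operator raft list-peers` shows a healthy quorum before moving to the next, since a bad certificate on a majority of servers at once is the "catastrophic failure of each cluster" the earlier reply describes.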