I’m trying to understand the strategy required for rotating Consul’s TLS certificates when they expire.
My understanding is that there are two CAs in use by Consul - one for the Consul Client and another for the Consul Server. In order for a given Pod to talk to the Consul Client over HTTPS, it needs to trust the Consul Client CA. That’s fine - we’re using consul-k8s get-consul-client-ca in an initContainer to do that, and Pods talk to https://$HOST_IP:8501/ without any complaints.
But what happens in, say, 2 years’ time when the TLS certificate on the Consul Client expires? Presumably HTTPS requests to it will now fail since the cert is no longer valid.
I guess my question here is:
With auto-encryption enabled in the consul-helm chart, do the Consul Client and Consul Server pods automatically get new certificates?
Incidentally, I noticed a comment from @lkysow on the PR which enabled TLS for consul-helm, where he expressed concern over how certificates could be rotated:
^-- is there an answer/solution to this?
Thanks - Aaron