Five secrets must be created to spin up a new vault instance:

- `gossip-key` - which Consul uses to encrypt gossip communications
- `vault-consul.ca` - which contains a PEM-encoded CA cert to use to verify the Vault server SSL certificate
- `vault-consul.tls` - which contains a PEM-encoded client certificate for TLS authentication to the Vault server along with an unencrypted PEM-encoded private key matching the client certificate
- `vault.ca` - which contains a PEM-encoded CA cert to use to verify the Vault server SSL certificate
- `vault.tls` - which contains a PEM-encoded client certificate for TLS authentication to the Vault server along with an unencrypted PEM-encoded private key matching the client certificate
- Generate new CA and Consul certs
  - TBD - Ryan Wilcox
- Ensure the following files are in the `certs/` directory and are up to date
  - `consul.ca` - Consul CA Cert
  - `consul.crt` - Consul TLS Cert
  - `consul.key` - Consul TLS Private Key
  - `vault.ca` - Vault CA Cert
  - `vault.crt` - Vault TLS Cert
  - `vault.key` - Vault TLS Private Key
- Run the following to replace all consul/vault K8S secrets

  ```
  ./apply.sh <vault_cluster_name> <namespace>
  ```
Add a `true` parameter at the end if you also want to create/replace the Consul gossip key with a new auto-generated one. WARNING: replacing the gossip key should not be done on a running cluster as it may cause inconsistent keys between Consul nodes. This should only be done when creating or completely destroying/re-creating a Vault cluster.

```
./apply.sh <vault_cluster_name> <namespace> true
```
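The procedure above (check the files in `certs/`, then create or replace the five K8S secrets, optionally with a fresh gossip key), as an added example that is not the project's own `apply.sh`. It is this page editor's code and makes assumptions the README does not state: each secret is an Opaque Secret, the `.ca` secrets carry a `ca.crt` key, the `.tls` secrets carry `tls.crt` plus `tls.key`, the gossip secret carries one key named `key`, every Secret gets an `app=<vault_cluster_name>` label, and a gossip key is 32 random bytes base64-encoded (the shape `consul keygen` prints). `build_manifests` takes the same `<vault_cluster_name> <namespace> [true]` arguments as `apply.sh` after a certs directory and an output directory, and it writes manifests for `kubectl apply -f` instead of applying them, so the result can be reviewed first. It also refuses an encrypted private key up front, since Vault and Consul need the key in the clear and would otherwise only fail at pod startup.

```shell
#!/bin/sh
# Added example, not the project's apply.sh: validate the files in certs/ and
# render Kubernetes Secret manifests for the five secrets listed above.
# Assumptions (this example's own, not from the README): Opaque Secrets; .ca
# secrets hold ca.crt, .tls secrets hold tls.crt + tls.key, gossip-key holds
# a single "key" entry, and every Secret is labelled app=<vault_cluster_name>.
set -eu

# True if FILE holds at least one PEM CERTIFICATE block.
pem_has_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# True if FILE holds a private key that is not password-protected. A PKCS#8
# "ENCRYPTED PRIVATE KEY" block or a legacy "Proc-Type: 4,ENCRYPTED" header
# would only surface as a crash when Vault/Consul read the mounted secret.
pem_has_unencrypted_key() {
    grep -qE -e '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || return 1
    ! grep -q -e 'ENCRYPTED' "$1"
}

# Single-line base64 of FILE (tr strips the line wrapping GNU base64 adds).
b64_file() {
    base64 < "$1" | tr -d '\n'
}

# Common Secret preamble: secret_header NAME NAMESPACE CLUSTER
secret_header() {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n  labels:\n    app: %s\ntype: Opaque\ndata:\n' \
        "$1" "$2" "$3"
}

# Print a Secret whose data entries come from files:
#   render_secret NAME NAMESPACE CLUSTER key=path [key=path ...]
render_secret() {
    name=$1; ns=$2; cluster=$3; shift 3
    secret_header "$name" "$ns" "$cluster"
    for kv in "$@"; do
        printf '  %s: %s\n' "${kv%%=*}" "$(b64_file "${kv#*=}")"
    done
}

# 32 random bytes, base64-encoded (assumed to match what `consul keygen` prints).
new_gossip_key() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d '\n'
}

# build_manifests CERTS_DIR OUT_DIR VAULT_CLUSTER_NAME NAMESPACE [true]
# Mirrors the apply.sh arguments above but writes one YAML file per secret
# into OUT_DIR instead of applying them.
build_manifests() {
    certs=$1; out=$2; cluster=$3; ns=$4; rotate=${5:-false}
    for f in consul.ca consul.crt consul.key vault.ca vault.crt vault.key; do
        [ -f "$certs/$f" ] || { echo "missing $certs/$f" >&2; return 1; }
    done
    for f in consul.ca consul.crt vault.ca vault.crt; do
        pem_has_cert "$certs/$f" || { echo "$f: no CERTIFICATE block" >&2; return 1; }
    done
    for f in consul.key vault.key; do
        pem_has_unencrypted_key "$certs/$f" || { echo "$f: missing or encrypted private key" >&2; return 1; }
    done
    mkdir -p "$out"
    render_secret vault-consul.ca  "$ns" "$cluster" ca.crt="$certs/consul.ca" > "$out/vault-consul.ca.yaml"
    render_secret vault-consul.tls "$ns" "$cluster" tls.crt="$certs/consul.crt" tls.key="$certs/consul.key" > "$out/vault-consul.tls.yaml"
    render_secret vault.ca  "$ns" "$cluster" ca.crt="$certs/vault.ca" > "$out/vault.ca.yaml"
    render_secret vault.tls "$ns" "$cluster" tls.crt="$certs/vault.crt" tls.key="$certs/vault.key" > "$out/vault.tls.yaml"
    # Only mint a gossip key when explicitly asked: rotating it under a running
    # cluster leaves Consul nodes with mismatched keys (see the warning above).
    if [ "$rotate" = true ]; then
        {
            secret_header gossip-key "$ns" "$cluster"
            printf '  key: %s\n' "$(new_gossip_key | base64 | tr -d '\n')"
        } > "$out/gossip-key.yaml"
    fi
}

# Usage: build_manifests ./certs ./manifests <vault_cluster_name> <namespace> [true]
#        kubectl apply -f ./manifests
```

The manifests are written to disk rather than piped straight into `kubectl` so that a reviewer can diff them against the live objects before replacing secrets on a cluster that is already serving traffic.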