This repository has been archived by the owner on Jan 25, 2023. It is now read-only.
I've taken a lot of good stuff from this module, but I don't understand how we can renew the certificates that Vault uses to communicate. My approach is very similar to the one used here: Create and provision a machine image using Packer and upload the pre-generated certificates.
Unfortunately, these certificates are bound to expire at some point, and setting that date to the year 9999 is probably bad practice. It's impossible to request these after joining the cluster since Vault uses HTTPS to communicate and refuses to do so without an agreed-upon certificate. How can we set up our clusters so that we don't have to recreate them entirely and make it possible for new instances to join an existing cluster?
Note: I'm not using AWS, but I've managed to translate this module over to my own provider quite well.
I'm not sure how you're monitoring your infrastructure, but assuming telegraf is used you could leverage the X509 Cert Input Plugin.
The workflow could be something like: request a new signed certificate from your Vault instance, back up the existing pki, overwrite the pki files, reload the Vault instance, then move on to the next once it's healthy.
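The rolling rotation sketched in the comment above, written out as an added shell script that is not part of the original thread or of this module. The file layout under `/opt/vault/tls`, the PKI role name `vault-server`, the node's common name, the 14-day threshold, and the presence of `vault` (with a `VAULT_TOKEN` allowed to call `pki/issue`), `jq`, `openssl`, `curl` and GNU `date` on the node are all assumptions. The expiry check plays the part the telegraf x509_cert plugin would play in monitoring; the rest follows the comment's order: back up, issue, overwrite, reload, wait for health, and roll back to the backup if the node does not come up.

```shell
#!/bin/sh
# Rolling TLS certificate rotation for one Vault node (added example; paths,
# role name and tooling are assumptions, not the module's own code).
# Assumes: vault CLI (VAULT_TOKEN able to call pki/issue), jq, openssl, curl,
# GNU date. Set ROTATE_RUN=1 to actually perform the rotation.
set -eu

VAULT_ADDR="${VAULT_ADDR:-https://127.0.0.1:8200}"
PKI_DIR="${PKI_DIR:-/opt/vault/tls}"          # assumed to hold vault.crt, vault.key, ca.crt
PKI_ROLE="${PKI_ROLE:-vault-server}"          # hypothetical role in Vault's pki engine
NODE_CN="${NODE_CN:-vault-node.example.internal}"   # placeholder common name
CERT_TTL="${CERT_TTL:-720h}"
ROTATE_BEFORE_DAYS="${ROTATE_BEFORE_DAYS:-14}"

# Days until the certificate file $1 expires (the value a cert-expiry monitor alerts on).
cert_days_left() {
  not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  expiry=$(date -d "$not_after" +%s)
  now=$(date +%s)
  echo $(( (expiry - now) / 86400 ))
}

# Exit 0 when $1 days left is at or below the $2-day threshold.
rotation_due() {
  [ "$1" -le "$2" ]
}

# Copy every file in pki dir $1 into a timestamped sibling directory; prints that path.
backup_pki() {
  dest="$1.bak.$(date +%Y%m%dT%H%M%S)"
  mkdir -p "$dest"
  cp -p "$1"/* "$dest"/
  echo "$dest"
}

# Ask Vault's PKI engine for a fresh key/cert pair for CN $1 and write it into dir $2.
issue_new_cert() {
  umask 077   # private key must not be world-readable
  json=$(vault write -format=json "pki/issue/$PKI_ROLE" common_name="$1" ttl="$CERT_TTL")
  printf '%s' "$json" | jq -r '.data.certificate' > "$2/vault.crt"
  printf '%s' "$json" | jq -r '.data.private_key' > "$2/vault.key"
  printf '%s' "$json" | jq -r '.data.issuing_ca'  > "$2/ca.crt"
}

# SIGHUP makes Vault re-read the listener's TLS certificate and key without a restart.
reload_vault() {
  pkill -HUP -x vault
}

# Poll the health endpoint (standby nodes count as healthy) for up to 60 seconds.
wait_healthy() {
  i=0
  while [ "$i" -lt 30 ]; do
    if curl -sf --cacert "$PKI_DIR/ca.crt" \
         "$VAULT_ADDR/v1/sys/health?standbyok=true" >/dev/null; then
      return 0
    fi
    i=$((i + 1))
    sleep 2
  done
  return 1
}

main() {
  days=$(cert_days_left "$PKI_DIR/vault.crt")
  if ! rotation_due "$days" "$ROTATE_BEFORE_DAYS"; then
    echo "certificate valid for $days more days; nothing to do"
    return 0
  fi
  backup=$(backup_pki "$PKI_DIR")
  staging=$(mktemp -d)
  issue_new_cert "$NODE_CN" "$staging"
  cp -p "$staging"/* "$PKI_DIR"/
  rm -rf "$staging"
  reload_vault
  if wait_healthy; then
    echo "rotated $NODE_CN; previous files kept in $backup"
  else
    echo "node unhealthy after reload, restoring $backup" >&2
    cp -p "$backup"/* "$PKI_DIR"/
    reload_vault
    return 1
  fi
}

if [ "${ROTATE_RUN:-0}" = 1 ]; then
  main "$@"
fi
```

Run it on one node at a time and only continue to the next after `wait_healthy` succeeds, as the comment suggests. This only covers renewing leaf certificates under a CA the other nodes already trust; if the CA itself is being replaced, every node needs the new CA bundle in `ca.crt` before any node starts presenting a certificate signed by it.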