# 06 — cert-reloader Sidecar Service (Prod)

## Context

Same service definition as test (see `test-env-setup/06-cert-reloader.md`).

Prod-specific consideration: Vault is single-instance on the manager node (same as SWAG), so the cert copy to `/opt/iklimco/ssl/` works without cross-node distribution. When Vault is expanded to a 3-node Raft cluster (see `07-vault-raft-plan.md`), the cert-reloader must be updated to distribute the cert to the other Vault nodes.

## Current behavior (single-Vault prod)

```
SWAG (manager) renews cert → swag-vl
cert-reloader (manager) detects change → copies to /opt/iklimco/ssl/ → reloads Vault
Vault (manager) reads /opt/iklimco/ssl/ → serves new cert
```

No cross-node distribution needed.

## Future behavior (3-node Vault Raft — see step 07)

When Vault runs on iklim-app-01, iklim-app-02, iklim-app-03:

```
cert-reloader detects cert change
  → copies cert to /opt/iklimco/ssl/ on iklim-app-01 (local)
  → SSH copy to iklim-app-02:/opt/iklimco/ssl/
  → SSH copy to iklim-app-03:/opt/iklimco/ssl/
  → docker service update --force iklimco_vault (restarts all 3 replicas)
```

This requires:

- An SSH key that cert-reloader can use to reach iklim-app-02 and iklim-app-03
- That key mounted as a Docker secret into cert-reloader
- A `known_hosts` file for iklim-app-02 and iklim-app-03 pre-configured

The script update for this phase is tracked in `07-vault-raft-plan.md`.

## Verification

```bash
docker service ps iklimco_cert-reloader
docker service logs iklimco_cert-reloader --tail 20
```

Expected: `[cert-reloader] started`, no error lines.

Confirm the Vault cert is current after a SWAG renewal:

```bash
# Check cert expiry on Vault's TLS endpoint from inside the overlay
docker exec $(docker ps -q -f name=iklimco_vault) \
  sh -c 'echo | openssl s_client -connect vault.iklim.co:8200 2>/dev/null \
    | openssl x509 -noout -dates'
```

`notAfter` should match the cert in `/opt/iklimco/ssl/STAR.iklim.co.full.crt`.
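For the 3-node phase described under "Future behavior" above, the following is an added sketch of the detect-and-distribute loop; it is not the project's own cert-reloader script. The SWAG source path, the secret file names under `/run/secrets/`, the `cert-reloader` remote user and the poll interval are assumptions; strict host-key checking against the pre-configured `known_hosts` is the point worth keeping.

```shell
#!/bin/sh
# Added example, not the project's cert-reloader script. Paths and names marked
# "assumed" are not from the runbook and must be adjusted to the real deployment.
set -eu

CERT_SRC="${CERT_SRC:-/config/etc/letsencrypt/live/iklim.co/fullchain.pem}"  # assumed SWAG path
CERT_DST="${CERT_DST:-/opt/iklimco/ssl/STAR.iklim.co.full.crt}"
REMOTE_NODES="${REMOTE_NODES:-iklim-app-02 iklim-app-03}"
SSH_KEY="${SSH_KEY:-/run/secrets/cert_reloader_ssh_key}"               # assumed secret name
KNOWN_HOSTS="${KNOWN_HOSTS:-/run/secrets/cert_reloader_known_hosts}"   # assumed secret name
STATE_FILE="${STATE_FILE:-/tmp/cert-reloader.last}"

# SHA-256 of a file; prints nothing if the file does not exist.
cert_fingerprint() {
  [ -f "$1" ] && sha256sum "$1" | cut -d' ' -f1 || true
}

# True (exit 0) when the source cert exists and differs from the last distributed one.
cert_changed() {
  cur=$(cert_fingerprint "$1")
  last=$( [ -f "$2" ] && cat "$2" || true )
  [ -n "$cur" ] && [ "$cur" != "$last" ]
}

# Local copy, then one scp per remote node with strict host-key checking
# (unknown or changed host keys abort instead of being accepted), then roll Vault.
distribute_cert() {
  install -m 0644 "$CERT_SRC" "$CERT_DST"
  for node in $REMOTE_NODES; do
    scp -i "$SSH_KEY" -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
      "$CERT_SRC" "cert-reloader@$node:$CERT_DST"
  done
  docker service update --force iklimco_vault
  cert_fingerprint "$CERT_SRC" > "$STATE_FILE"
}

main_loop() {
  echo "[cert-reloader] started"
  while :; do
    if cert_changed "$CERT_SRC" "$STATE_FILE"; then
      echo "[cert-reloader] cert change detected, distributing"
      distribute_cert
    fi
    sleep "${CHECK_INTERVAL:-300}"
  done
}

# Only loop when explicitly asked, so the functions can be sourced and checked.
if [ "${CERT_RELOADER_RUN:-0}" = 1 ]; then main_loop; fi
```

Run with `CERT_RELOADER_RUN=1` inside the sidecar; the functions can be sourced on their own to check the change detection against temporary files.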