# 06 — Certificate Renewal and Vault Reload Flow (Prod)

## Context

The production certificate flow is implemented by the current infra stack, cert services, and Vault stack.

## Current Flow

```text
SWAG renews the certificate inside its persistent config volume
cert-reloader detects the MD5 change
  -> copies STAR.iklim.co.full.crt and STAR.iklim.co_key.pem to /mnt/storagebox/ssl
cert-distributor syncs those files to /opt/iklimco/ssl on service nodes
  -> forces iklimco_vault to restart
Vault reads /opt/iklimco/ssl through /vault/certs
Vault entrypoint retry-unseal loop reads vault_unseal_key and unseals each replica
```

No SSH certificate distribution is required in prod.

## Vault Unseal Model

Vault auto-unseal is no longer implemented by the old Docker healthcheck snippet from the prod roadmap. The current `docker-stack-vault.yml` and the Vault entrypoint logic handle retry-unseal using the `vault_unseal_key` Docker secret.

The `vault_unseal_key` secret is created/rotated by `init/vault/vault-bootstrap.sh` during bootstrap.

## Verification

```bash
docker service ps iklimco_cert-reloader
docker service ps iklimco_cert-distributor
docker service logs iklimco_cert-reloader --tail 20
docker service ps iklimco_vault
```

Expected:

- `cert-reloader` is running.
- `cert-distributor` is running.
- Vault service restarts cleanly after certificate renewal.
- Vault remains unsealed.

Confirm Vault sees the current certificate:

```bash
docker exec $(docker ps -q -f name=iklimco_vault | head -1) \
  sh -c 'echo | openssl s_client -connect vault.iklim.co:8200 2>/dev/null | openssl x509 -noout -dates'
```

`notAfter` should match the certificate distributed through `/opt/iklimco/ssl`.

## Historical / Superseded Setup

The earlier plan that said "service definition is identical to test" and relied on a Vault healthcheck command is superseded. Prod now has a separate Vault stack, cert-distributor, and retry-unseal behavior.
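The cert-reloader step of the Current Flow above (MD5 change detection, then publishing the cert/key pair for cert-distributor to sync), written out as an added POSIX sh example; this is not the stack's own cert-reloader code. The file names and the downstream restart match the flow description; the state file, the atomic temp-then-rename copy, the refusal to publish an incomplete pair, and the `RESTART_CMD` hook (in prod something like `docker service update --force iklimco_vault`) are assumptions of this example.

```shell
# Hypothetical cert-reloader logic: publish the renewed pair only when the cert's
# MD5 changed, atomically, then run the downstream hook (prod: force vault restart).
CERT_NAME="STAR.iklim.co.full.crt"
KEY_NAME="STAR.iklim.co_key.pem"

# cert_fingerprint FILE -> prints the md5 of FILE (empty when the file is missing)
cert_fingerprint() {
    [ -f "$1" ] || { echo ""; return 0; }
    md5sum "$1" | cut -d' ' -f1
}

# publish_if_changed SRC_DIR DST_DIR STATE_FILE [RESTART_CMD]
# exit status: 0 = pair published and hook run, 1 = unchanged (no-op),
#              2 = cert or key missing in SRC_DIR, 3 = copy failed
publish_if_changed() {
    src="$1"; dst="$2"; state="$3"; restart_cmd="${4:-true}"
    cert="$src/$CERT_NAME"; key="$src/$KEY_NAME"
    # Never publish a cert without its key (or vice versa): a half pair would
    # leave Vault unable to come back after the forced restart.
    [ -f "$cert" ] && [ -f "$key" ] || return 2
    current=$(cert_fingerprint "$cert")
    previous=$(cat "$state" 2>/dev/null || echo "")
    [ "$current" != "$previous" ] || return 1
    mkdir -p "$dst"
    # Copy under temp names, then rename: cert-distributor never syncs a partial file.
    cp "$cert" "$dst/.$CERT_NAME.tmp" && cp "$key" "$dst/.$KEY_NAME.tmp" || return 3
    chmod 0644 "$dst/.$CERT_NAME.tmp"
    chmod 0600 "$dst/.$KEY_NAME.tmp"
    mv "$dst/.$CERT_NAME.tmp" "$dst/$CERT_NAME"
    mv "$dst/.$KEY_NAME.tmp" "$dst/$KEY_NAME"
    # Record the fingerprint only after the whole pair is in place, so a crash
    # between the copies is retried on the next run instead of being forgotten.
    printf '%s\n' "$current" > "$state"
    $restart_cmd
}
```

Run it from a loop or timer against the SWAG config volume as SRC_DIR and `/mnt/storagebox/ssl` as DST_DIR; an unchanged certificate costs one `md5sum` and triggers no restart.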