Murat ÖZDEMİR 67f4c10c93 docs(roadmap): update various roadmap docs to align with latest infrastructure setup
- Synchronized swarm initialization, pipeline update, and certificate reloader instructions with the new monolithic stack logic and Ansible roles.
2026-06-15 16:48:04 +03:00


06 — Certificate Renewal and Vault Reload Flow (Prod)

Context

The production certificate flow is implemented in the current infra stack and setup runbooks. See ../../setup/09-prod-runner-ha-and-swarm.md.

Current Flow

SWAG renews the certificate inside its persistent config volume
cert-reloader detects the MD5 change
  -> copies STAR.iklim.co.full.crt and STAR.iklim.co_key.pem to /mnt/storagebox/ssl
cert-distributor syncs those files to /opt/iklimco/ssl on service nodes
  -> forces iklimco_vault to restart
Vault reads /opt/iklimco/ssl through /vault/certs
Vault entrypoint retry-unseal loop reads vault_unseal_key and unseals each replica

No SSH certificate distribution is required in prod.
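The detection step the cert-reloader performs (hash the certificate pair, copy only on change) sketched as an added shell example. This is not the project's cert-reloader: the file names are taken from the flow above, while the source, destination and state-file paths are arguments the caller supplies.

```shell
#!/bin/sh
# Added example, not the project's cert-reloader: copies the certificate pair to the
# distribution directory only when their combined MD5 digest changes, writing each
# file atomically so a consumer never reads a half-written cert or key.
set -eu

# One digest over both files, so a cert-only or key-only change is caught.
cert_digest() {
  # $1 = source dir, $2 = cert file name, $3 = key file name
  cat "$1/$2" "$1/$3" | md5sum | cut -d' ' -f1
}

# Write to a temp name in the same directory, then rename into place (atomic on POSIX).
atomic_copy() {
  # $1 = source path, $2 = destination path
  cp "$1" "$2.tmp.$$"
  mv -f "$2.tmp.$$" "$2"
}

# Returns 0 when the pair changed and was distributed, 1 when nothing changed.
reload_if_changed() {
  # $1 = source dir (SWAG volume), $2 = destination dir, $3 = state file with last digest
  src=$1; dst=$2; state=$3
  cert=STAR.iklim.co.full.crt; key=STAR.iklim.co_key.pem
  new=$(cert_digest "$src" "$cert" "$key")
  old=$(cat "$state" 2>/dev/null || true)
  [ "$new" = "$old" ] && return 1
  mkdir -p "$dst"
  atomic_copy "$src/$cert" "$dst/$cert"
  atomic_copy "$src/$key" "$dst/$key"
  chmod 0600 "$dst/$key"          # private key must not be world-readable on the node
  printf '%s\n' "$new" > "$state"
  return 0
}
```

Run it from a loop or timer with the SWAG config volume as the source; a zero exit is the signal that downstream consumers (the distributor, then Vault) need to pick up new files.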

Vault Unseal Model

Vault auto-unseal is no longer implemented by the old Docker healthcheck snippet from the prod roadmap. The current docker-stack-vault.yml and the Vault entrypoint logic handle retry-unseal using the vault_unseal_key Docker secret.

The vault_unseal_key secret is created/rotated by init/vault/vault-bootstrap.sh during bootstrap.

Verification

docker service ps iklimco_cert-reloader
docker service ps iklimco_cert-distributor
docker service logs iklimco_cert-reloader --tail 20
docker service ps iklimco_vault

Expected:

  • cert-reloader is running.
  • cert-distributor is running.
  • Vault service restarts cleanly after certificate renewal.
  • Vault remains unsealed.

Confirm Vault sees the current certificate:

docker exec $(docker ps -q -f name=iklimco_vault | head -1) \
  sh -c 'echo | openssl s_client -connect vault.iklim.co:8200 2>/dev/null | openssl x509 -noout -dates'

notAfter should match the certificate distributed through /opt/iklimco/ssl.

Historical / Superseded by Setup

The earlier plan that said “service definition is identical to test” and relied on a Vault healthcheck command is superseded. Prod now has a separate Vault stack, cert-distributor, and retry-unseal behavior.