Murat ÖZDEMİR 67f4c10c93 docs(roadmap): update various roadmap docs to align with latest infrastructure setup
- Synchronized swarm initialization, pipeline update, and certificate reloader instructions with the new monolithic stack logic and Ansible roles.
2026-06-15 16:48:04 +03:00


# 06 — Certificate Renewal and Vault Reload Flow (Prod)
## Context
The production certificate flow is implemented in the current infra stack and setup runbooks. See `../../setup/09-prod-runner-ha-and-swarm.md`.
## Current Flow
```text
SWAG renews the certificate inside its persistent config volume
cert-reloader detects the MD5 change
-> copies STAR.iklim.co.full.crt and STAR.iklim.co_key.pem to /mnt/storagebox/ssl
cert-distributor syncs those files to /opt/iklimco/ssl on service nodes
-> forces iklimco_vault to restart
Vault reads /opt/iklimco/ssl through /vault/certs
Vault entrypoint retry-unseal loop reads vault_unseal_key and unseals each replica
```
No SSH certificate distribution is required in prod.
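The detect-and-copy step of the flow above, as an added example that is not the project's cert-reloader code: a shell function that fingerprints the certificate pair, copies it only when the fingerprint has changed, and stages each file under a temporary name so a consumer such as Vault never reads a half-written key. It assumes GNU coreutils (`md5sum`, `mktemp`, `cut`); the source pair, destination directory and state file are parameters, and the file names used below are constructed.

```shell
# Added example (not the project's cert-reloader): MD5 change detection and
# atomic copy of a renewed certificate pair, as in the flow above.
# Assumes GNU coreutils (md5sum, mktemp, cut). All paths are parameters.
set -eu

# One MD5 over both files, so a change in either the cert or the key is seen.
# MD5 is only a change detector here, not an integrity check against tampering.
cert_fingerprint() {
  cat -- "$1" "$2" | md5sum | cut -d' ' -f1
}

# Copy cert and key into dst_dir only when the fingerprint differs from the one
# recorded in state_file. Returns 0 when files were copied, 1 when unchanged,
# 2 when the pair is incomplete (the renewer has not written both files yet).
# Each file is staged under a temporary name and renamed into place, so a
# reader never opens a partially written file; the key stays owner-only.
sync_if_changed() {
  local cert="$1" key="$2" dst_dir="$3" state_file="$4"
  local current previous="" tmp

  # Never distribute half a pair: a cert without its key would break the TLS listener.
  [ -r "$cert" ] && [ -r "$key" ] || return 2

  current="$(cert_fingerprint "$cert" "$key")"
  if [ -f "$state_file" ]; then
    previous="$(cat -- "$state_file")"
  fi
  [ "$current" = "$previous" ] && return 1

  mkdir -p -- "$dst_dir"

  tmp="$(mktemp -- "$dst_dir/.cert.XXXXXX")"
  cp -- "$cert" "$tmp"
  chmod 644 "$tmp"                      # public certificate, world-readable
  mv -f -- "$tmp" "$dst_dir/$(basename -- "$cert")"

  tmp="$(mktemp -- "$dst_dir/.key.XXXXXX")"
  cp -- "$key" "$tmp"
  chmod 600 "$tmp"                      # private key, owner-readable only
  mv -f -- "$tmp" "$dst_dir/$(basename -- "$key")"

  # Record the fingerprint only after both files are in place.
  printf '%s\n' "$current" > "$state_file"
  return 0
}
```

A return of 0 is the point at which the distributor sync and the Vault restart in the flow above would be triggered.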
## Vault Unseal Model
Vault auto-unseal is no longer implemented through the old Docker healthcheck snippet from the prod roadmap. The current `docker-stack-vault.yml` and Vault entrypoint logic handle retry-unseal with the `vault_unseal_key` Docker secret.
The `vault_unseal_key` secret is created/rotated by `init/vault/vault-bootstrap.sh` during bootstrap.
## Verification
```bash
docker service ps iklimco_cert-reloader
docker service ps iklimco_cert-distributor
docker service logs iklimco_cert-reloader --tail 20
docker service ps iklimco_vault
```
Expected:
- `cert-reloader` is running.
- `cert-distributor` is running.
- Vault service restarts cleanly after certificate renewal.
- Vault remains unsealed.

Confirm Vault sees the current certificate:
```bash
docker exec $(docker ps -q -f name=iklimco_vault | head -1) \
sh -c 'echo | openssl s_client -connect vault.iklim.co:8200 2>/dev/null | openssl x509 -noout -dates'
```
`notAfter` should match the certificate distributed through `/opt/iklimco/ssl`.
## Historical / Superseded by Setup
The earlier plan that said “service definition is identical to test” and relied on a Vault healthcheck command is superseded. Prod now has a separate Vault stack, cert-distributor, and retry-unseal behavior.