Murat ÖZDEMİR 67f4c10c93 docs(roadmap): update various roadmap docs to align with latest infrastructure setup
- Synchronized swarm initialization, pipeline update, and certificate reloader instructions with the new monolithic stack logic and Ansible roles.
2026-06-15 16:48:04 +03:00


06 — cert-reloader Sidecar Service (Test)

Context

  • Purpose: Watches SWAG's certificate volume for changes; copies renewed certs to /opt/iklimco/ssl/ on the host; forces Vault to reload its TLS cert.
  • Replaces: ops/vault-reload-after-swag-renewal.sh (which was designed for manual use). The sidecar automates this after every SWAG renewal.
  • Runs on: manager node (same node as SWAG and Vault, ensuring volume + socket access).

How it works

SWAG renews cert
  → writes new fullchain.pem to swag-vl:/config/etc/letsencrypt/live/iklim.co/
cert-reloader wakes every 3600s
  → detects MD5 change on fullchain.pem
  → copies fullchain.pem + privkey.pem to /opt/iklimco/ssl/ (host bind mount)
  → docker service update --force iklimco_vault
Vault restarts
  → reads new cert from /opt/iklimco/ssl/ (already mounted as /vault/certs)
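The loop sketched above, as an added example of what the sidecar's watch script can look like; this is not the project's own cert-reloader code. Paths, the state-file location and the CERT_RELOADER_RUN guard are assumptions; the target filenames and the reload command are the ones this page uses.

```shell
#!/bin/sh
# Added example of a cert-reloader watch loop; not the project's own script.
# Hypothetical: SWAG live dir, host bind mount, and a state file for the last MD5.
SWAG_LIVE="${SWAG_LIVE:-/config/etc/letsencrypt/live/iklim.co}"
SSL_DIR="${SSL_DIR:-/opt/iklimco/ssl}"
STATE="${STATE:-/var/lib/cert-reloader/last.md5}"
INTERVAL="${INTERVAL:-3600}"
# Command that makes Vault re-read its certs; overridable so it can be tested.
RELOAD_CMD="${RELOAD_CMD:-docker service update --force iklimco_vault}"

# MD5 of the live fullchain.pem; prints nothing while SWAG has no cert yet.
fingerprint() {
  [ -f "$SWAG_LIVE/fullchain.pem" ] || return 0
  md5sum "$SWAG_LIVE/fullchain.pem" | cut -d' ' -f1
}

# Exit 0 only when a cert exists and differs from the one last copied.
cert_changed() {
  cur=$(fingerprint)
  [ -n "$cur" ] || return 1          # bootstrap cert still in use
  last=$(cat "$STATE" 2>/dev/null || true)
  [ "$cur" != "$last" ]
}

# Copy cert and key via temp file + rename so Vault never sees a partial
# file, record the fingerprint, then force the Vault service to restart.
sync_certs() {
  mkdir -p "$SSL_DIR" "$(dirname "$STATE")"
  cp "$SWAG_LIVE/fullchain.pem" "$SSL_DIR/.full.tmp" &&
    mv "$SSL_DIR/.full.tmp" "$SSL_DIR/STAR.iklim.co.full.crt"
  # Key keeps cp's default mode: Vault's uid must still be able to read it.
  cp "$SWAG_LIVE/privkey.pem" "$SSL_DIR/.key.tmp" &&
    mv "$SSL_DIR/.key.tmp" "$SSL_DIR/STAR.iklim.co_key.pem"
  fingerprint > "$STATE"
  echo "[cert-reloader] fullchain.pem changed, reloading Vault"
  $RELOAD_CMD
}

# One iteration: returns 0 if a reload was triggered, 1 if nothing changed.
check_once() {
  cert_changed || return 1
  sync_certs
}

# Run the loop only when started as the container command (CERT_RELOADER_RUN=1).
if [ "${CERT_RELOADER_RUN:-0}" = 1 ]; then
  echo "[cert-reloader] started"
  while :; do check_once || true; sleep "$INTERVAL"; done
fi
```

Because the state file survives across iterations, a restart of the sidecar does not re-trigger a Vault reload for a cert it has already copied.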

Step 1 — Service definition (already in 03-infra-stack-changes.md)

The cert-reloader service is added to docker-stack-infra.yml as documented in step 03. No separate action needed here beyond that file change.

Step 2 — Ensure /opt/iklimco/ssl/ exists on the host

The Prepare Init Files step in the pipeline already creates this directory and copies the initial cert. The cert-reloader handles subsequent renewals.

On first deploy, the bootstrap cert (copied during pipeline init) is used until SWAG obtains its first Let's Encrypt cert (see 07-deploy-pipeline-update.md).

Step 3 — Verify cert-reloader is running

docker service ps iklimco_cert-reloader
docker service logs iklimco_cert-reloader --tail 20

Expected log on startup:

[cert-reloader] started

Step 4 — Trigger a manual test (optional, for verification)

Force a cert copy and Vault reload without waiting for renewal:

SWAG_VOL=$(docker volume inspect iklimco_swag-vl --format '{{.Mountpoint}}')
CERT="$SWAG_VOL/etc/letsencrypt/live/iklim.co/fullchain.pem"

if [ -f "$CERT" ]; then
  cp "$CERT" /opt/iklimco/ssl/STAR.iklim.co.full.crt
  KEYF="$SWAG_VOL/etc/letsencrypt/live/iklim.co/privkey.pem"
  cp "$KEYF" /opt/iklimco/ssl/STAR.iklim.co_key.pem
  docker service update --force iklimco_vault
  echo "✅ Manual reload triggered"
else
  echo "⚠️  Cert not yet obtained by SWAG"
fi

Notes

  • Docker socket (/var/run/docker.sock) is mounted into cert-reloader — this is intentional and necessary. The service is pinned to manager and is minimal (docker:27-cli image).
  • cert-reloader checks every 3600s (1 hour). Let's Encrypt certs renew every ~60 days; the 1-hour check window is more than sufficient.
  • If Vault restarts after a cert reload, it may need to be unsealed again. Vault's healthcheck in docker-stack-infra.yml already handles auto-unseal via the vault_unseal_key Docker secret; verify that this works after a cert reload.

Future — Multi-node Vault (prod)

Production no longer requires SSH-copy based certificate distribution. The current prod model uses StorageBox plus cert-distributor to sync certificates to /opt/iklimco/ssl on service nodes. See ../prod-env/06-cert-reloader.md.