Murat ÖZDEMİR 8875af8e8a docs: fix roadmap and setup reference direction
Remove setup runbook references from prod roadmap docs so roadmap remains design intent only. Keep setup-to-roadmap links, but normalize them to explicit relative paths.
2026-06-15 19:57:21 +03:00

06 — Certificate Renewal and Vault Reload Flow (Prod)

Context

The production certificate flow is implemented by the current infra stack, cert services, and Vault stack.

Current Flow

SWAG renews the certificate inside its persistent config volume
cert-reloader detects the MD5 change
  -> copies STAR.iklim.co.full.crt and STAR.iklim.co_key.pem to /mnt/storagebox/ssl
cert-distributor syncs those files to /opt/iklimco/ssl on service nodes
  -> forces iklimco_vault to restart
Vault reads /opt/iklimco/ssl through /vault/certs
Vault entrypoint retry-unseal loop reads vault_unseal_key and unseals each replica

No SSH certificate distribution is required in prod.

Vault Unseal Model

Vault auto-unseal is no longer implemented by the old Docker healthcheck snippet from the prod roadmap. The current docker-stack-vault.yml and the Vault entrypoint logic handle retry-unseal using the vault_unseal_key Docker secret.

The vault_unseal_key secret is created/rotated by init/vault/vault-bootstrap.sh during bootstrap.

Verification

docker service ps iklimco_cert-reloader
docker service ps iklimco_cert-distributor
docker service logs iklimco_cert-reloader --tail 20
docker service ps iklimco_vault

Expected:

  • cert-reloader is running.
  • cert-distributor is running.
  • Vault service restarts cleanly after certificate renewal.
  • Vault remains unsealed.

Confirm Vault sees the current certificate:

docker exec $(docker ps -q -f name=iklimco_vault | head -1) \
  sh -c 'echo | openssl s_client -connect vault.iklim.co:8200 2>/dev/null | openssl x509 -noout -dates'

notAfter should match the certificate distributed through /opt/iklimco/ssl.
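The same comparison as a script, added here as an example and not part of the iklimco repo: it runs the openssl pipeline above against vault.iklim.co:8200 and against the distributed file, then compares fingerprint and notAfter so a Vault replica that restarted without picking up the new certificate is flagged, not just one with a wrong date. Paths and the endpoint come from this runbook; the script assumes openssl is in PATH on the host it runs from.

```python
import subprocess
from datetime import datetime, timezone

# Paths and endpoint taken from the runbook above; the script itself is hypothetical.
CERT_FILE = "/opt/iklimco/ssl/STAR.iklim.co.full.crt"
VAULT_ADDR = "vault.iklim.co:8200"
OPENSSL_X509 = ["openssl", "x509", "-noout", "-dates", "-fingerprint", "-sha256"]


def parse_x509(text: str) -> dict:
    """Parse `openssl x509 -noout -dates -fingerprint -sha256` output."""
    info = {}
    for line in text.splitlines():
        key, _, val = line.strip().partition("=")
        if key in ("notBefore", "notAfter"):
            # openssl prints e.g. "Aug 30 00:00:00 2026 GMT"
            info[key] = datetime.strptime(val, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
        elif key.endswith("Fingerprint"):
            info["fingerprint"] = val
    return info


def findings(served: dict, on_disk: dict, now: datetime = None, min_days: int = 14) -> list:
    """Return human-readable problems; an empty list means the reload is consistent."""
    now = now or datetime.now(timezone.utc)
    out = []
    if served.get("fingerprint") != on_disk.get("fingerprint"):
        out.append("fingerprint mismatch: Vault has not reloaded the distributed certificate")
    if served["notAfter"] < on_disk["notAfter"]:
        out.append("Vault serves an older certificate than the one in /opt/iklimco/ssl")
    days_left = (served["notAfter"] - now).days
    if days_left < min_days:
        out.append(f"served certificate expires in {days_left} days")
    return out


def x509_from_file(path: str) -> dict:
    return parse_x509(subprocess.run(OPENSSL_X509 + ["-in", path],
                                     capture_output=True, text=True, check=True).stdout)


def x509_from_endpoint(addr: str) -> dict:
    # Same as the `echo | openssl s_client ... | openssl x509` pipeline in the runbook
    pem = subprocess.run(["openssl", "s_client", "-connect", addr], input="",
                         capture_output=True, text=True).stdout
    return parse_x509(subprocess.run(OPENSSL_X509, input=pem,
                                     capture_output=True, text=True, check=True).stdout)


if __name__ == "__main__":
    for problem in findings(x509_from_endpoint(VAULT_ADDR), x509_from_file(CERT_FILE)) or ["OK"]:
        print(problem)
```

Run it on a service node after cert-distributor has synced; any line other than OK means the reload chain did not complete.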

Historical / Superseded by Setup

The earlier plan that said “service definition is identical to test” and relied on a Vault healthcheck command is superseded. Prod now has a separate Vault stack, cert-distributor, and retry-unseal behavior.