Rotating Server Certificates

As of Consul Helm version 0.29.0, if TLS is enabled, new TLS certificates for the Consul Server are issued every time the Helm chart is upgraded. These certificates are signed by the same CA and will continue to work as expected in the existing cluster.

Consul servers read the certificates from Kubernetes secrets during start-up and keep them in memory. In order to ensure the servers use the newer certificate, the server pods need to be restarted explicitly in a situation where helm upgrade does not restart the server pods.

To explicitly perform server certificate rotation, follow these steps:

  1. Perform a helm upgrade:

    1. $ helm upgrade consul hashicorp/consul --values /path/to/my/values.yaml
    1. $ helm upgrade consul hashicorp/consul --values /path/to/my/values.yaml

    This should run the tls-init job that will generate new Server certificates.

  2. Restart the Server pods following the steps here.