Add docs for TLS Server Certificate rotation for K8S (#9636)

* Add docs for TLS Server Certificate rotation for K8s
4 years ago · 3da918089d
2 changed files with 29 additions and 1 deletions
--- a/website/content/docs/k8s/operations/certificate-rotation.mdx
+++ b/website/content/docs/k8s/operations/certificate-rotation.mdx
@ -0,0 +1,28 @@
+---
+layout: docs
+page_title: Certificate Rotation
+sidebar_title: Certificate Rotation
+description: Rotate Certificate on Kubernetes Cluster safely
+---
+
+# Rotating Server Certificates
+
+As of Consul Helm version `0.29.0`, if TLS is enabled, new TLS certificates for the Consul Server
+are issued every time the Helm chart is upgraded. These certificates are signed by the same CA and will
+continue to work as expected in the existing cluster.
+
+Consul servers read the certificates from Kubernetes secrets during start-up and keep them in memory. In order to ensure the
+servers use the newer certificate, the server pods need to be [restarted explicitly](/docs/k8s/operations/upgrade#upgrading-consul-servers) in
+a situation where `helm upgrade` does not restart the server pods.
+
+To explicitly perform server certificate rotation, follow these steps:
+
+1. Perform a `helm upgrade`:
+
+   ```shell-session
+   helm upgrade consul hashicorp/consul -f /path/to/my/values.yaml
+   ```
+
+   This should run the `tls-init` job that will generate new Server certificates.
+
+1. Restart the Server pods following the steps [here](/docs/k8s/operations/upgrade#upgrading-consul-servers).
--- a/website/data/docs-navigation.js
+++ b/website/data/docs-navigation.js
@ -193,7 +193,7 @@ export default [
      {
        category: 'operations',
        name: 'Operations',
-        content: ['uninstall', 'tls-on-existing-cluster'],
+        content: ['uninstall', 'certificate-rotation', 'tls-on-existing-cluster'],
      },
      {
        name: 'Troubleshoot',