Open karelorigin opened 2 years ago
I'm not sure how you're monitoring your infrastructure, but assuming telegraf is used, you could leverage the X509 Cert Input Plugin.
The workflow could be something like: request a new signed certificate from your Vault instance, back up the existing pki, overwrite the pki files, reload the Vault instance, then move on to the next once it's healthy.
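The rolling rotation the comment above sketches, as an added example that is not code from this thread or from the module being discussed. The PKI role path, certificate directory, CA file, node names and the `vault.service` reload hook are all assumptions; Vault does re-read its listener certificate and key on SIGHUP, which is what the `systemctl reload` relies on.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the module): roll a fresh listener
# cert onto each Vault node in turn: issue, back up, overwrite, reload, wait.
# Assumptions (hypothetical): VAULT_ADDR/VAULT_TOKEN point at a healthy node,
# a PKI role exists at pki/issue/vault-server, certs live in /opt/vault/tls,
# ssh+sudo works, and vault.service's ExecReload sends SIGHUP to Vault.
set -eu

PKI_PATH="pki/issue/vault-server"   # assumed PKI mount and role
CERT_DIR="/opt/vault/tls"           # assumed cert/key directory on each node
CA_FILE="/etc/ssl/vault-ca.pem"     # assumed local copy of the issuing CA
RENEW_BEFORE_DAYS=30                # rotate when expiry is this close
NODES="vault-1.internal vault-2.internal vault-3.internal"   # constructed

# sys/health: 200 = unsealed active, 429 = unsealed standby; else not ready.
health_ok() { case "$1" in 200|429) return 0 ;; *) return 1 ;; esac; }
# Whole days between a notAfter epoch and a "now" epoch (negative if expired).
days_left() { echo $(( ($1 - $2) / 86400 )); }
# True when the days left are at or below the renewal threshold.
needs_rotation() { [ "$1" -le "$2" ]; }
# notAfter of a PEM cert on stdin as epoch seconds (needs openssl + GNU date).
cert_not_after() { date -d "$(openssl x509 -noout -enddate | cut -d= -f2)" +%s; }
# Poll a node's health endpoint for up to ~60 s before moving on.
wait_healthy() {
  i=0
  while [ "$i" -lt 30 ]; do
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$CA_FILE" \
           "https://$1:8200/v1/sys/health" || echo 000)
    health_ok "$code" && return 0
    i=$((i + 1)); sleep 2
  done
  return 1
}
# Issue from Vault's PKI, back up the old files, install, reload, verify.
rotate_node() {
  json=$(vault write -format=json "$PKI_PATH" common_name="$1" ttl=720h)
  ssh "$1" "sudo cp -a $CERT_DIR $CERT_DIR.bak.$(date +%s)"
  printf '%s' "$json" | jq -r .data.certificate | ssh "$1" "sudo tee $CERT_DIR/vault.crt >/dev/null"
  printf '%s' "$json" | jq -r .data.private_key | ssh "$1" "sudo tee $CERT_DIR/vault.key >/dev/null"
  ssh "$1" "sudo systemctl reload vault"
  wait_healthy "$1"   # set -e aborts the roll if this node does not come back
}
# Set ROTATE_NOW=1 to act; otherwise the file only defines the functions.
if [ -n "${ROTATE_NOW:-}" ]; then
  for n in $NODES; do
    left=$(days_left "$(ssh "$n" "cat $CERT_DIR/vault.crt" | cert_not_after)" "$(date +%s)")
    needs_rotation "$left" "$RENEW_BEFORE_DAYS" && rotate_node "$n"
  done
fi
```

Because each node is reloaded and health-checked before the next one is touched, quorum is never lost during the roll, and the backup directory lets a node be rolled back by hand if the new certificate is rejected.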
I've taken a lot of good stuff from this module, but I don't understand how we can renew the certificates that Vault uses to communicate. My approach is very similar to the one used here: Create and provision a machine image using Packer and upload the pre-generated certificates.
Unfortunately, these certificates are bound to expire at some point, and setting that date to the year 9999 is probably bad practice. It's impossible to request these after joining the cluster since Vault uses HTTPS to communicate and refuses to do so without an agreed-upon certificate. How can we set up our clusters so that we don't have to recreate them entirely and make it possible for new instances to join an existing cluster?
Note: I'm not using AWS, but I've managed to translate this module over to my own provider quite well.