Commit

Merge pull request #5 from danielehc/dc/encryption
Encryption DOCs change and revamp
boruszak authored Jan 2, 2025
2 parents 430aa56 + 4b1e780 commit 449b423
Showing 9 changed files with 77 additions and 48 deletions.
2 changes: 1 addition & 1 deletion website/content/docs/secure/encryption/index.mdx
@@ -51,4 +51,4 @@ You can configure mTLS encryption for each protocol separately using the followi
- [`tls.https`](/consul/docs/agent/config/config-files#tls_https) provides settings for the HTTP/HTTPS interface.
- [`tls.grpc`](/consul/docs/agent/config/config-files#tls_grpc) provides settings for the gRPC/xDS interface.

To learn more about enabling mTLS on your Consul datacenter, refer to [Manage mTLS encryption](/consul/docs/security/encryption/mTLS).
To learn more about enabling mTLS on your Consul datacenter, refer to [Manage mTLS encryption](/consul/docs/secure/encryption/mtls).
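Review bot: the retargeted link now points at `/consul/docs/secure/encryption/mtls`, which matches the `secure/encryption/mtls` entry this PR adds to the nav, but the replaced URL `/consul/docs/security/encryption/mTLS` differs in both path segment and case (`mTLS` vs `mtls`), so confirm a redirect covers the old path exactly as written; otherwise existing bookmarks and external links to the capitalised URL will break.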
@@ -370,36 +370,6 @@ $ systemctl start consul

Your client agents now communicate using mutual TLS encryption.

## Rotate TLS certificates

To maintain the security offered by TLS encryption, we recommend that you rotate TLS certificates often.

TLS certificates are part of [Consul's reloadable configuration](/consul/docs/agent/config#reloadable-configuration), so you do not need to restart the Consul agents when you renew certificates. As a result, there is no risk of downtime.

To rotate certificates for Consul server agents complete the following steps:
1. [Generate new certificates for all server agents](/consul/docs/security/encryption/mtls#create-server-certificates) to replace the old ones.
1. Distribute the new certificates to the server nodes.
1. Reload Consul configuration on each server with the `consul reload` command.

To rotate certificates for Consul client agents complete the following steps:

<Tabs>
<Tab heading="Auto-encryption method" group="auto">

When using the auto-encryption method, Consul automatically rotates the client certificates without operator intervention.

</Tab>

<Tab heading="Operator method" group="manual">

1. [Generate new certificates for all client agents](/consul/docs/security/encryption/mtls#configure-client-agents) to replace the old ones.
1. Distribute the new certificates to the client nodes.
1. Reload Consul configuration on all clients with `consul reload` command.

</Tab>

</Tabs>

## API, CLI, and UI interactions

The configuration snippets provided in this page are valid to configure complete mTLS for your Consul datacenter. This means that all interfaces require the client to provide a valid certificate in order to communicate with the Consul agent. This is valid for all requests, API, CLI, and UI.
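Review bot: the hunk removes the whole `## Rotate TLS certificates` section (server steps, client steps, and the auto-encryption vs. operator-method tabs) but leaves no pointer from `Your client agents now communicate using mutual TLS encryption.` to where rotation now lives, so a reader who has just enabled mTLS on this page loses the natural next step; suggest one sentence before `## API, CLI, and UI interactions`, e.g. `To rotate certificates later, refer to Rotate TLS certificates.`, linking to the new rotate page. Note also that the removed steps linked to `/consul/docs/security/encryption/mtls#create-server-certificates` and `#configure-client-agents`, the pre-migration path, so wherever this content is re-homed the links should use the `secure/` path the rest of this PR adopts.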
@@ -25,4 +25,4 @@ To explicitly perform server certificate rotation, follow these steps:

This should run the `tls-init` job that will generate new Server certificates.

1. Restart the Server pods following the steps [here](/consul/docs/k8s/upgrade#upgrading-consul-servers).
1. Restart the Server pods following the steps [here](/consul/docs/upgrade/k8s#upgrade-consul-servers).
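Review bot: the fragment changes from `#upgrading-consul-servers` to `#upgrade-consul-servers` along with the page path, so confirm the heading on `/consul/docs/upgrade/k8s` actually renders that anchor; a stale fragment fails silently (the page loads, the jump does not). While this line is being touched, `following the steps [here]` is non-descriptive link text; suggest `following the steps in [Upgrade Consul servers](/consul/docs/upgrade/k8s#upgrade-consul-servers)`.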
40 changes: 40 additions & 0 deletions website/content/docs/secure/encryption/tls/rotate/vm.mdx
@@ -0,0 +1,40 @@
---
layout: docs
page_title: Rotate TLS Certificates for Consul on Virtual machines (VMs)
description: >-
Learn how to manually rotate Consul TLS certificates for server and client agents.
---

# Rotate TLS Certificates for Consul on Virtual machines (VMs)

To maintain the security offered by TLS encryption, we recommend that you rotate TLS certificates often.

TLS certificates are part of [Consul's reloadable configuration](/consul/docs/agent/config#reloadable-configuration), so you do not need to restart the Consul agents when you renew certificates. As a result, there is no risk of downtime.

## Rotate certificates for Consul server agents

To rotate certificates for Consul server agents complete the following steps:
1. [Generate new certificates for all server agents](/consul/docs/security/encryption/mtls#create-server-certificates) to replace the old ones.
1. Distribute the new certificates to the server nodes.
1. Reload Consul configuration on each server with the `consul reload` command.

## Rotate certificates for Consul client agents

To rotate certificates for Consul client agents complete the following steps:

<Tabs>
<Tab heading="Auto-encryption method" group="auto">

When using the auto-encryption method, Consul automatically rotates the client certificates without operator intervention.

</Tab>

<Tab heading="Operator method" group="manual">

1. [Generate new certificates for all client agents](/consul/docs/security/encryption/mtls#configure-client-agents) to replace the old ones.
1. Distribute the new certificates to the client nodes.
1. Reload Consul configuration on all clients with `consul reload` command.

</Tab>

</Tabs>
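Review bot: the two step links in the new file, `/consul/docs/security/encryption/mtls#create-server-certificates` and `/consul/docs/security/encryption/mtls#configure-client-agents`, still use the old `security/` path while this same PR migrates index.mdx to `/consul/docs/secure/encryption/mtls`; update them to the `secure/` path and check that both anchors exist on the target page. Smaller points: `Virtual machines (VMs)` in the heading and `page_title` should be `Virtual Machines (VMs)` to match the title case used elsewhere in the title, and the client-agent step `Reload Consul configuration on all clients with `consul reload` command` should read `with the `consul reload` command` like the server step above it.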
51 changes: 35 additions & 16 deletions website/data/docs-nav-data.json
@@ -651,36 +651,55 @@
{
"title": "Encrypt RPC traffic (TLS)",
"routes": [
{
"title": "Overview",
"path": "secure/encryption/tls/mtls"
},
{
"title": "Enable TLS",
"routes": [
{
"title": "Built-in",
"path": "secure/encryption/tls/enable/builtin"
},
{
"title": "OpenSSL",
"path": "secure/encryption/tls/enable/openssl"
"title": "Enable on new datacenters",
"routes": [
{
"title": "Built-in",
"path": "secure/encryption/tls/enable/new/builtin"
},
{
"title": "OpenSSL",
"path": "secure/encryption/tls/enable/new/openssl"
}
]
},
{
"title": "Enable on existing datacenters",
"path": "secure/encryption/tls/enable/existing"
"routes": [
{
"title": "Virtual machines (VMs)",
"path": "secure/encryption/tls/enable/existing/vm"
},
{
"title": "Kubernetes",
"path": "secure/encryption/tls/enable/existing/k8s"
}
]
}
]
},
{
"title": "Rotate certificates",
"path": "secure/encryption/tls/rotate"
},
{
"title": "Rolling updates on Kubernetes",
"path": "secure/encryption/tls/rolling"
"routes": [
{
"title": "Virtual machines (VMs)",
"path": "secure/encryption/tls/rotate/vm"
},
{
"title": "Kubernetes",
"path": "secure/encryption/tls/rotate/k8s"
}
]
}
]
},
{
"title": "Agent mTLS encryption",
"path": "secure/encryption/mtls"
}
]
},
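Review bot: three nav paths disappear in this hunk without a replacement entry: `secure/encryption/tls/enable/existing`, `secure/encryption/tls/rotate` and `secure/encryption/tls/rolling` (the `Rolling updates on Kubernetes` item is dropped entirely while `rotate/k8s` is added). Confirm that the corresponding pages are either removed with redirects to the new `enable/existing/vm`, `enable/existing/k8s`, `rotate/vm` and `rotate/k8s` routes or still reachable some other way, so nothing is left orphaned from the nav, and that the `rolling` content is actually folded into `rotate/k8s` rather than lost. Separately, the `Encrypt RPC traffic (TLS)` tree keeps an `Overview` at `secure/encryption/tls/mtls` while a sibling `Agent mTLS encryption` entry points at `secure/encryption/mtls`; two similarly named mTLS overview pages in one tree is confusing, so consider consolidating them or making the titles distinguish their scope.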
