Auto-issue & hot-reload TLS certs for every Consul-registered service, powered by Vault PKI.
- Automatic certificate issuance and renewal for all Consul services
- Integration with HashiCorp Vault PKI
- Configurable renewal window and certificate TTL
- Scheduler for periodic renewal
- Flexible logging
- Enable PKI backend:

```bash
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
```

- Generate root CA:

```bash
vault write -field=certificate pki/root/generate/internal \
    common_name="example.com" ttl=87600h > CA_cert.crt
```

- Configure URLs:

```bash
vault write pki/config/urls \
    issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/pki/crl"
```

- Create a role:

```bash
# Note: allow_any_name=true lets a client request any name, so allowed_domains
# and allow_subdomains no longer restrict what this role will issue.
vault write pki/roles/your-vault-role \
    allowed_domains="example.com" \
    allow_subdomains=true \
    max_ttl="72h" \
    allow_any_name=true
```

- Start Consul agent and register your services as usual.
```yaml
consul:
  address: "localhost:8500"
  datacenter: "dc1"        # optional
vault:
  address: "http://localhost:8200"
  role: "your-vault-role"
  pki_path: "pki"
  token: "root"
certs:
  ttl: "24h"
  output_dir: "./certs"    # remove this line if you don't want to save certs to disk
  renewal_ttl: "24h"       # default 24h
scheduler:
  interval: "10s"          # default 1h
log_level: "info"
```

```bash
go build -o updater ./cmd/updater
./updater run --config ./configs/dev.yaml
```

- On start, the app connects to Consul and Vault.
- For each registered Consul service, it checks if a valid certificate exists (locally or in Vault).
- If not, it issues a new certificate via Vault PKI and (optionally) saves it to disk.
- Renewal is performed periodically according to the scheduler interval and renewal_ttl.
- All settings are managed via a YAML config file (see example above).
- `certs.output_dir`: if empty, certificates are not saved to disk.
- `certs.renewal_ttl`: how long before expiry to renew certificates.
- `scheduler.interval`: how often to check and renew certificates.
- Log level is controlled by `log_level` in config (default: info).
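The per-service check described above (a valid certificate exists, otherwise issue; reissue once less than `renewal_ttl` of lifetime remains), as an added Go example that is not the project's own code: `needsRenewal` implements the renewal-window decision and `validForService` the check against a cert on disk. The self-signed `selfSignedPEM` helper, the service name and the function names are assumptions made so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// needsRenewal reports whether a cert should be reissued at time now: it is
// outside its validity window, or less than renewalTTL (certs.renewal_ttl) of
// lifetime remains. Note: with ttl == renewal_ttl, as in the example config,
// this holds for the cert's whole life, so every scheduler tick would reissue.
func needsRenewal(cert *x509.Certificate, now time.Time, renewalTTL time.Duration) bool {
	if now.Before(cert.NotBefore) || !now.Before(cert.NotAfter) {
		return true
	}
	return cert.NotAfter.Sub(now) < renewalTTL
}

// validForService: parse the on-disk PEM, then require "not due for renewal".
func validForService(pemBytes []byte, service string, now time.Time, renewalTTL time.Duration) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no CERTIFICATE block in PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	// SANs (or legacy CN) must also cover the Consul service's DNS name.
	return !needsRenewal(cert, now, renewalTTL) && cert.VerifyHostname(service) == nil, nil
}

// selfSignedPEM is a constructed, self-signed stand-in for a Vault-issued
// cert (assumption for offline use); it is not what Vault PKI returns.
func selfSignedPEM(dnsName string, notBefore time.Time, ttl time.Duration) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		NotBefore: notBefore, NotAfter: notBefore.Add(ttl)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	fmt.Println(validForService(selfSignedPEM("api.example.com", now.Add(-time.Hour), 72*time.Hour), "api.example.com", now, 24*time.Hour))
}
```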
MIT