I want to use HashiCorp Vault to manage Logstash SSL certs on Kubernetes.
I am using the Logstash Helm chart, --version 7.10.1.
These pod annotations work as expected:

podAnnotations:
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/auth-path: "auth/eks"
  vault.hashicorp.com/role: "devweb-app"
  vault.hashicorp.com/agent-inject-secret-ca.crt: ""
  vault.hashicorp.com/agent-inject-template-ca.crt: |
    {{- with secret "pki_int/issue/elk" "common_name=logstash.example.com" "private_key_format=pkcs8" "ttl=1h" -}}
    {{ .Data.issuing_ca }}
    {{- end }}
  vault.hashicorp.com/agent-inject-secret-server.key: ""
  vault.hashicorp.com/agent-inject-template-server.key: |
    {{- with secret "pki_int/issue/elk" "common_name=logstash.example.com" "private_key_format=pkcs8" "ttl=1h" -}}
    {{ .Data.private_key }}
    {{- end }}
  vault.hashicorp.com/agent-inject-secret-server.crt: ""
  vault.hashicorp.com/agent-inject-template-server.crt: |
    {{- with secret "pki_int/issue/elk" "common_name=logstash.example.com" "private_key_format=pkcs8" "ttl=1h" -}}
    {{ .Data.certificate }}
    {{- end }}

The problem is that when the Logstash container gets new certs, there is no way to tell Logstash to use the new certs. I have tried the documented ways to reload configs: https://www.elastic.co/guide/en/logstash/current/reloading-config.html
but these apply only to config; the new SSL certs are not being used.
Is there some way to make Logstash aware of SSL cert rotation?
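
The symptom described above can be confirmed from inside the pod. The following is an added example, not part of the original post, that compares the certificate the listener currently presents with the file Vault Agent last rendered. The TLS input port 5044, the injector's default /vault/secrets/server.crt path and the placeholder byte strings are assumptions.

```python
"""Detect a Logstash TLS listener still serving a cert that Vault Agent has replaced."""
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first cert in a rendered file (tolerates template whitespace or an appended chain)."""
    start = pem_text.index(PEM_BEGIN)
    stop = pem_text.index(PEM_END, start) + len(PEM_END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:stop])).hexdigest()

def served_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate (DER) the listener presents right now."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # only the fingerprint is compared, so trust
    ctx.verify_mode = ssl.CERT_NONE  # validation is deliberately skipped here
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def is_stale(served: bytes, rendered_pem: str) -> bool:
    """True when the process serves a different cert than the one on disk."""
    return hashlib.sha256(served).hexdigest() != pem_fingerprint(rendered_pem)

# Constructed placeholders (not real X.509) standing in for two successive 1h issuances.
OLD_DER = b"constructed certificate issued at pod start"
NEW_DER = b"constructed certificate issued after rotation"
NEW_FILE = "\n" + ssl.DER_cert_to_PEM_cert(NEW_DER) + "\n"

if __name__ == "__main__":
    # Assumed values: injector default path, and 5044 as the TLS input port.
    path = sys.argv[1] if len(sys.argv) > 1 else "/vault/secrets/server.crt"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5044
    with open(path) as fh:
        stale = is_stale(served_der("127.0.0.1", port), fh.read())
    print("STALE: listener has not picked up the rotated cert" if stale else "OK")
    sys.exit(1 if stale else 0)
```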