Update cert creation instruction for Federation

The Server certificates used for Federation require the node name in the form of `<node>.server.<dc>.<domain>`. Not having this would through `bad tls certificate` error.

* Fixed cert create command
* Added note to create a wildcard cert (like the ones on Kubernetes)
* Fixed numbering
This commit is contained in:
Ranjandas 2021-03-02 09:39:46 +11:00 committed by GitHub
parent 3ab16c8402
commit 3790770af6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 2 deletions

View File

@ -31,7 +31,7 @@ kubectl get secrets/consul-ca-cert --template='{{index .data "tls.crt" }}' |
base64 -D > consul-agent-ca.pem
```
and the certificate authority signing key:
2. The certificate authority signing key:
```sh
kubectl get secrets/consul-ca-key --template='{{index .data "tls.key" }}' |
@ -47,7 +47,7 @@ You can use the `consul tls` commands to generate those certificates:
```sh
# NOTE: consul-agent-ca.pem and consul-agent-ca-key.pem must be in the current
# directory.
$ consul tls cert create -server -dc=vm-dc
$ consul tls cert create -server -dc=vm-dc -node <node_name>
==> WARNING: Server Certificates grants authority to become a
server and access all state in the cluster including root keys
and all ACL tokens. Do not distribute them to production hosts
@ -57,6 +57,8 @@ $ consul tls cert create -server -dc=vm-dc
==> Saved vm-dc-server-consul-0-key.pem
```
-> Note the `node` option in the above command. This is a [requirement](https://www.consul.io/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, use `-node "*"` instead.
See the help for output of `consul tls cert create -h` to see more options
for generating server certificates.