Skip to main content
Version: 5.17.0

Updating Root CAs for Nodes

Structsure's IAC has first-class support for adding new Certificate Authorities to the host OS trust store.

Prerequisites

Gather the root CA certificates you'd like to add, and Base64-encode the PEM-encoded files.

base64 -i ca.pem -o ca.b64

Updating the Configuration

Our supported cluster Terragrunt modules all accept a root_cas input variable which is a list of named certificates in Base64 format. Structsure will decode the certificates and add them to the trust store on node initialization.

The CAs are specified in your env.hcl file like so:

locals {
cluster_inputs = {
root_cas = [
{
name = "root-ca-1"
cert = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlGWkRDQ0Ewe..."
}
]
}
}

Terragrunt Apply

Once the necessary configuration values are updated, be sure to run terragrunt apply to create a new launch template version and apply the change. To do this, run terragrunt init and terragrunt apply through the same process (and using the same values) as when initially created.

In the change set for the terragrunt apply, new launch template versions will be generated for both the control plane and agent nodes containing the new certificate configuration.

Node Rotation

For EKS, the nodes will drain and cycle automatically. For RKE2, follow the instructions in How to Update RKE2.