## Overview The TLS CA certificates for Consul in `db-benchmarking`, `gstg` and `gprd` expire in June/July 2030: ```shell $ kubectl --context gke_gitlab-production_us-east1_gprd-gitlab-gke --namespace consul get secret consul-tls-v2 --output jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -noout -subject -dates subject=C=US, ST=CA, L=San Francisco, street=101 Second Street, postalCode=94105, O=HashiCorp Inc., CN=Consul Agent CA 102686053279227749328233714366723921396 notBefore=Jul 8 09:19:15 2025 GMT notAfter=Jul 7 09:19:15 2030 GMT $ kubectl --context gke_gitlab-staging-1_us-east1_gstg-gitlab-gke --namespace consul get secret consul-tls-v2 --output jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -noout -subject -dates subject=C=US, ST=CA, L=San Francisco, street=101 Second Street, postalCode=94105, O=HashiCorp Inc., CN=Consul Agent CA 241485822118155182521841573029583946496 notBefore=Jun 25 05:08:07 2025 GMT notAfter=Jun 24 05:08:07 2030 GMT $ kubectl --context gke_gitlab-db-benchmarking_us-east1_db-benchmarking-gitlab-gke --namespace consul get secret consul-tls-v2 --output jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -noout -subject -dates subject=C=US, ST=CA, L=San Francisco, street=101 Second Street, postalCode=94105, O=HashiCorp Inc., CN=Consul Agent CA 241485822118155182521841573029583946496 notBefore=Jun 23 06:40:52 2025 GMT notAfter=Jun 22 06:40:52 2030 GMT ``` They need to be renewed before then. Runbook: https://runbooks.gitlab.com/consul/ See previous issue from last renewal in 2025: https://gitlab.com/gitlab-com/gl-infra/production-engineering/-/issues/25974 ## Exit criteria For each environment in `db-benmchmarking`, `gstg`, `gprd`: * [ ] The Consul cluster is using a certificate with an expiration date 5+ years in the future * [ ] The Consul clients on VMs are using a certificate with an expiration date 2+ years in the future * [ ] The Consul runbooks is up-to-date about how to renew the Consul certificates