Nomad
Command: operator root keyring rotate
The operator root keyring rotate
command generates a new encryption key for
all future variables.
If ACLs are enabled, this command requires a management token.
Usage
nomad operator root keyring rotate [options]
General Options
-address=<addr>
: The address of the Nomad server. Overrides theNOMAD_ADDR
environment variable if set. Defaults tohttp://127.0.0.1:4646
.-region=<region>
: The region of the Nomad server to forward commands to. Overrides theNOMAD_REGION
environment variable if set. Defaults to the Agent's local region.-namespace=<namespace>
: The target namespace for queries and actions bound to a namespace. Overrides theNOMAD_NAMESPACE
environment variable if set. If set to'*'
, subcommands which support this functionality query all namespaces authorized to user. Defaults to the "default" namespace.-no-color
: Disables colored command output. Alternatively,NOMAD_CLI_NO_COLOR
may be set. This option takes precedence over-force-color
.-force-color
: Forces colored command output. This can be used in cases where the usual terminal detection fails. Alternatively,NOMAD_CLI_FORCE_COLOR
may be set. This option has no effect if-no-color
is also used.-ca-cert=<path>
: Path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate. Overrides theNOMAD_CACERT
environment variable if set.-ca-path=<path>
: Path to a directory of PEM encoded CA cert files to verify the Nomad server SSL certificate. If both-ca-cert
and-ca-path
are specified,-ca-cert
is used. Overrides theNOMAD_CAPATH
environment variable if set.-client-cert=<path>
: Path to a PEM encoded client certificate for TLS authentication to the Nomad server. Must also specify-client-key
. Overrides theNOMAD_CLIENT_CERT
environment variable if set.-client-key=<path>
: Path to an unencrypted PEM encoded private key matching the client certificate from-client-cert
. Overrides theNOMAD_CLIENT_KEY
environment variable if set.-tls-server-name=<value>
: The server name to use as the SNI host when connecting via TLS. Overrides theNOMAD_TLS_SERVER_NAME
environment variable if set.-tls-skip-verify
: Do not verify TLS certificate. This is highly not recommended. Verification will also be skipped ifNOMAD_SKIP_VERIFY
is set.-token
: The SecretID of an ACL token to use to authenticate API requests with. Overrides theNOMAD_TOKEN
environment variable if set.
Rotate Options
-full
: Decrypt all existing variables and re-encrypt with the new key. This command will immediately return and the re-encryption process will run asynchronously on the leader.-now
: Publish the new key immediately without prepublishing. One of-now
or-prepublish
must be set.-prepublish
: Set a duration for which to prepublish the new key (ex. "1h"). The currently active key will be unchanged but the new public key will be available in the JWKS endpoint. Multiple keys can be prepublished and they will be promoted to active in order of publish time, at most once everyroot_key_gc_interval
. One of-now
or-prepublish
must be set.-verbose
: Enable verbose output
Examples
$ nomad operator root keyring rotate -now
Key State Create Time Publish Time
f19f6029 active 2022-07-11T19:14:36Z <none>
$ nomad operator root keyring rotate -now -verbose
Key State Create Time Publish Time
53186ac1-9002-c4b6-216d-bb19fd37a791 active 2022-07-11T19:14:47Z <none>
$ nomad operator root keyring rotate -prepublish 1h
Key State Create Time Publish Time
7f15e4e9 active 2022-07-11T19:15:10Z 2022-07-11T20:15:10Z