kURL: How to manually rotate an expired certificate for Envoy

In a kURL installation that uses Contour, the default generated Envoy certificate expires one year after it is created. In EKCO versions earlier than v0.15.0, this certificate was not rotated automatically, so it must be rotated by hand once it expires.

You can verify the expiration of the current Envoy certificate with:

    for pod in $(kubectl get pods -n projectcontour -l app=envoy -o=name)
    do
       echo "$pod"
       echo ===============
       echo ca.crt:
       kubectl exec "$pod" -n projectcontour -c envoy -- openssl x509 -enddate -noout -in /certs/ca.crt
       echo tls.crt:
       kubectl exec "$pod" -n projectcontour -c envoy -- openssl x509 -enddate -noout -in /certs/tls.crt
    done

Use the following steps to rotate this certificate manually:

  1. Delete the secret that holds the gRPC TLS key pair

    kubectl delete secret envoycert -n projectcontour

  2. Back up the existing Contour certificate generation job to a file

    kubectl get jobs -n projectcontour contour-certgen-<version> -o yaml > contour-certgen-<version>.yaml.bak

  3. Create a file named contour-certgen-<version>.yaml with the following YAML, replacing <version> with your version of Contour

    apiVersion: batch/v1
    kind: Job
    metadata:
      name: contour-certgen-<version>
      namespace: projectcontour
    spec:
      template:
        metadata:
          labels:
            app: "contour-certgen"
        spec:
          containers:
          - name: contour
            image: projectcontour/contour:<version>
            imagePullPolicy: Always
            command:
            - contour
            - certgen
            - --kube
            - --incluster
            - --overwrite
            - --secrets-format=compact
            - --namespace=$(CONTOUR_NAMESPACE)
            env:
            - name: CONTOUR_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          restartPolicy: Never
          serviceAccountName: contour-certgen
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
      parallelism: 1
      completions: 1
      backoffLimit: 1

  4. Delete the existing Contour certgen job

    kubectl delete jobs -n projectcontour contour-certgen-<version>

  5. Apply the new YAML to the cluster

    kubectl apply -f contour-certgen-<version>.yaml

  6. Restart Contour and Envoy by deleting their pods

    kubectl delete pods -n projectcontour --all
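The following script is an added example, not part of the original kURL article or of Contour itself. It turns the expiry check above into a pass/fail test using `openssl x509 -checkend` (so it can warn before the certificate expires rather than only printing the date), and wraps the six rotation steps in one function so they run in the documented order. It assumes `kubectl` and `openssl` are on the PATH and the namespace, label, secret name and certificate paths used on this page (projectcontour, app=envoy, envoycert, /certs/ca.crt, /certs/tls.crt); the `kubectl wait` call that pauses until the certgen Job completes is an addition of this example and not a step from the article. The demo at the bottom generates a constructed self-signed certificate so the check runs offline without a cluster.

```shell
#!/bin/sh
# Added example, not from the original kURL article: flag Envoy certificates
# that expire within a window, and wrap the manual rotation steps.
# Assumptions: kubectl and openssl on PATH; the namespace, labels, secret and
# cert paths the article uses (projectcontour, app=envoy, envoycert, /certs/*).

NAMESPACE=projectcontour

# Returns 0 if the PEM certificate in $1 stays valid for at least $2 more days,
# 1 if it expires (or has already expired) within that window.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(($2 * 86400)) -in "$1" >/dev/null 2>&1
}

# Prints the notAfter date of the certificate in $1 (the same information the
# article's `openssl x509 -enddate -noout` check prints inside the pod).
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Runs the check inside every Envoy pod and flags certificates that expire
# within $1 days (default 30). Needs cluster access; not invoked by the demo.
check_envoy_pods() {
    warn_days=${1:-30}
    status=0
    for pod in $(kubectl get pods -n "$NAMESPACE" -l app=envoy -o=name); do
        for cert in /certs/ca.crt /certs/tls.crt; do
            enddate=$(kubectl exec "$pod" -n "$NAMESPACE" -c envoy -- \
                openssl x509 -noout -enddate -in "$cert")
            if kubectl exec "$pod" -n "$NAMESPACE" -c envoy -- \
                openssl x509 -noout -checkend $((warn_days * 86400)) -in "$cert" >/dev/null; then
                echo "OK       $pod $cert $enddate"
            else
                echo "EXPIRING $pod $cert $enddate"
                status=1
            fi
        done
    done
    return $status
}

# The article's rotation steps in order for Contour version $1 (e.g. v1.11.0).
# The step-3 Job manifest must already exist as contour-certgen-<version>.yaml
# in the current directory. The `kubectl wait` is added here, not in the article.
rotate_envoy_cert() {
    job=contour-certgen-$1
    kubectl delete secret envoycert -n "$NAMESPACE"
    kubectl get job -n "$NAMESPACE" "$job" -o yaml > "$job.yaml.bak"
    kubectl delete job -n "$NAMESPACE" "$job"
    kubectl apply -f "$job.yaml"
    kubectl wait --for=condition=complete -n "$NAMESPACE" "job/$job" --timeout=120s
    kubectl delete pods -n "$NAMESPACE" --all
}

# Offline demo: a constructed self-signed certificate valid for $1 days.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=envoy-test" \
        -keyout "$dir/tls.key" -out "$dir/tls.crt" >/dev/null 2>&1
    echo "$dir/tls.crt"
}

TEST_CERT=$(make_test_cert 10)
echo "test cert expires: $(cert_not_after "$TEST_CERT")"
if cert_valid_for_days "$TEST_CERT" 30; then
    echo "OK: not expiring within 30 days"
else
    echo "EXPIRING: rotate within 30 days"
fi
```

Source the script and call `check_envoy_pods 30` from a cron job or a monitoring hook to get a non-zero exit status while the Envoy certificate is still valid but within 30 days of expiry; `rotate_envoy_cert <version>` then performs the same six steps listed above.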