In a kURL installation that uses Contour, the default generated Envoy certificate expires after one year. In EKCO versions earlier than v0.15.0, this certificate was not rotated automatically.
You can check the expiration date of the current Envoy certificate with:
```bash
# Print the notAfter date of the CA and leaf certificate mounted in every Envoy pod
for pod in $(kubectl get pods -n projectcontour -l app=envoy -o=name)
do
  echo "$pod"
  echo ===============
  echo ca.crt:
  kubectl exec "$pod" -n projectcontour -c envoy -- openssl x509 -enddate -noout -in /certs/ca.crt
  echo tls.crt:
  kubectl exec "$pod" -n projectcontour -c envoy -- openssl x509 -enddate -noout -in /certs/tls.crt
done
```
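As an added example (not part of the original page or of the kURL/EKCO project), the following Python reads the output of the check loop above and reports how many days remain on each Envoy certificate, flagging any that are expired or inside a 30-day warning window so rotation can be scheduled in time. The sample loop output, the `REFERENCE_NOW` date and the 30-day threshold are constructed assumptions.

```python
"""Flag Envoy certificates from the expiry check that need rotation soon."""
from datetime import datetime, timedelta, timezone

# Constructed sample of what the kubectl/openssl loop prints for two Envoy pods.
SAMPLE_OUTPUT = """\
pod/envoy-abc12
===============
ca.crt:
notAfter=Mar  1 12:00:00 2025 GMT
tls.crt:
notAfter=Mar  1 12:00:00 2025 GMT
pod/envoy-def34
===============
ca.crt:
notAfter=Jun 15 08:30:00 2026 GMT
tls.crt:
notAfter=Jun 15 08:30:00 2026 GMT
"""

# Constructed reference time so the result is reproducible offline.
REFERENCE_NOW = datetime(2025, 2, 20, 12, 0, tzinfo=timezone.utc)


def parse_not_after(line):
    """Turn 'notAfter=Mar  1 12:00:00 2025 GMT' (openssl -enddate) into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_envoy_certs(output, now=None, warn_days=30):
    """Return (pod, cert_file, days_left, needs_rotation) per certificate in the loop output.
    days_left is negative once expired; needs_rotation is True when fewer than warn_days remain."""
    now = now or datetime.now(timezone.utc)
    results = []
    pod = cert_file = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("pod/"):
            pod = line
        elif line.endswith(".crt:"):
            cert_file = line[:-1]
        elif line.startswith("notAfter="):
            days_left = (parse_not_after(line) - now) // timedelta(days=1)
            results.append((pod, cert_file, days_left, days_left < warn_days))
    return results


if __name__ == "__main__":
    for pod, cert_file, days_left, rotate in check_envoy_certs(SAMPLE_OUTPUT, REFERENCE_NOW):
        print(f"{pod} {cert_file}: {days_left} days left{'  ROTATE' if rotate else ''}")
```

Pipe the real loop output into `check_envoy_certs` with `now=None` to evaluate a live cluster against the current time.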
Use the following steps to rotate this certificate manually:
- Delete the secret that holds the gRPC TLS keypair:

  ```bash
  kubectl delete secret envoycert -n projectcontour
  ```

- Back up the existing Contour certificate generation job to a file:

  ```bash
  kubectl get jobs -n projectcontour contour-certgen-<version> -o yaml > contour-certgen-<version>.yaml.bak
  ```

- Create a file named `contour-certgen-<version>.yaml` with the following contents, replacing `<version>` with your version of Contour:

  ```yaml
  apiVersion: batch/v1
  kind: Job
  metadata:
    name: contour-certgen-<version>
    namespace: projectcontour
  spec:
    template:
      metadata:
        labels:
          app: "contour-certgen"
      spec:
        containers:
        - name: contour
          image: projectcontour/contour:<version>
          imagePullPolicy: IfNotPresent
          command:
          - contour
          - certgen
          - --kube
          - --incluster
          - --overwrite
          - --secrets-format=compact
          - --namespace=$(CONTOUR_NAMESPACE)
          env:
          - name: CONTOUR_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        restartPolicy: Never
        serviceAccountName: contour-certgen
        securityContext:
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
    parallelism: 1
    completions: 1
    backoffLimit: 1
  ```

- Delete the existing Contour certgen job:

  ```bash
  kubectl delete jobs -n projectcontour contour-certgen-<version>
  ```

- Apply the new YAML to the cluster:

  ```bash
  kubectl apply -f contour-certgen-<version>.yaml
  ```

- Restart Contour and Envoy so they pick up the new certificate:

  ```bash
  kubectl delete pods -n projectcontour --all
  ```