refactor: support custom gateway cert expiry days. (envoyproxy#2047)
* refactor: support custom gateway cert expiry days.

Signed-off-by: qicz <[email protected]>

* fix env

Signed-off-by: qicz <[email protected]>

* update docs

Signed-off-by: qicz <[email protected]>

---------

Signed-off-by: qicz <[email protected]>
qicz authored Oct 23, 2023
1 parent ede2655 commit 6b2c0e6
Showing 5 changed files with 12 additions and 5 deletions.
2 changes: 2 additions & 0 deletions charts/gateway-helm/templates/certgen.yaml
Expand Up @@ -31,6 +31,8 @@ spec:
fieldPath: metadata.namespace
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ .Values.kubernetesClusterDomain }}
- name: ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS
value: "{{ .Values.deployment.envoyGateway.cert.expiryDays }}"
image: {{ .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
imagePullPolicy: {{ .Values.deployment.envoyGateway.imagePullPolicy }}
name: envoy-gateway-certgen
2 changes: 2 additions & 0 deletions charts/gateway-helm/values.tmpl.yaml
@@ -1,5 +1,7 @@
deployment:
envoyGateway:
cert:
expiryDays: 365
image:
repository: ${ImageRepository}
tag: '${ImageTag}'
5 changes: 1 addition & 4 deletions internal/crypto/certgen.go
Expand Up @@ -28,9 +28,6 @@ const (
// DefaultEnvoyDNSPrefix defines the default Envoy DNS prefix.
DefaultEnvoyDNSPrefix = "*"

// DefaultCertificateLifetime holds the default certificate lifetime (in days).
DefaultCertificateLifetime = 365

// keySize sets the RSA key size to 2048 bits. This is minimum recommended size
// for RSA keys.
keySize = 2048
Expand Down Expand Up @@ -97,7 +94,7 @@ func GenerateCerts(cfg *config.Server) (*Certificates, error) {
switch certCfg.Provider.Type {
case ProviderTypeEnvoyGateway:
now := time.Now()
expiry := now.Add(24 * time.Duration(DefaultCertificateLifetime) * time.Hour)
expiry := now.Add(24 * time.Duration(cfg.CertificateExpiryDays) * time.Hour)
caCertPEM, caKeyPEM, err := newCA(DefaultEnvoyGatewayDNSPrefix, expiry)
if err != nil {
return nil, err
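Review bot: The expiry on the replaced line is derived from `cfg.CertificateExpiryDays` with no range check, so a zero or negative value produces a CA whose NotAfter is at or before issuance and every leaf signed under it fails validation, while a value above roughly 106,000 days (about 292 years) overflows time.Duration and wraps. A guard ahead of the computation, `if cfg.CertificateExpiryDays <= 0 { return nil, fmt.Errorf("certificate expiry days must be positive, got %d", cfg.CertificateExpiryDays) }` (with fmt imported if the file does not already), turns the misconfiguration into a startup error instead of a silently unusable certificate. In the normal path the value comes from config.New in internal/envoygateway/config/config.go, which is the other place the check could live; GenerateCerts starts outside this hunk.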
7 changes: 6 additions & 1 deletion internal/envoygateway/config/config.go
Expand Up @@ -23,6 +23,8 @@ const (
EnvoyGatewayServiceName = "envoy-gateway"
// EnvoyPrefix is the prefix applied to the Envoy ConfigMap, Service, Deployment, and ServiceAccount.
EnvoyPrefix = "envoy"
// DefaultCertificateExpiryDays holds the default certificate lifetime (in days).
DefaultCertificateExpiryDays = 365
)

// Server wraps the EnvoyGateway configuration and additional parameters
Expand All @@ -36,6 +38,8 @@ type Server struct {
DNSDomain string
// Logger is the logr implementation used by Envoy Gateway.
Logger logging.Logger
// CertificateExpiryDays holds the certificate lifetime (in days).
CertificateExpiryDays int
}

// New returns a Server with default parameters.
Expand All @@ -45,7 +49,8 @@ func New() (*Server, error) {
Namespace: env.Lookup("ENVOY_GATEWAY_NAMESPACE", DefaultNamespace),
DNSDomain: env.Lookup("KUBERNETES_CLUSTER_DOMAIN", DefaultDNSDomain),
// the default logger
Logger: logging.DefaultLogger(v1alpha1.LogLevelInfo),
Logger: logging.DefaultLogger(v1alpha1.LogLevelInfo),
CertificateExpiryDays: env.Lookup("ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS", DefaultCertificateExpiryDays),
}, nil
}

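Review bot: The new CertificateExpiryDays comment in the Server struct hunk gives the unit but not where the value comes from, and the lookup added at the end of New stores whatever env.Lookup returns without inspecting it. How env.Lookup treats a non-numeric or negative ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS is not visible in this diff; if it falls back to the default silently, an operator's typo changes the certificate lifetime with no signal, so confirm that a parse failure is logged rather than swallowed. I would extend the field comment to `// CertificateExpiryDays holds the lifetime (in days) of the certificates Envoy Gateway generates; it is read from ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS and defaults to DefaultCertificateExpiryDays.` so the env var and default are discoverable from the type.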
1 change: 1 addition & 0 deletions site/content/en/latest/install/api.md
Expand Up @@ -32,6 +32,7 @@ The Helm chart for Envoy Gateway
| config.envoyGateway.logging.level.default | string | `"info"` | |
| config.envoyGateway.provider.type | string | `"Kubernetes"` | |
| createNamespace | bool | `false` | |
| deployment.envoyGateway.cert.expiryDays | int | `365` | |
| deployment.envoyGateway.image.repository | string | `"${ImageRepository}"` | |
| deployment.envoyGateway.image.tag | string | `"${ImageTag}"` | |
| deployment.envoyGateway.imagePullPolicy | string | `"Always"` | |
