diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml
index 4d49597fec0..e59981bc0f6 100644
--- a/charts/gateway-helm/templates/certgen.yaml
+++ b/charts/gateway-helm/templates/certgen.yaml
@@ -31,6 +31,8 @@ spec:
fieldPath: metadata.namespace
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ .Values.kubernetesClusterDomain }}
+ - name: ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS
+ value: "{{ .Values.deployment.envoyGateway.cert.expiryDays }}"
image: {{ .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
imagePullPolicy: {{ .Values.deployment.envoyGateway.imagePullPolicy }}
name: envoy-gateway-certgen
diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml
index d4836f96c79..ce5519ae040 100644
--- a/charts/gateway-helm/values.tmpl.yaml
+++ b/charts/gateway-helm/values.tmpl.yaml
@@ -1,5 +1,7 @@
deployment:
envoyGateway:
+ cert:
+ expiryDays: 365
image:
repository: ${ImageRepository}
tag: '${ImageTag}'
diff --git a/internal/crypto/certgen.go b/internal/crypto/certgen.go
index 08ce6d63ec5..e347639ff13 100644
--- a/internal/crypto/certgen.go
+++ b/internal/crypto/certgen.go
@@ -28,9 +28,6 @@ const (
// DefaultEnvoyDNSPrefix defines the default Envoy DNS prefix.
DefaultEnvoyDNSPrefix = "*"
- // DefaultCertificateLifetime holds the default certificate lifetime (in days).
- DefaultCertificateLifetime = 365
-
// keySize sets the RSA key size to 2048 bits. This is minimum recommended size
// for RSA keys.
keySize = 2048
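Review bot: The new `cert.expiryDays` key in values.tmpl.yaml carries no comment, so a chart user has nothing telling them the unit, what it affects, or that it must be a positive integer. I would add above it `# expiryDays is the validity period, in days, of the certificates generated by the envoy-gateway-certgen job (exported to it as ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS); it must be a positive integer.` Whether changing the value on an upgrade re-issues an already existing certificate is not visible in this diff; if certgen only runs when no secret exists yet, the comment should say so, because an operator shortening the lifetime would otherwise assume a rotation had happened.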
@@ -97,7 +94,7 @@ func GenerateCerts(cfg *config.Server) (*Certificates, error) {
switch certCfg.Provider.Type {
case ProviderTypeEnvoyGateway:
now := time.Now()
- expiry := now.Add(24 * time.Duration(DefaultCertificateLifetime) * time.Hour)
+ expiry := now.Add(24 * time.Duration(cfg.CertificateExpiryDays) * time.Hour)
caCertPEM, caKeyPEM, err := newCA(DefaultEnvoyGatewayDNSPrefix, expiry)
if err != nil {
return nil, err
diff --git a/internal/envoygateway/config/config.go b/internal/envoygateway/config/config.go
index 4c9674a88b4..259f0d56368 100644
--- a/internal/envoygateway/config/config.go
+++ b/internal/envoygateway/config/config.go
@@ -23,6 +23,8 @@ const (
EnvoyGatewayServiceName = "envoy-gateway"
// EnvoyPrefix is the prefix applied to the Envoy ConfigMap, Service, Deployment, and ServiceAccount.
EnvoyPrefix = "envoy"
+ // DefaultCertificateExpiryDays holds the default certificate lifetime (in days).
+ DefaultCertificateExpiryDays = 365
)

// Server wraps the EnvoyGateway configuration and additional parameters
@@ -36,6 +38,8 @@ type Server struct {
DNSDomain string
// Logger is the logr implementation used by Envoy Gateway.
Logger logging.Logger
+ // CertificateExpiryDays holds the certificate lifetime (in days).
+ CertificateExpiryDays int
}

// New returns a Server with default parameters.
@@ -45,7 +49,8 @@ func New() (*Server, error) {
Namespace: env.Lookup("ENVOY_GATEWAY_NAMESPACE", DefaultNamespace),
DNSDomain: env.Lookup("KUBERNETES_CLUSTER_DOMAIN", DefaultDNSDomain),
// the default logger
- Logger: logging.DefaultLogger(v1alpha1.LogLevelInfo),
+ Logger: logging.DefaultLogger(v1alpha1.LogLevelInfo),
+ CertificateExpiryDays: env.Lookup("ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS", DefaultCertificateExpiryDays),
}, nil
}

diff --git a/site/content/en/latest/install/api.md b/site/content/en/latest/install/api.md
index d1a2b660189..f6c859863b0 100644
--- a/site/content/en/latest/install/api.md
+++ b/site/content/en/latest/install/api.md
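Review bot: `cfg.CertificateExpiryDays` is consumed unchecked in `24 * time.Duration(cfg.CertificateExpiryDays) * time.Hour`: a zero or negative value makes `expiry` fall at or before `now`, so `newCA` is handed an already-expired validity window, and a value above roughly 106,751 days overflows `time.Duration` (int64 nanoseconds) and wraps silently to a bogus expiry. That was harmless while the lifetime was a compile-time constant, but it is now an operator-supplied environment value, so guard it before computing the expiry: `if d := cfg.CertificateExpiryDays; d <= 0 || d > maxCertificateExpiryDays { return nil, fmt.Errorf("certificate expiry days out of range: %d", d) }`, with `maxCertificateExpiryDays` a package constant (a few years is ample for an internal CA). Whether certgen.go already imports `fmt` is not visible here. The body of GenerateCerts continues outside the hunk.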
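Review bot: The comment on the new `CertificateExpiryDays` field says neither where the value comes from nor what range is valid, which matters now that an operator controls it. I would write `// CertificateExpiryDays holds the lifetime (in days) of the certificates generated for the EnvoyGateway provider; it is read from ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS and must be a positive integer.` The Server struct opens at the hunk header and its earlier fields lie outside the hunk.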
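Review bot: `New` is declared as returning `(*Server, error)` but the hunk still ends in an unconditional `}, nil`, even though it now reads an integer from `ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS`; config load is the natural place to reject a misconfigured lifetime so the process fails fast instead of later minting an expired CA. What `env.Lookup` does with a non-numeric or negative string is not visible in this diff — if it silently falls back to the default, a typo in the variable would go unnoticed, so the helper's failure mode should at least be logged. I would parse into a local, validate it, and only then build the struct; `fmt` may need importing if config.go does not already do so.
```go
func New() (*Server, error) {
	expiryDays := env.Lookup("ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS", DefaultCertificateExpiryDays)
	if expiryDays <= 0 {
		return nil, fmt.Errorf("ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS must be a positive integer, got %d", expiryDays)
	}
	// … unchanged: Server literal with EnvoyGateway, Namespace, DNSDomain, Logger …
		CertificateExpiryDays: expiryDays,
	}, nil
}
```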
@@ -32,6 +32,7 @@ The Helm chart for Envoy Gateway
| config.envoyGateway.logging.level.default | string | `"info"` | |
| config.envoyGateway.provider.type | string | `"Kubernetes"` | |
| createNamespace | bool | `false` | |
+| deployment.envoyGateway.cert.expiryDays | int | `365` | |
| deployment.envoyGateway.image.repository | string | `"${ImageRepository}"` | |
| deployment.envoyGateway.image.tag | string | `"${ImageTag}"` | |
| deployment.envoyGateway.imagePullPolicy | string | `"Always"` | |