examples/contour: switch to reloadable xDS certificates
Switch the certgen xDS certificate generation over to using certificates
that are compatible with certificate-manager. This requires the certgen
job to run again, which means we have to give it a unique name. Using
a version-locked name will let it run on each upgrade, which will have
the beneficial side-effect of rotating the xDS certificates.

The envoy and contour pods will restart because the secrets mounts change,
but they will restart at release time anyway because the container image
will change.

After this change, re-running certgen to rotate the xDS certificates
will not require restarting any pods.

This fixes projectcontour#2524.
This updates projectcontour#2143.

Signed-off-by: James Peach <[email protected]>
jpeach committed May 28, 2020
1 parent 5a3ac75 commit 0df2b53
Showing 5 changed files with 15 additions and 37 deletions.
2 changes: 1 addition & 1 deletion .travis.yml
Expand Up @@ -38,7 +38,7 @@ jobs:
- $HOME/bin/kind create cluster --wait 2m
- $HOME/bin/kind load docker-image docker.io/projectcontour/contour:master
- $HOME/bin/kind load docker-image docker.io/projectcontour/contour:latest
- $HOME/bin/kubectl apply -f examples/render/contour.yaml
- '$HOME/bin/kubectl apply -f <(sed "s/imagePullPolicy: Always/imagePullPolicy: IfNotPresent/g" < examples/render/contour.yaml)'
- $HOME/bin/kubectl wait --timeout=2m -n projectcontour -l app=contour deployments --for=condition=Available
- $HOME/bin/kubectl wait --timeout=2m -n projectcontour -l app=envoy pods --for=condition=Ready
- $HOME/bin/kind delete cluster
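Review bot: The rewritten apply on the `'$HOME/bin/kubectl apply -f <(sed ...)'` line flips every `imagePullPolicy: Always` in the rendered manifest to `IfNotPresent` without saying why, so the next reader will wonder whether the rendered file itself is supposed to change. A one-line comment above it would carry the intent: `# Use the images loaded into kind above instead of pulling the registry's :latest/:master tags`. The single quotes around the step are required because the value contains `: `, which YAML would otherwise parse as a nested mapping; keep them if the line is edited again. The `jobs:` script list this step belongs to continues outside the hunk.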
6 changes: 4 additions & 2 deletions examples/contour/02-job-certgen.yaml
Expand Up @@ -36,7 +36,7 @@ rules:
apiVersion: batch/v1
kind: Job
metadata:
name: contour-certgen
name: contour-certgen-v1.5.0
namespace: projectcontour
spec:
ttlSecondsAfterFinished: 0
Expand All @@ -56,8 +56,10 @@ spec:
command:
- contour
- certgen
- --incluster
- --kube
- --incluster
- --overwrite
- --secrets-format=compact
- --namespace=$(CONTOUR_NAMESPACE)
env:
- name: CONTOUR_NAMESPACE
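Review bot: Nothing in the manifest records why the Job is now named `contour-certgen-v1.5.0` or what `--overwrite` does to the secrets it already finds, so the per-release name bump is easy to miss and the rotation side effect easy to forget. Read together with the commit message, the version suffix plus `--overwrite` mean every `kubectl apply` of a new release re-runs certgen and replaces the existing xDS secrets (presumably `contourcert` and `envoycert`), i.e. rotates the CA and leaf certificates on each upgrade; I'd state that above `metadata:` as `# The version suffix forces a fresh Job per release; with --overwrite this rotates the xDS certificates on every upgrade.` The same comment belongs on the copy of this Job in examples/render/contour.yaml, which has to stay in sync with this file. The container spec these args belong to starts above the hunk and its `env:` list continues below it.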
8 changes: 1 addition & 7 deletions examples/contour/03-contour.yaml
Expand Up @@ -42,7 +42,7 @@ spec:
- --xds-port=8001
- --envoy-service-http-port=80
- --envoy-service-https-port=443
- --contour-cafile=/ca/cacert.pem
- --contour-cafile=/certs/ca.crt
- --contour-cert-file=/certs/tls.crt
- --contour-key-file=/certs/tls.key
- --config-path=/config/contour.yaml
Expand Down Expand Up @@ -70,9 +70,6 @@ spec:
- name: contourcert
mountPath: /certs
readOnly: true
- name: cacert
mountPath: /ca
readOnly: true
- name: contour-config
mountPath: /config
readOnly: true
Expand All @@ -97,9 +94,6 @@ spec:
- name: contourcert
secret:
secretName: contourcert
- name: cacert
secret:
secretName: cacert
- name: contour-config
configMap:
name: contour
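Review bot: `--contour-cafile=/certs/ca.crt` now depends on the `contourcert` secret carrying a `ca.crt` key next to `tls.crt` and `tls.key`, and nothing in the manifest states that contract now that the separate `cacert` volume is gone. If the secret is later issued by cert-manager rather than certgen, `ca.crt` is only populated when the issuer can expose its CA, so a comment on the `contourcert` volume would save a confusing startup failure: `# kubernetes.io/tls-style secret: ca.crt, tls.crt and tls.key must all be present (a cert-manager issuer has to populate ca.crt)`. The reload-without-restart behaviour described in the commit message relies on the secret being mounted as a whole directory rather than through `subPath`, which is the case here and is worth stating next to `readOnly: true` so nobody "simplifies" it later. The contour Deployment in examples/render/contour.yaml needs the same comments; both hunks here sit inside a container and volume list that start outside the hunk.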
11 changes: 2 additions & 9 deletions examples/contour/03-envoy.yaml
Expand Up @@ -86,8 +86,6 @@ spec:
mountPath: /config
- name: envoycert
mountPath: /certs
- name: cacert
mountPath: /ca
lifecycle:
preStop:
httpGet:
Expand All @@ -100,7 +98,8 @@ spec:
- /config/envoy.json
- --xds-address=contour
- --xds-port=8001
- --envoy-cafile=/ca/cacert.pem
- --resources-dir=/config/resources
- --envoy-cafile=/certs/ca.crt
- --envoy-cert-file=/certs/tls.crt
- --envoy-key-file=/certs/tls.key
command:
Expand All @@ -114,9 +113,6 @@ spec:
- name: envoycert
mountPath: /certs
readOnly: true
- name: cacert
mountPath: /ca
readOnly: true
env:
- name: CONTOUR_NAMESPACE
valueFrom:
Expand All @@ -130,7 +126,4 @@ spec:
- name: envoycert
secret:
secretName: envoycert
- name: cacert
secret:
secretName: cacert
restartPolicy: Always
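Review bot: The envoy container's `envoycert` mount at `mountPath: /certs` in the first hunk has no `readOnly: true`, while the same secret mounted into the init container later in this file does; secret volumes are read-only by default on current Kubernetes, but the explicit flag makes the least-privilege intent visible and should be added for consistency: `readOnly: true`. Separately, `--resources-dir=/config/resources` is introduced with no explanation; it looks like it tells the bootstrap where to write the resource files that let Envoy pick up the certificates under `/certs` without a restart, but that is inferred from the commit message, so a comment such as `# resources-dir: bootstrap writes its resource files here so Envoy reloads /certs without a restart — confirm against the contour bootstrap flags` would record the intent once confirmed. The identical hunks in examples/render/contour.yaml need the same two changes. The containers these hunks modify start and end outside the hunks.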
25 changes: 7 additions & 18 deletions examples/render/contour.yaml
Expand Up @@ -1439,7 +1439,7 @@ rules:
apiVersion: batch/v1
kind: Job
metadata:
name: contour-certgen
name: contour-certgen-v1.5.0
namespace: projectcontour
spec:
ttlSecondsAfterFinished: 0
Expand All @@ -1459,8 +1459,10 @@ spec:
command:
- contour
- certgen
- --incluster
- --kube
- --incluster
- --overwrite
- --secrets-format=compact
- --namespace=$(CONTOUR_NAMESPACE)
env:
- name: CONTOUR_NAMESPACE
Expand Down Expand Up @@ -1696,7 +1698,7 @@ spec:
- --xds-port=8001
- --envoy-service-http-port=80
- --envoy-service-https-port=443
- --contour-cafile=/ca/cacert.pem
- --contour-cafile=/certs/ca.crt
- --contour-cert-file=/certs/tls.crt
- --contour-key-file=/certs/tls.key
- --config-path=/config/contour.yaml
Expand Down Expand Up @@ -1724,9 +1726,6 @@ spec:
- name: contourcert
mountPath: /certs
readOnly: true
- name: cacert
mountPath: /ca
readOnly: true
- name: contour-config
mountPath: /config
readOnly: true
Expand All @@ -1751,9 +1750,6 @@ spec:
- name: contourcert
secret:
secretName: contourcert
- name: cacert
secret:
secretName: cacert
- name: contour-config
configMap:
name: contour
Expand Down Expand Up @@ -1849,8 +1845,6 @@ spec:
mountPath: /config
- name: envoycert
mountPath: /certs
- name: cacert
mountPath: /ca
lifecycle:
preStop:
httpGet:
Expand All @@ -1863,7 +1857,8 @@ spec:
- /config/envoy.json
- --xds-address=contour
- --xds-port=8001
- --envoy-cafile=/ca/cacert.pem
- --resources-dir=/config/resources
- --envoy-cafile=/certs/ca.crt
- --envoy-cert-file=/certs/tls.crt
- --envoy-key-file=/certs/tls.key
command:
Expand All @@ -1877,9 +1872,6 @@ spec:
- name: envoycert
mountPath: /certs
readOnly: true
- name: cacert
mountPath: /ca
readOnly: true
env:
- name: CONTOUR_NAMESPACE
valueFrom:
Expand All @@ -1893,7 +1885,4 @@ spec:
- name: envoycert
secret:
secretName: envoycert
- name: cacert
secret:
secretName: cacert
restartPolicy: Always
