Update deployment to use rotatable bootstrap config #2524

Closed
jpeach opened this issue May 14, 2020 · 0 comments · Fixed by #2553
Labels
area/deployment Issues or PRs related to deployment tooling or infrastructure. lifecycle/accepted Denotes an issue that has been triaged and determined to be valid. release-note Denotes a PR that will be considered when it comes time to generate release notes.


jpeach commented May 14, 2020

Please describe the problem you have

Update the default deployment YAML to generate an Envoy bootstrap that is able to rotate xDS certificates (as per #2333)

jpeach added the release-note, area/deployment and lifecycle/accepted labels May 14, 2020
jpeach added a commit to jpeach/contour that referenced this issue May 27, 2020
Switch the certgen xDS certificate generation over to using certificates
that are compatible with certificate-manager. This requires the certgen
job to run again, which means we have to give it a unique name. Using
a version-locked name will let it run on each upgrade, which will have
the beneficial side-effect of rotating the xDS certificates.

The envoy and contour pods will restart because the secrets mounts change,
but they will restart at release time anyway because the container image
will change.

After this change, re-running certgen to rotate the xDS certificates
will not require restarting any pods.

This fixes projectcontour#2524.
This updates projectcontour#2143.

Signed-off-by: James Peach <[email protected]>
jpeach added a commit that referenced this issue May 28, 2020
Switch the certgen xDS certificate generation over to using certificates
that are compatible with certificate-manager. This requires the certgen
job to run again, which means we have to give it a unique name. Using
a version-locked name will let it run on each upgrade, which will have
the beneficial side-effect of rotating the xDS certificates.

The envoy and contour pods will restart because the secrets mounts change,
but they will restart at release time anyway because the container image
will change.

After this change, re-running certgen to rotate the xDS certificates
will not require restarting any pods.

This fixes #2524.
This updates #2143.

Signed-off-by: James Peach <[email protected]>