Default ctrl plane cert expiry time to 5 years (#2175)

* Revert "refactor: support custom gateway cert expiry days. (#2047)"

This reverts commit 6b2c0e6.

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* Default cert expire time to 5 years

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* fix overWriteControlPlaneCerts field

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* make generate

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

---------

Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Co-authored-by: zirain <zirain2009@gmail.com>

api/v1alpha1/envoygateway_types.go

@@ -192,7 +192,8 @@ type EnvoyGatewayKubernetesProvider struct {
 	// +optional
 	Deploy *KubernetesDeployMode `json:"deploy,omitempty"`
 	// OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set.
-	OverwriteControlPlaneCerts bool `json:"overwrite_control_plane_certs,omitempty"`
+	// +optional
+	OverwriteControlPlaneCerts *bool `json:"overwriteControlPlaneCerts,omitempty"`
 }
 
 const (

charts/gateway-helm/templates/certgen.yaml

@@ -31,8 +31,6 @@ spec:
               fieldPath: metadata.namespace
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ .Values.kubernetesClusterDomain }}
-        - name: ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS
-          value: "{{ .Values.deployment.envoyGateway.cert.expiryDays }}"
         image: {{ .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
         imagePullPolicy: {{ .Values.deployment.envoyGateway.imagePullPolicy }}
         name: envoy-gateway-certgen

charts/gateway-helm/values.tmpl.yaml

@@ -1,7 +1,5 @@
 deployment:
   envoyGateway:
-    cert:
-      expiryDays: 365
     image:
       repository: ${ImageRepository}
       tag: '${ImageTag}'

internal/cmd/certgen.go

@@ -66,7 +66,8 @@ func outputCerts(ctx context.Context, cli client.Client, cfg *config.Server, cer
 	if cfg.EnvoyGateway != nil &&
 		cfg.EnvoyGateway.Provider != nil &&
 		cfg.EnvoyGateway.Provider.Kubernetes != nil &&
-		cfg.EnvoyGateway.Provider.Kubernetes.OverwriteControlPlaneCerts {
+		cfg.EnvoyGateway.Provider.Kubernetes.OverwriteControlPlaneCerts != nil &&
+		*cfg.EnvoyGateway.Provider.Kubernetes.OverwriteControlPlaneCerts {
 		updateSecrets = true
 	}
 	secrets, err := kubernetes.CreateOrUpdateSecrets(ctx, cli, kubernetes.CertsToSecret(cfg.Namespace, certs), updateSecrets)

internal/crypto/certgen.go

@@ -28,6 +28,9 @@ const (
 	// DefaultEnvoyDNSPrefix defines the default Envoy DNS prefix.
 	DefaultEnvoyDNSPrefix = "*"
 
+	// DefaultCertificateLifetime holds the default certificate lifetime (in days).
+	DefaultCertificateLifetime = 365 * 5
+
 	// keySize sets the RSA key size to 2048 bits. This is minimum recommended size
 	// for RSA keys.
 	keySize = 2048
@@ -94,7 +97,7 @@ func GenerateCerts(cfg *config.Server) (*Certificates, error) {
 	switch certCfg.Provider.Type {
 	case ProviderTypeEnvoyGateway:
 		now := time.Now()
-		expiry := now.Add(24 * time.Duration(cfg.CertificateExpiryDays) * time.Hour)
+		expiry := now.Add(24 * time.Duration(DefaultCertificateLifetime) * time.Hour)
 		caCertPEM, caKeyPEM, err := newCA(DefaultEnvoyGatewayDNSPrefix, expiry)
 		if err != nil {
 			return nil, err

internal/envoygateway/config/config.go

@@ -23,8 +23,6 @@ const (
 	EnvoyGatewayServiceName = "envoy-gateway"
 	// EnvoyPrefix is the prefix applied to the Envoy ConfigMap, Service, Deployment, and ServiceAccount.
 	EnvoyPrefix = "envoy"
-	// DefaultCertificateExpiryDays holds the default certificate lifetime (in days).
-	DefaultCertificateExpiryDays = 365
 )
 
 // Server wraps the EnvoyGateway configuration and additional parameters
@@ -38,8 +36,6 @@ type Server struct {
 	DNSDomain string
 	// Logger is the logr implementation used by Envoy Gateway.
 	Logger logging.Logger
-	// CertificateExpiryDays holds the certificate lifetime (in days).
-	CertificateExpiryDays int
 }
 
 // New returns a Server with default parameters.
@@ -49,8 +45,7 @@ func New() (*Server, error) {
 		Namespace:    env.Lookup("ENVOY_GATEWAY_NAMESPACE", DefaultNamespace),
 		DNSDomain:    env.Lookup("KUBERNETES_CLUSTER_DOMAIN", DefaultDNSDomain),
 		// the default logger
-		Logger:                logging.DefaultLogger(v1alpha1.LogLevelInfo),
-		CertificateExpiryDays: env.Lookup("ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS", DefaultCertificateExpiryDays),
+		Logger: logging.DefaultLogger(v1alpha1.LogLevelInfo),
 	}, nil
 }
 

site/content/en/latest/api/extension_types.md

@@ -363,7 +363,7 @@ _Appears in:_
 | `rateLimitDeployment` _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource. If unspecified, default settings for the managed Envoy ratelimit deployment resource are applied. |
 | `watch` _[KubernetesWatchMode](#kuberneteswatchmode)_ | Watch holds configuration of which input resources should be watched and reconciled. |
 | `deploy` _[KubernetesDeployMode](#kubernetesdeploymode)_ | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane should be deployed |
-| `overwrite_control_plane_certs` _boolean_ | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. |
+| `overwriteControlPlaneCerts` _boolean_ | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. |
 
 
 #### EnvoyGatewayLogComponent

site/content/en/latest/install/api.md

@@ -32,7 +32,6 @@ The Helm chart for Envoy Gateway
 | config.envoyGateway.logging.level.default | string | `"info"` |  |
 | config.envoyGateway.provider.type | string | `"Kubernetes"` |  |
 | createNamespace | bool | `false` |  |
-| deployment.envoyGateway.cert.expiryDays | int | `365` |  |
 | deployment.envoyGateway.image.repository | string | `"${ImageRepository}"` |  |
 | deployment.envoyGateway.image.tag | string | `"${ImageTag}"` |  |
 | deployment.envoyGateway.imagePullPolicy | string | `"Always"` |  |