From f92da904d8f09b622a3d00445d537593a30c7868 Mon Sep 17 00:00:00 2001
From: Arko Dasgupta
Date: Mon, 13 Nov 2023 17:39:05 -0800
Subject: [PATCH] Default ctrl plane cert expiry time to 5 years (#2175)

* Revert "refactor: support custom gateway cert expiry days. (#2047)"
This reverts commit 6b2c0e68918fa6d291241fa98738028bf80a8e89.
Signed-off-by: Arko Dasgupta
* Default cert expire time to 5 years
Signed-off-by: Arko Dasgupta
* fix overWriteControlPlaneCerts field
Signed-off-by: Arko Dasgupta
* make generate
Signed-off-by: Arko Dasgupta
---------
Signed-off-by: Arko Dasgupta
Co-authored-by: zirain
---
 api/v1alpha1/envoygateway_types.go | 3 ++-
 api/v1alpha1/zz_generated.deepcopy.go | 5 +++++
 charts/gateway-helm/templates/certgen.yaml | 2 --
 charts/gateway-helm/values.tmpl.yaml | 2 --
 internal/cmd/certgen.go | 3 ++-
 internal/crypto/certgen.go | 5 ++++-
 internal/envoygateway/config/config.go | 7 +------
 site/content/en/latest/api/extension_types.md | 2 +-
 site/content/en/latest/install/api.md | 1 -
 9 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go
index 88357b12e6b..d479d3f7f9e 100644
--- a/api/v1alpha1/envoygateway_types.go
+++ b/api/v1alpha1/envoygateway_types.go
@@ -192,7 +192,8 @@ type EnvoyGatewayKubernetesProvider struct {
 	// +optional
 	Deploy *KubernetesDeployMode `json:"deploy,omitempty"`
 	// OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set.
-	OverwriteControlPlaneCerts bool `json:"overwrite_control_plane_certs,omitempty"`
+	// +optional
+	OverwriteControlPlaneCerts *bool `json:"overwriteControlPlaneCerts,omitempty"`
 }
 
 const (
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 9054a1e40bd..0f946420069 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
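Review bot: The tag rename from `overwrite_control_plane_certs` to `overwriteControlPlaneCerts` in the EnvoyGatewayKubernetesProvider hunk means an existing config that still uses the snake_case key will, unless the decoder rejects unknown fields, leave the new `*bool` nil, and judging by the internal/cmd/certgen.go hunk that quietly turns off overwriting of the control-plane cert secrets with no error. The doc comment also no longer says what nil versus false means now that the field is a pointer; suggested wording: `// OverwriteControlPlaneCerts updates the secrets containing the control plane certs when set to true. Unset or false leaves existing secrets untouched.`. A release note calling out the key rename would make the silent fallback visible to operators. The enclosing struct begins before the hunk.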
@@ -498,6 +498,11 @@ func (in *EnvoyGatewayKubernetesProvider) DeepCopyInto(out *EnvoyGatewayKubernet
 		*out = new(KubernetesDeployMode)
 		**out = **in
 	}
+	if in.OverwriteControlPlaneCerts != nil {
+		in, out := &in.OverwriteControlPlaneCerts, &out.OverwriteControlPlaneCerts
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyGatewayKubernetesProvider.
diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml
index e59981bc0f6..4d49597fec0 100644
--- a/charts/gateway-helm/templates/certgen.yaml
+++ b/charts/gateway-helm/templates/certgen.yaml
@@ -31,8 +31,6 @@ spec:
               fieldPath: metadata.namespace
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ .Values.kubernetesClusterDomain }}
-        - name: ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS
-          value: "{{ .Values.deployment.envoyGateway.cert.expiryDays }}"
         image: {{ .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
         imagePullPolicy: {{ .Values.deployment.envoyGateway.imagePullPolicy }}
         name: envoy-gateway-certgen
diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml
index b4236aa37c8..a65b0233bc4 100644
--- a/charts/gateway-helm/values.tmpl.yaml
+++ b/charts/gateway-helm/values.tmpl.yaml
@@ -1,7 +1,5 @@
 deployment:
   envoyGateway:
-    cert:
-      expiryDays: 365
     image:
       repository: ${ImageRepository}
       tag: '${ImageTag}'
diff --git a/internal/cmd/certgen.go b/internal/cmd/certgen.go
index 71ec551a7b6..83dafca8440 100644
--- a/internal/cmd/certgen.go
+++ b/internal/cmd/certgen.go
@@ -66,7 +66,8 @@ func outputCerts(ctx context.Context, cli client.Client, cfg *config.Server, cer
 	if cfg.EnvoyGateway != nil &&
 		cfg.EnvoyGateway.Provider != nil &&
 		cfg.EnvoyGateway.Provider.Kubernetes != nil &&
-		cfg.EnvoyGateway.Provider.Kubernetes.OverwriteControlPlaneCerts {
+		cfg.EnvoyGateway.Provider.Kubernetes.OverwriteControlPlaneCerts != nil &&
+		*cfg.EnvoyGateway.Provider.Kubernetes.OverwriteControlPlaneCerts {
 		updateSecrets = true
 	}
 	secrets, err := kubernetes.CreateOrUpdateSecrets(ctx, cli, kubernetes.CertsToSecret(cfg.Namespace, certs), updateSecrets)
diff --git a/internal/crypto/certgen.go b/internal/crypto/certgen.go
index e347639ff13..4f0e86f6bfc 100644
--- a/internal/crypto/certgen.go
+++ b/internal/crypto/certgen.go
@@ -28,6 +28,9 @@ const (
 	// DefaultEnvoyDNSPrefix defines the default Envoy DNS prefix.
 	DefaultEnvoyDNSPrefix = "*"
 
+	// DefaultCertificateLifetime holds the default certificate lifetime (in days).
+	DefaultCertificateLifetime = 365 * 5
+
 	// keySize sets the RSA key size to 2048 bits. This is minimum recommended size
 	// for RSA keys.
 	keySize = 2048
@@ -94,7 +97,7 @@ func GenerateCerts(cfg *config.Server) (*Certificates, error) {
 	switch certCfg.Provider.Type {
 	case ProviderTypeEnvoyGateway:
 		now := time.Now()
-		expiry := now.Add(24 * time.Duration(cfg.CertificateExpiryDays) * time.Hour)
+		expiry := now.Add(24 * time.Duration(DefaultCertificateLifetime) * time.Hour)
 		caCertPEM, caKeyPEM, err := newCA(DefaultEnvoyGatewayDNSPrefix, expiry)
 		if err != nil {
 			return nil, err
diff --git a/internal/envoygateway/config/config.go b/internal/envoygateway/config/config.go
index 259f0d56368..4c9674a88b4 100644
--- a/internal/envoygateway/config/config.go
+++ b/internal/envoygateway/config/config.go
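Review bot: The new nil-then-deref pair in the outputCerts condition reads as a plain truthiness test, and nothing on the hunk records that nil and false are deliberately equivalent for a secret-overwriting operation. A short comment above the `if` would pin that down: `// Only an explicit true overwrites existing cert secrets; unset and false are both "leave them alone".`. outputCerts begins before the hunk and continues after it.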
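Review bot: `DefaultCertificateLifetime = 365 * 5` in the const hunk is a bare integer whose unit lives only in its comment, which is why the GenerateCerts hunk below still has to spell out `24 * time.Duration(DefaultCertificateLifetime) * time.Hour`. Declaring it as a duration, `DefaultCertificateLifetime = 5 * 365 * 24 * time.Hour`, lets that line become `expiry := now.Add(DefaultCertificateLifetime)` and removes the unit mismatch for future callers; the file already imports time. Since this patch also removes the `CertificateExpiryDays` override in config.go, the constant's doc comment should say that this lifetime is now fixed and is passed to newCA as the CA expiry, so operators know rotation depends on re-running certgen rather than on a shorter validity. Any leaf certificate issuance below the hunk is not visible here.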
@@ -23,8 +23,6 @@ const (
 	EnvoyGatewayServiceName = "envoy-gateway"
 	// EnvoyPrefix is the prefix applied to the Envoy ConfigMap, Service, Deployment, and ServiceAccount.
 	EnvoyPrefix = "envoy"
-	// DefaultCertificateExpiryDays holds the default certificate lifetime (in days).
-	DefaultCertificateExpiryDays = 365
 )
 
 // Server wraps the EnvoyGateway configuration and additional parameters
@@ -38,8 +36,6 @@ type Server struct {
 	DNSDomain string
 	// Logger is the logr implementation used by Envoy Gateway.
 	Logger logging.Logger
-	// CertificateExpiryDays holds the certificate lifetime (in days).
-	CertificateExpiryDays int
 }
 
 // New returns a Server with default parameters.
@@ -49,8 +45,7 @@ func New() (*Server, error) {
 		Namespace: env.Lookup("ENVOY_GATEWAY_NAMESPACE", DefaultNamespace),
 		DNSDomain: env.Lookup("KUBERNETES_CLUSTER_DOMAIN", DefaultDNSDomain),
 		// the default logger
-		Logger: logging.DefaultLogger(v1alpha1.LogLevelInfo),
-		CertificateExpiryDays: env.Lookup("ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS", DefaultCertificateExpiryDays),
+		Logger: logging.DefaultLogger(v1alpha1.LogLevelInfo),
 	}, nil
 }
 
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index f897adbc5ea..33a6a43dc5d 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
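Review bot: With the `CertificateExpiryDays` line dropped from the New() literal, a deployment that still sets `ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS` (for example one that had deliberately shortened the validity) now falls back to the new five-year default with no signal at all. A one-line check in New() that calls `os.LookupEnv("ENVOY_GATEWAY_CERTIFICATE_EXPIRY_DAYS")` and returns an error or logs a warning when the stale variable is present would make the revert visible during rollout instead of silently lengthening the certificate lifetime. New() continues past the hunk.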
@@ -363,7 +363,7 @@ _Appears in:_
 | `rateLimitDeployment` _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource. If unspecified, default settings for the managed Envoy ratelimit deployment resource are applied. |
 | `watch` _[KubernetesWatchMode](#kuberneteswatchmode)_ | Watch holds configuration of which input resources should be watched and reconciled. |
 | `deploy` _[KubernetesDeployMode](#kubernetesdeploymode)_ | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane should be deployed |
-| `overwrite_control_plane_certs` _boolean_ | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. |
+| `overwriteControlPlaneCerts` _boolean_ | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. |
 
 
 #### EnvoyGatewayLogComponent
diff --git a/site/content/en/latest/install/api.md b/site/content/en/latest/install/api.md
index 253d528bdfb..9e2d9e91dcc 100644
--- a/site/content/en/latest/install/api.md
+++ b/site/content/en/latest/install/api.md
@@ -32,7 +32,6 @@ The Helm chart for Envoy Gateway
 | config.envoyGateway.logging.level.default | string | `"info"` | |
 | config.envoyGateway.provider.type | string | `"Kubernetes"` | |
 | createNamespace | bool | `false` | |
-| deployment.envoyGateway.cert.expiryDays | int | `365` | |
 | deployment.envoyGateway.image.repository | string | `"${ImageRepository}"` | |
 | deployment.envoyGateway.image.tag | string | `"${ImageTag}"` | |
 | deployment.envoyGateway.imagePullPolicy | string | `"Always"` | |