site: Add docs on how to rotate gRPC certs #2282

Merged
merged 2 commits into from
Feb 25, 2020
22 changes: 22 additions & 0 deletions site/docs/master/grpc-tls-howto.md
Expand Up @@ -104,6 +104,28 @@ $ kubectl create secret -n projectcontour tls envoycert \

Note that we don't put the CA **key** into the cluster, there's no reason for that to be there, and that would create a security problem. That also means that the `cacert` secret can't be a `tls` type secret, as they must be a keypair.

## Rotating Certificates

Eventually the certificates that Contour & Envoy use will need to be rotated.
The following steps can be taken to change the certificates that Contour / Envoy are using with new ones.
The high-level

1. Delete the secret that holds the gRPC TLS keypair
2. Generate new secrets
3. Contour will automatically rotate its certificate
4. Restart all Envoy pods

### Rotate using the contour-cergen job

If using the built-in Contour certificate generation the following steps can be taken:

1. Delete the secret that holds the gRPC TLS keypair
- `kubectl delete secret cacert contourcert envoycert -n projectcontour`
2. Delete the contour-certgen job
- `kubectl delete job contour-certgen -n projectcontour`
3. Reapply the contour-certgen job from [certgen.yaml][1]
4. Restart all Envoy pods

# Conclusion

Once this process is done, the certificates will be present as Secrets in the `projectcontour` namespace, as required by
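Review bot: the procedure deletes the CA together with both leaf certificates (`kubectl delete secret cacert contourcert envoycert -n projectcontour`) and then says Contour picks up the new certificate automatically, but it never states that from that moment until step 4 is done every Envoy pod still running with the old `envoycert` material cannot establish a gRPC connection to Contour, since Envoy reads its certificates at bootstrap and neither side's certificate chains to the other's CA any more. Step 4 should be marked as required immediately after the certgen job completes and given a concrete command (for the example DaemonSet, `kubectl rollout restart daemonset envoy -n projectcontour`), or the text should say explicitly that a restart is the only way Envoy reloads its certificates. Two smaller points in the same hunk: "The high-level" is a sentence fragment (suggest "The high-level steps are:"), and the heading "Rotate using the contour-cergen job" misspells the job name used two lines later (`contour-certgen`). Step 1 also says "the secret" while the command removes three secrets; "Delete the secrets that hold the CA and the gRPC TLS keypairs" would match the command.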
22 changes: 22 additions & 0 deletions site/docs/v1.2.0/grpc-tls-howto.md
Expand Up @@ -104,6 +104,28 @@ $ kubectl create secret -n projectcontour tls envoycert \

Note that we don't put the CA **key** into the cluster, there's no reason for that to be there, and that would create a security problem. That also means that the `cacert` secret can't be a `tls` type secret, as they must be a keypair.

## Rotating Certificates

Eventually the certificates that Contour & Envoy use will need to be rotated.
The following steps can be taken to change the certificates that Contour / Envoy are using with new ones.
The high-level

1. Delete the secret that holds the gRPC TLS keypair
2. Generate new secrets
3. Contour will automatically rotate its certificate
4. Restart all Envoy pods

### Rotate using the contour-cergen job

If using the built-in Contour certificate generation the following steps can be taken:

1. Delete the secret that holds the gRPC TLS keypair
- `kubectl delete secret cacert contourcert envoycert -n projectcontour`
2. Delete the contour-certgen job
- `kubectl delete job contour-certgen -n projectcontour`
3. Reapply the contour-certgen job from [certgen.yaml][1]
4. Restart all Envoy pods

# Conclusion

Once this process is done, the certificates will be present as Secrets in the `projectcontour` namespace, as required by
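Review bot: this hunk is a byte-for-byte copy of the change to site/docs/master/grpc-tls-howto.md, so the same defects land in the v1.2.0 docs: the fragment "The high-level", the misspelled heading "contour-cergen" (the job is `contour-certgen`), and the missing warning that Envoy pods keep the old certificates, and so lose their gRPC connection to Contour, until they are restarted. Whatever fix is applied to the master copy needs to be applied here as well, otherwise the versioned page and the master page will disagree.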