Skip to content

Non-disruptive certificate rotation #4891

Description

@guydc

Description:
Currently, we have MTLS connections for:

  • Envoy Gateway <> Envoy
  • Envoy <> Rate Limit server

Envoy Gateway generates client and server certificates for all of the above components and typically provides them as mounted secrets to relevant pods. A job that runs in the helm pre-install and pre-upgrade hooks is responsible for rotation.

It is a common security practice to use short-lived certificates that are rotated frequently. In Envoy Gateway, CA certificates and leaf certificates are handled with the same level of security (storage, access, ... ), and should both be rotated.

To support frequent and non-disruptive rotation, the following is required:

  • All components are capable of dynamically reloading certificates when they change.
  • Certificates are rotated in a backwards-compatible manner. For example, a new trusted CA is added and the old CA is removed only after all components were able to load the latest CA/leaf certificate. This is especially relevant for data-plane components like Rate Limit where client-facing failures may occur if Envoy and Rate Limit are not both synchronized on the latests CA/leaf certificates.

Currently, these requirements are not met:

[optional Relevant Links:]

Any extra documentation required to understand the issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/infra-mgrIssues related to the provisioner used for provisioning the managed Envoy Proxy fleet.stale

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions