HELM Upgrade failed from 1.5.2 to 1.5.3 #7218
Closed
Labels: kind/bug (Something isn't working)
Description:
The upgrade to 1.5.3 is not working because the certgen pre-upgrade job failed (and also the envoy-gateway pod when the certgen job is skipped).
Repro steps:
Helm Upgrade / Argo sync from any previous version
default custom certificate provided by cert-manager
Environment:
Logs:
kubectl -n infra-envoy-gateway-system logs envoy-gateway-certgen-pcv9z -f
2025-10-13T09:07:07.021Z INFO cmd/certgen.go:76 generated certificates
Error: failed to output certificates: failed to create or update secrets: failed to get secret infra-envoy-gateway-system/envoy-gateway: failed to get server groups: Get "https://10.32.0.1:443/api": tls: failed to parse certificate from server: x509: SAN dNSName is malformed
Usage:
envoy-gateway certgen [flags]
Flags:
--disable-topology-injector Disables patching caBundle for injector MutatingWebhookConfiguration.
-h, --help help for certgen
-l, --local Generate all the certificates locally.
-o, --overwrite Updates the secrets containing the control plane certs.
failed to output certificates: failed to create or update secrets: failed to get secret infra-envoy-gateway-system/envoy-gateway: failed to get server groups: Get "https://10.32.0.1:443/api": tls: failed to parse certificate from server: x509: SAN dNSName is malformed
Previous version logs:
kubectl -n infra-envoy-gateway-system logs envoy-gateway-certgen-6qsw6 -f
2025-10-13T09:04:59.205Z INFO cmd/certgen.go:76 generated certificates
2025-10-13T09:04:59.281Z INFO cmd/certgen.go:107 [infra-envoy-gateway-system/envoy-gateway infra-envoy-gateway-system/envoy infra-envoy-gateway-system/envoy-rate-limit infra-envoy-gateway-system/envoy-oidc-hmac]: skipped creating secret since it already exists;Either update the secrets manually or set overwriteControlPlaneCerts in the EnvoyGateway config