Skip to content

bug: xDS server in GatewayNamespaceMode does not hot-reload its TLS cert after rotation #8995

Description

@nguyenptk

Description:

In GatewayNamespaceMode, the xDS gRPC server is initialized with credentials.NewServerTLSFromFile, which reads the certificate and private key from disk once at startup. After a cert rotation (e.g. via cert-manager), the server continues to present the original certificate. There is no mechanism to pick up the new cert without restarting the Envoy Gateway pod.

The default deployment mode does not have this issue: crypto.LoadTLSConfig returns a *tls.Config with GetConfigForClient set, which re-reads the cert from disk on every TLS handshake. The GatewayNamespaceMode branch was missing the equivalent behavior.

Repro steps:

  1. Deploy Envoy Gateway with GatewayNamespaceMode enabled.
  2. Configure the xDS server cert/key to be managed by cert-manager (or any rotator that overwrites the mounted Secret in place).
  3. Wait for a rotation to occur without restarting the EG pod.
  4. The EG pod continues to serve the pre-rotation certificate on new xDS connections, confirmed by inspecting the presented cert (e.g. openssl s_client).

Environment:

  • Envoy Gateway: main (and latest released minor).
  • Deployment mode: GatewayNamespaceMode.
  • Affected code: credentials.NewServerTLSFromFile call in internal/xds/runner/runner.go.

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions