How to Renew Envoy Pod TLS Certificates

one year after a swimlane spi installation, the envoy pod self signed tls certificate created during the installation will expire a feature to auto renew these certs at thirty days prior to expiration is available on embedded spi (10 5 0 295+) running ekco 0 16 0+ to check the version of ekco, run kubectl get installers swimlane platform o jsonpath="{ spec ekco version}" && echo for older versions, manually create a new envoy pod tls certificate using the following instructions step 1 confirm the envoy pod tls certificate expiration date run this command to see the current envoy pod certificate expiration date for pod in $(kubectl get pods n projectcontour l app=envoy o=name) do echo $pod echo =============== echo ca crt kubectl exec $pod n projectcontour c envoy openssl x509 enddate noout in /certs/ca crt echo tls crt kubectl exec $pod n projectcontour c envoy openssl x509 enddate noout in /certs/tls crt done the output will look similar to pod/envoy 9rct8 \=============== ca crt notafter=dec 10 20 58 33 2021 gmt tls crt notafter=dec 10 20 58 33 2021 gmt step 2 renew the envoy pod tls certificate (these instructions need only be performed once, regardless of the number of cluster nodes ) \# delete the "envoycert" secret kubectl delete secret envoycert n projectcontour \# delete the job kubectl delete jobs n projectcontour contour certgen v1 7 0 \# download the attached "contour certgen v1 7 0 yaml" file and apply it to the cluster kubectl apply f contour certgen v1 7 0 yaml \# restart envoy kubectl rollout restart n projectcontour daemonset/envoy kubectl rollout restart n projectcontour deploy/contour step 3 check kubernetes certificates expiration dates and renew if necessary follow the steps outlined in how to renew certificates on kubernetes