missing the envoy-gateaway-config for certgen command

[qicz]

Description:

What issue is being seen? Describe what should be happening instead of
the bug, for example: Envoy should not crash, the expected value isn't
returned, etc.

Currently, the certgen job does not mount the envoy-gateway-config, so it can not read the extension config from envoy-gateway-config.

Repro steps:

Include sample requests, environment, etc. All data and inputs
required to reproduce the bug.

Note: If there are privacy concerns, sanitize the data prior to
sharing.

Environment:

Include the environment like gateway version, envoy version and so on.

Logs:

Include the access logs and the Envoy logs.

[qicz]

the certgen command just read the OverwriteControlPlaneCerts from envoy-gateway-config. so there are three options,

opt1: init with true for the OverwriteControlPlaneCerts

gateway/api/v1alpha1/envoygateway_helpers.go

Lines 168 to 176 in 67bf63c

	// DefaultEnvoyGatewayProvider returns a new EnvoyGatewayProvider with default configuration parameters.
	func DefaultEnvoyGatewayProvider() *EnvoyGatewayProvider {
	return &EnvoyGatewayProvider{
	Type: ProviderTypeKubernetes,
	Kubernetes: &EnvoyGatewayKubernetesProvider{
	LeaderElection: DefaultLeaderElection(),
	},
	}
	}

to

// DefaultEnvoyGatewayProvider returns a new EnvoyGatewayProvider with default configuration parameters.
func DefaultEnvoyGatewayProvider() *EnvoyGatewayProvider {
	return &EnvoyGatewayProvider{
		Type: ProviderTypeKubernetes,
		Kubernetes: &EnvoyGatewayKubernetesProvider{
			LeaderElection: DefaultLeaderElection(),
			OverwriteControlPlaneCerts: true,
		},
	}
}

opt2: support OverwriteControlPlaneCerts logic for certgen command directly

gateway/internal/cmd/certgen.go

Lines 80 to 90 in 67bf63c

	// outputCertsForKubernetes outputs the provided certs to a secret in namespace ns.
	func outputCertsForKubernetes(ctx context.Context, cli client.Client, cfg *config.Server, certs *crypto.Certificates) error {
	var updateSecrets bool
	if cfg.EnvoyGateway != nil &&
	cfg.EnvoyGateway.Provider != nil &&
	cfg.EnvoyGateway.Provider.Kubernetes != nil &&
	cfg.EnvoyGateway.Provider.Kubernetes.OverwriteControlPlaneCerts != nil &&
	*cfg.EnvoyGateway.Provider.Kubernetes.OverwriteControlPlaneCerts {
	updateSecrets = true
	}
	secrets, err := kubernetes.CreateOrUpdateSecrets(ctx, cli, kubernetes.CertsToSecret(cfg.Namespace, certs), updateSecrets)

the line 90, set the parameter with true directly.

 secrets, err := kubernetes.CreateOrUpdateSecrets(ctx, cli, kubernetes.CertsToSecret(cfg.Namespace, certs), true) 

opt3: mount the envoy-gateway-config like EG deployment to cergen job for reading the OverwriteControlPlaneCerts.

@arkodg @zirain any suggestion? I am +1 for opt2

[arkodg]

thanks for flagging this @qicz
I prefer opt 3, since the code today is reusing the same functions
will need to add something similar to

gateway/charts/gateway-helm/templates/envoy-gateway-deployment.yaml

Line 80 in 52f31b1

volumeMounts:

for certgen job template
cc @guydc as this relates to #4891

[guydc]

@arkodg with opt 3, we have an issue: the job is executed in a pre-install/update hook, so it would execute before the configmap is created/updated and would either fail or run with the previous versions's config. Since this functionality is anyway (?) specific to cert-gen, maybe we can just make it a flag for that command?

[arkodg]

good point, yeah flag works

[qicz]

for command flag +1

[zirain]

+1 for flag