github.com/projectcontour/contour@v1.28.2/site/content/posts/2020-03-03-hot-reload-certificates-safely-rollout-envoy-contour-1.2.md (about) 1 --- 2 title: Hot-Reload Certificates and Safely Rollout Envoy with Contour 1.2 3 excerpt: Contour 1.2 includes support for certificate rotation for xDS gRPC interface between Contour and Envoy. Additionally, Contour 1.2 assists in Envoy rollouts in your cluster to minimize the number of connection errors. 4 author_name: Steve Sloka 5 author_avatar: /img/contributors/steve-sloka.png 6 categories: [kubernetes] 7 # Tag should match author to drive author pages 8 tags: ['Contour Team', 'Steve Sloka', 'release'] 9 date: 2020-03-03 10 slug: hot-reload-certificates-safely-rollout-envoy-contour-1.2 11 --- 12 13 Contour continues to add new features to help you better manage Contour operations in a cluster. Our latest feature release, Contour 1.2.0, now includes support for certificate rotation for xDS gRPC interface between Contour and Envoy as well as a new subcommand which assists in Envoy rollouts to minimize the number of connection errors. Additionally, Contour v1.2.1 is a security release which upgrades the version of Envoy to v1.13.1 which includes many [CVE fixes](https://groups.google.com/forum/#!msg/envoy-announce/sVqmxy0un2s/8aq430xiHAAJ). 14 15 ## Hot-Reload Certificates 16 17 A few releases ago, Contour enabled secure communication between Contour and Envoy. This new feature ensured that any communication between Contour and Envoy over its gRPC connection would be secure, mainly securing the communication using TLS certificate keys. 18 19 This was just the first step, however, and we understood that it wouldn’t solve all of our users’ problems. Thanks to [@tsaarni](https://github.com/tsaarni), we now have support for Contour to rotate its certificates without the need to restart the Contour process. 20 21 Future work includes enabling this same functionality for Envoy. This currently has some [open issues that need to be solved in Envoy first](https://github.com/envoyproxy/envoy/issues/9359). 22 23 Big thanks to Tero on all your effort to send these PRs as well as driving the issues upstream! 24 25 ## Envoy Shutdown Manager 26 27 The Envoy process, the data path component of Contour, at times needs to be re-deployed. This could be due to an upgrade, a change in configuration, or a node-failure forcing a redeployment. 28 29 As with any application rollout strategy, we want a way to implement the rollout while minimizing the effect on users. If the Envoy pods are terminated while there are still open connections, then users will receive errors. 30 31 Contour implements a new envoy sub-command which has a shutdown-manager whose job is to manage a single Envoy instance's lifecycle for Kubernetes. The shutdown-manager runs as a new container alongside the Envoy container in the same pod. It exposes two HTTP endpoints that are used for livenessProbe as well as to handle the Kubernetes preStop event hook. 32 33 * livenessProbe: This is used to validate the shutdown manager is still running properly. If requests to /healthz fail, the container will be restarted 34 * preStop: This is used to keep the container running while waiting for Envoy to drain connections. The /shutdown endpoint blocks until the connections are drained 35 36 The Envoy container also has some configuration to implement the shutdown manager. First the preStop hook is configured to use the /shutdown endpoint which blocks the container from exiting. Finally, the pod’s `terminationGracePeriodSeconds` is customized to extend the time in which Kubernetes will allow the pod to be in the Terminating state. The termination grace period defines an upper bound for long-lived sessions. If during shutdown, the connections aren’t drained to the configured amount, the terminationGracePeriodSeconds will send a SIGTERM to the pod killing it. 37 38 {: .center-image } 39 40 {% youtube oO52CV-EAkw %}{: .center-image } 41 42 For more information on this feature, [check out the docs](https://projectcontour.io/docs/v1.2.0/redeploy-envoy/) 43 44 ## Thank you! 45 46 We’re immensely grateful for all the community contributions that help make Contour even better! For version 1.2, special thanks go out to the following people: 47 48 [@awprice](https://github.com/awprice) 49 [@alex1989hu](https://github.com/alex1989hu) 50 [@bgagnon](https://github.com/bgagnon) 51 [@danehans](https://github.com/danehans) 52 [@dhxgit](https://github.com/dhxgit) 53 [@SDBrett](https://github.com/SDBrett) 54 [@uablrek](https://github.com/uablrek) 55 [@rohandvora](https://github.com/rohandvora) 56 [@tsaarni](https://github.com/tsaarni) 57 [@shyaamsn](https://github.com/shyaamsn) 58 [@idealhack](https://github.com/idealhack) 59 [@dbason](https://github.com/dbason) 60 61 ## Future Plans 62 63 The Contour team would love to hear your feedback! Many of the features in this release were driven by users who needed a better way to solve their problems. We’re working hard to add features to Contour, especially in expanding how we approach routing. 64 65 We recommend reading the full release notes for [Contour 1.2](https://github.com/projectcontour/contour/releases/tag/v1.2.0) as well as digging into the [upgrade guide](https://projectcontour.io/resources/upgrading/), which outlines the changes to be aware of when moving to version 1.2. 66 67 If you are interested in contributing, a great place to start is to comment on one of the issues labeled with [Help Wanted](https://github.com/projectcontour/contour/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22) and work with the team on how to resolve them.