Kourier does not appear to watch the CERTS_SECRET_NAME

[richardvflux]

Kourier does not, on a perusal of the code, watch the secret storing the common certificate. If that has been provisioned by certificate manager, then on rotation (usually 3 months) kourier will stop serving traffic.

[richardvflux]

If the core committers would come up with a recommendation on what to do about this, I might be able to convince my company to address it in a PR

[ReToCode]

The CERTS_SECRET_NAME thing is not something we really support within Knative itself, it was more an experimental thing in kourier itself. The current code reads the secret on startup, but also on changes of Knative Ingress objects. To make it automatically reload, ToEnvoySnapshot would need to be called when the Secret changes as well. Basically you add a new watcher on the secret-informer to trigger a reconciliation for all KnativeIngress objects when the secret changes.

An alternative to this is obviously to just kubectl rollout the kourier-controller deployment once the certificate updated.

[richardvflux]

OK, ta - I have been given permission to look at making these changes. We manage the Kourier rollout using the Operator so it would be preferable not to have to hand-hold it :-)

[richardvflux]

I thought before I started I would get the tests confirming it works. The tests are failing however.

[richardvflux]

So on discovery - it wasn't clear what Kourier actually did - but it seems in essence reconcile the Knative Ingress objects, and then reconfigure Envoy Proxy to match. Our desire is that the knative ingresses themselves would be originally populated with the correct shared secret in the shared namespace, and I believe that knative serving is responsible for those, so I will continue my investigation of that code base to ascertain how that fits together and then raise a ticket for advice.

[richardvflux]

no further work.