Closed
Labels
kind/bug: Something isn't working
Description:
The upgrade to 1.5.3 is not working because the certgen pre-upgrade job failed (and the envoy-gateway pod also fails when the certgen job is skipped).
Repro steps:
Helm Upgrade / Argo sync from any previous version
default custom certificate provided by cert-manager
Environment:
Helm release 1.5.3 https://hub.docker.com/layers/envoyproxy/gateway-helm/1.5.3/images/sha256-f64dc1c3c9f03a8f866dd4b945d79b021371c8cb4a29ec30db34a0aad5650d54
Logs:
kubectl -n infra-envoy-gateway-system logs envoy-gateway-certgen-pcv9z -f
2025-10-13T09:07:07.021Z INFO cmd/certgen.go:76 generated certificates
Error: failed to output certificates: failed to create or update secrets: failed to get secret infra-envoy-gateway-system/envoy-gateway: failed to get server groups: Get "https://10.32.0.1:443/api": tls: failed to parse certificate from server: x509: SAN dNSName is malformed
Usage:
envoy-gateway certgen [flags]
Flags:
--disable-topology-injector Disables patching caBundle for injector MutatingWebhookConfiguration.
-h, --help help for certgen
-l, --local Generate all the certificates locally.
-o, --overwrite Updates the secrets containing the control plane certs.
failed to output certificates: failed to create or update secrets: failed to get secret infra-envoy-gateway-system/envoy-gateway: failed to get server groups: Get "https://10.32.0.1:443/api": tls: failed to parse certificate from server: x509: SAN dNSName is malformed
Previous version logs:
kubectl -n infra-envoy-gateway-system logs envoy-gateway-certgen-6qsw6 -f
2025-10-13T09:04:59.205Z INFO cmd/certgen.go:76 generated certificates
2025-10-13T09:04:59.281Z INFO cmd/certgen.go:107 [infra-envoy-gateway-system/envoy-gateway infra-envoy-gateway-system/envoy infra-envoy-gateway-system/envoy-rate-limit infra-envoy-gateway-system/envoy-oidc-hmac]: skipped creating secret since it already exists;Either update the secrets manually or set overwriteControlPlaneCerts in the EnvoyGateway config