Add support to use external sds server and load grpc cert from cert s…
…erver.

Squashed commit of the following:

commit da2f09a
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Thu Nov 4 12:58:50 2021 +0800

    update cert provider client

commit 9c7085f
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Wed Nov 3 16:44:44 2021 +0800

    update

commit 61aaea5
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Tue Nov 2 12:40:26 2021 +0800

    Use mariner as base image

commit 4db3590
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Tue Nov 2 12:01:24 2021 +0800

    Skip vertify bootstrap options when loading cert from sds server

commit 83aba4c
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Tue Nov 2 11:32:54 2021 +0800

    Rename flags

commit eb81432
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Mon Nov 1 17:30:50 2021 +0800

    Add cert options to cli to get certs from cert server

commit c5cea20
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Fri Oct 29 18:21:45 2021 +0800

    avoid calling certificate loader repeatly

commit e95e61c
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Fri Oct 29 16:52:09 2021 +0800

    Add more logs

commit db5263d
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Fri Oct 29 15:37:52 2021 +0800

    Fix tls connection error with envoy

commit 18152d2
Author: Chloe Wang <qiwang@microsoft.com>
Date:   Fri Oct 29 10:11:52 2021 +0800

    move log.printf into retry loop

commit 3996b4d
Author: Chloe Wang <qiwang@microsoft.com>
Date:   Thu Oct 28 22:12:26 2021 +0800

    retry mechanism to connect contour certificate loader

commit 3deac77
Author: Chloe Wang <qiwang@microsoft.com>
Date:   Mon Oct 25 11:55:57 2021 +0800

    fix bug

commit 7ad7be8
Author: Chloe Wang <qiwang@microsoft.com>
Date:   Mon Oct 25 11:21:39 2021 +0800

    add retry mechanism to load cert from certificate loader

commit 2caf5eb
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Thu Oct 21 12:35:38 2021 +0800

    Fix bugs

commit 25b59c3
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Wed Oct 20 19:06:38 2021 +0800

    Fix crash

commit 1703f8f
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Wed Oct 20 18:52:11 2021 +0800

    update

commit 1444e94
Merge: 73b7dbf 7168c61
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Wed Oct 20 18:26:29 2021 +0800

    Merge branch 'users/chloewang/loadcertfromserver' into users/zhenhli/certificate-issuer

commit 7168c61
Merge: 4441c5d cabf4bc
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Wed Oct 20 18:25:15 2021 +0800

    Merge branch 'users/chloewang/loadcertfromserver' of ssh.dev.azure.com:v3/skype/ES/dev_azure_contour into users/chloewang/loadcertfromserver

commit 4441c5d
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Wed Oct 20 18:24:10 2021 +0800

    Load envoy cert from sds server

commit 73b7dbf
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Wed Oct 20 14:35:30 2021 +0800

    Fix typo

commit cabf4bc
Author: Chloe Wang <qiwang@microsoft.com>
Date:   Wed Oct 20 14:30:40 2021 +0800

    fix flag name

commit 20f6bdd
Author: Chloe Wang <qiwang@microsoft.com>
Date:   Tue Oct 19 15:44:03 2021 +0800

    add command load-cert-from-file to allow to load cerlocally or remotely

commit ee37eea
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Mon Oct 18 13:22:15 2021 +0800

    Update document

commit 638a47a
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Thu Oct 14 11:00:37 2021 +0800

    Update

commit 54eb3f3
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Tue Oct 12 17:18:49 2021 +0800

    Update

commit 99756f9
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Tue Oct 12 17:06:38 2021 +0800

    Fix crashes

commit 00f5c65
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Mon Oct 11 17:13:49 2021 +0800

    Fix crash

commit 5ee68ad
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Mon Oct 11 16:54:30 2021 +0800

    update

commit caf0115
Author: Zhenhuan <zhenhli@microsoft.com>
Date:   Mon Oct 11 16:37:37 2021 +0800

    Support external sds server

commit 6a583fc
Author: zhengyangdu@microsoft.com <zhengyangdu@microsoft.com>
Date:   Mon Oct 11 11:06:43 2021 +0800

    support SDS server

commit f362f4d
Author: Sunjay Bhatia <sunjayb@vmware.com>
Date:   Thu Aug 26 14:44:01 2021 +0000

    Update Contour Docker image to v1.18.1.

    Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

commit 8a36305
Author: Sunjay Bhatia <5337253+sunjayBhatia@users.noreply.github.com>
Date:   Wed Aug 25 15:16:23 2021 -0400

    Cherrypick projectcontour#3934 (projectcontour#3982)

    Move to Envoy Admin over unix socket to mitigate security issues
    with external name services.

    Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

    Co-authored-by: Steve Sloka <slokas@vmware.com>

commit 755c317
Author: Steve Kriss <krisss@vmware.com>
Date:   Wed Aug 25 07:03:05 2021 -0600

    update Envoy to v1.19.1 (projectcontour#3966)

    Signed-off-by: Steve Kriss <krisss@vmware.com>

commit 889ec61
Author: Sunjay Bhatia <sunjayb@vmware.com>
Date:   Wed Jul 28 11:51:29 2021 -0400

    Update Contour Docker image to v1.18.0.

    Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
zhenhli-microsoft committed Nov 8, 2021
1 parent d78d747 commit 3c0cadf
Showing 21 changed files with 529 additions and 169 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -35,5 +35,5 @@ RUN make build \
# Ensure we produced a static binary.
RUN ldd contour 2>&1 | grep 'not a dynamic executable'

FROM scratch AS final
FROM cblmariner.azurecr.io/base/core:1.0.20210127@sha256:08958790938a919e2a8fd1e4dfc3baf13f3b468d66b7fe3ec4b62686312aee6a AS final
COPY --from=build /contour/contour /bin/contour
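Review bot: The final stage moves from `scratch` to a full Mariner base image, so the shipped image now carries a distro userland that has to be scanned and patched, where before it held only the static `contour` binary. Pinning by digest is good for reproducibility, but the tag `1.0.20210127` is roughly nine months older than this commit, so the base likely ships outdated packages; bump it to a current digest and add a comment on the `FROM` line saying why a non-scratch base is required. The hunk ends at the `COPY` line, so I cannot see whether a `USER` directive follows; with a shell and package tooling now present in the image, running as a non-root user matters more than it did on `scratch`.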
6 changes: 5 additions & 1 deletion apis/projectcontour/v1/httpproxy.go
Expand Up @@ -228,11 +228,15 @@ type VirtualHost struct {
// TLS describes tls properties. The SNI names that will be matched on
// are described in the HTTPProxy's Spec.VirtualHost.Fqdn field.
type TLS struct {
// SecretName is the name of a TLS secret in the current namespace.
// SecretName is the name of a TLS secret.
// If SDS is not enabled, the secret must be in the current namespace.
// If SDS is enabled, the secret will be fetched from SDS server.
// Either SecretName or Passthrough must be specified, but not both.
// If specified, the named secret must contain a matching certificate
// for the virtual host's FQDN.
SecretName string `json:"secretName,omitempty"`
// Whether to fetch secret from SDS server or kubernetes secret resource
EnableSDS bool `json:"enableSDS,omitempty"`
// MinimumProtocolVersion is the minimum TLS version this vhost should
// negotiate. Valid options are `1.2` (default) and `1.3`. Any other value
// defaults to TLS 1.2.
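Review bot: The new `EnableSDS` field lets an HTTPProxy author reference a secret on the SDS server by name, and the updated comment drops the same-namespace requirement for that case without saying what replaces it. Nothing in this section shows an authorization check comparable to the TLS certificate delegation that guards cross-namespace Kubernetes secrets, so unless one exists elsewhere in the commit, any tenant able to create an HTTPProxy could request a certificate that belongs to another tenant. Document the access rule on the field and start the comment with the field name, for example `// EnableSDS selects the SDS server instead of a Kubernetes Secret as the source of SecretName; <who may reference which secret names>.` The TLS struct continues past the end of this section.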
12 changes: 12 additions & 0 deletions apis/projectcontour/v1alpha1/contourconfig.go
Expand Up @@ -134,6 +134,18 @@ type TLS struct {

// Allow serving the xDS gRPC API without TLS.
Insecure bool `json:"insecure"`

// Load contour certificate from certificate server.
// +optional
LoadContourCertFromCertServer bool `json:"loadContourCertFromCertServer,omitempty"`

// Address of the certificate server.
// +optional
CertServerAddr string `json:"certServerAddr,omitempty"`

// Port of the certificate server.
// +optional
CertServerPort int `json:"certServerPort,omitempty"`
}

// IngressConfig defines ingress specific config items.
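Review bot: The comments on the three new fields do not say that `LoadContourCertFromCertServer` excludes `CAFile`, `CertFile` and `KeyFile`, although `verifyTLSFlags` in cmd/contour/servecontext.go rejects that combination, nor that the serving private key is one of the items fetched. Go doc comments should also begin with the field name. Suggested wording for the first field: `// LoadContourCertFromCertServer makes Contour fetch its xDS serving certificate, private key and CA bundle from the certificate server at CertServerAddr:CertServerPort; CAFile, CertFile and KeyFile must then be empty.` If this API type is validated through kubebuilder markers, `CertServerPort` could also carry `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=65535`.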
4 changes: 4 additions & 0 deletions cmd/contour/bootstrap.go
Expand Up @@ -30,11 +30,15 @@ func registerBootstrap(app *kingpin.Application) (*kingpin.CmdClause, *envoy.Boo
bootstrap.Flag("admin-port", "DEPRECATED: Envoy admin interface port.").IntVar(&config.AdminPort)
bootstrap.Flag("xds-address", "xDS gRPC API address.").StringVar(&config.XDSAddress)
bootstrap.Flag("xds-port", "xDS gRPC API port.").IntVar(&config.XDSGRPCPort)
bootstrap.Flag("sds-address", "sDS gRPC API address.").StringVar(&config.SDSAddress)
bootstrap.Flag("sds-port", "sDS gRPC API port.").IntVar(&config.SDSGRPCPort)
bootstrap.Flag("envoy-cafile", "CA Filename for Envoy secure xDS gRPC communication.").Envar("ENVOY_CAFILE").StringVar(&config.GrpcCABundle)
bootstrap.Flag("envoy-cert-file", "Client certificate filename for Envoy secure xDS gRPC communication.").Envar("ENVOY_CERT_FILE").StringVar(&config.GrpcClientCert)
bootstrap.Flag("envoy-key-file", "Client key filename for Envoy secure xDS gRPC communication.").Envar("ENVOY_KEY_FILE").StringVar(&config.GrpcClientKey)
bootstrap.Flag("namespace", "The namespace the Envoy container will run in.").Envar("CONTOUR_NAMESPACE").Default("projectcontour").StringVar(&config.Namespace)
bootstrap.Flag("xds-resource-version", "The versions of the xDS resources to request from Contour.").Default("v3").StringVar((*string)(&config.XDSResourceVersion))
bootstrap.Flag("sds-resource-version", "The versions of the sDS resources to request from Contour.").Default("v3").StringVar((*string)(&config.SDSResourceVersion))
bootstrap.Flag("dns-lookup-family", "Defines what DNS Resolution Policy to use for Envoy -> Contour cluster name lookup. Either v4, v6 or auto.").StringVar(&config.DNSLookupFamily)
bootstrap.Flag("grpc-cert-from-sds", "Whether to get Grpc client cert from SDS server.").BoolVar(&config.GrpcCertFromSDS)
return bootstrap, &config
}
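Review bot: The help strings for the new flags write `sDS` and `Grpc`, where the neighbouring flags use `xDS` and `gRPC`; prefer `SDS gRPC API address.`, `SDS gRPC API port.` and `Whether to get the gRPC client certificate from the SDS server.` The text for `--grpc-cert-from-sds` also does not say how the flag interacts with `--envoy-cafile`, `--envoy-cert-file` and `--envoy-key-file`; state whether those are ignored or rejected when it is set, since that decides which credentials Envoy presents to Contour. registerBootstrap begins before this hunk.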
61 changes: 56 additions & 5 deletions cmd/contour/cli.go
Expand Up @@ -17,6 +17,7 @@ import (
"context"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"io/ioutil"
"os"

Expand All @@ -26,23 +27,29 @@ import (
envoy_service_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/service/listener/v3"
envoy_service_route_v3 "github.com/envoyproxy/go-control-plane/envoy/service/route/v3"
"github.com/golang/protobuf/proto"
"github.com/projectcontour/contour/internal/contour"
"github.com/prometheus/common/log"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
kingpin "gopkg.in/alecthomas/kingpin.v2"
)

// Client holds the details for the cli client to connect to.
type Client struct {
ContourAddr string
CAFile string
ClientCert string
ClientKey string
ContourAddr string
CAFile string
ClientCert string
ClientKey string
LoadContourCertFromCertServer bool
CertServerAddr string
CertServerPort int
}

func (c *Client) dial() *grpc.ClientConn {
var options []grpc.DialOption

// Check the TLS setup
certPool := x509.NewCertPool()
switch {
case c.CAFile != "" || c.ClientCert != "" || c.ClientKey != "":
// If one of the three TLS commands is not empty, they all must be not empty
Expand All @@ -53,7 +60,6 @@ func (c *Client) dial() *grpc.ClientConn {
certificate, err := tls.LoadX509KeyPair(c.ClientCert, c.ClientKey)
kingpin.FatalIfError(err, "failed to load certificates from disk")
// Create a certificate pool from the certificate authority
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile(c.CAFile)
kingpin.FatalIfError(err, "failed to read CA cert")

Expand All @@ -74,6 +80,51 @@ func (c *Client) dial() *grpc.ClientConn {
MinVersion: tls.VersionTLS12,
})
options = append(options, grpc.WithTransportCredentials(creds))
case c.LoadContourCertFromCertServer:
certBytes, err := contour.GetPemDataFromCertServer(c.CertServerAddr, c.CertServerPort, "cert")
if err != nil {
log.Error(err)
kingpin.Fatalf("Failed to get client cert.")
}
certBlock, _ := pem.Decode(certBytes)
if certBlock == nil {
kingpin.Fatalf("failed to parse PEM block containing the certificate")
}
keyBytes, err := contour.GetPemDataFromCertServer(c.CertServerAddr, c.CertServerPort, "key")
if err != nil {
log.Error(err)
kingpin.Fatalf("Failed to get client key")
}
keyBlock, _ := pem.Decode(keyBytes)
if keyBlock == nil {
kingpin.Fatalf("failed to parse PEM block containing the key")
}
cert, err := tls.X509KeyPair(certBytes, keyBytes)
if err != nil {
log.Error(err)
os.Exit(1)
}
log.Debug("Successfully get client cert and key")
ca, err := contour.GetPemDataFromCertServer(c.CertServerAddr, c.CertServerPort, "cacert")
if err != nil {
log.Error(err)
kingpin.Fatalf("Failed to get cacert")
}
log.Debug("Successfully get cacert")
if ok := certPool.AppendCertsFromPEM(ca); !ok {
kingpin.Fatalf("failed to append CA certs")
}
creds := credentials.NewTLS(&tls.Config{
// TODO(youngnick): Does this need to be defaulted with a cli flag to
// override?
// The ServerName here needs to be one of the SANs available in
// the serving cert used by contour serve.
ServerName: "contour",
Certificates: []tls.Certificate{cert},
RootCAs: certPool,
MinVersion: tls.VersionTLS12,
})
options = append(options, grpc.WithTransportCredentials(creds))
default:
options = append(options, grpc.WithInsecure())
}
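Review bot: In the new `case c.LoadContourCertFromCertServer:` branch the client's private key and the CA bundle that becomes `RootCAs` both come from `contour.GetPemDataFromCertServer`, so the TLS connection to Contour is only as trustworthy as the channel to the certificate server. That helper is not part of this section; the `serveContext` comment in servecontext.go describes the fetch as an http connection, and if that means plain HTTP, anything on the path to `CertServerAddr` can read the key or substitute the trust root. Restrict the address to loopback or a unix socket, or authenticate the certificate server, and say so in the flag help. Two smaller points in the same branch: the file-based case is tested first, so `--cafile` combined with `--load-contour-cert-from-cert-server` silently takes the file path, and the `tls.X509KeyPair` failure calls `os.Exit(1)` where the rest of the branch uses `kingpin.Fatalf`. The `loadConfig` code in the tlsconfig hunk of servecontext.go has the same trust dependency.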
3 changes: 3 additions & 0 deletions cmd/contour/contour.go
Expand Up @@ -48,6 +48,9 @@ func main() {
cli.Flag("cafile", "CA bundle file for connecting to a TLS-secured Contour.").Envar("CLI_CAFILE").StringVar(&client.CAFile)
cli.Flag("cert-file", "Client certificate file for connecting to a TLS-secured Contour.").Envar("CLI_CERT_FILE").StringVar(&client.ClientCert)
cli.Flag("key-file", "Client key file for connecting to a TLS-secured Contour.").Envar("CLI_KEY_FILE").StringVar(&client.ClientKey)
cli.Flag("load-contour-cert-from-cert-server", "Load Contour certificates from another server").BoolVar(&client.LoadContourCertFromCertServer)
cli.Flag("cert-server-address", "Address of the certificate server.").StringVar(&client.CertServerAddr)
cli.Flag("cert-server-port", "Port of the certificate server.").IntVar(&client.CertServerPort)

var resources []string
cds := cli.Command("cds", "Watch services.")
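Review bot: `--cert-server-address` and `--cert-server-port` are registered without `.Default(...)`, so `--load-contour-cert-from-cert-server` on its own would pass an empty address and port 0 to `GetPemDataFromCertServer`, unless `client` is pre-populated outside this hunk; `serve` gets `127.0.0.1` and `8090` from `newServeContext`. Give the CLI the same defaults with `.Default("127.0.0.1").StringVar(&client.CertServerAddr)` and `.Default("8090").IntVar(&client.CertServerPort)`, or fail early when the address is empty. The help text `Load Contour certificates from another server` should also say that the client key and CA bundle are fetched from it; the same three flags in serve.go share that text.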
3 changes: 3 additions & 0 deletions cmd/contour/serve.go
Expand Up @@ -140,6 +140,9 @@ func registerServe(app *kingpin.Application) (*kingpin.CmdClause, *serveContext)
serve.Flag("contour-cafile", "CA bundle file name for serving gRPC with TLS.").Envar("CONTOUR_CAFILE").StringVar(&ctx.caFile)
serve.Flag("contour-cert-file", "Contour certificate file name for serving gRPC over TLS.").PlaceHolder("/path/to/file").Envar("CONTOUR_CERT_FILE").StringVar(&ctx.contourCert)
serve.Flag("contour-key-file", "Contour key file name for serving gRPC over TLS.").PlaceHolder("/path/to/file").Envar("CONTOUR_KEY_FILE").StringVar(&ctx.contourKey)
serve.Flag("load-contour-cert-from-cert-server", "Load Contour certificates from another server").BoolVar(&ctx.LoadContourCertFromCertServer)
serve.Flag("cert-server-address", "Address of the certificate server.").StringVar(&ctx.CertServerAddr)
serve.Flag("cert-server-port", "Port of the certificate server.").IntVar(&ctx.CertServerPort)
serve.Flag("insecure", "Allow serving without TLS secured gRPC.").BoolVar(&ctx.PermitInsecureGRPC)
serve.Flag("root-namespaces", "Restrict contour to searching these namespaces for root ingress routes.").PlaceHolder("<ns,ns>").StringVar(&ctx.rootNamespaces)

132 changes: 97 additions & 35 deletions cmd/contour/servecontext.go
Expand Up @@ -17,12 +17,14 @@ import (
"crypto/rand"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"io/ioutil"
"strings"
"time"

"github.com/projectcontour/contour/internal/contour"
"github.com/projectcontour/contour/internal/k8s"
"k8s.io/utils/pointer"

Expand Down Expand Up @@ -87,6 +89,13 @@ type serveContext struct {

// DisableLeaderElection can only be set by command line flag.
DisableLeaderElection bool

// LoadContourCertFromCertServer allows to fetch Contour and Envoy certificates via http connection
LoadContourCertFromCertServer bool

// contour certificate server http parameters
CertServerAddr string
CertServerPort int
}

type ServerConfig struct {
Expand All @@ -100,23 +109,26 @@ type ServerConfig struct {
func newServeContext() *serveContext {
// Set defaults for parameters which are then overridden via flags, ENV, or ConfigFile
return &serveContext{
Config: config.Defaults(),
statsAddr: "0.0.0.0",
statsPort: 8002,
debugAddr: "127.0.0.1",
debugPort: 6060,
healthAddr: "0.0.0.0",
healthPort: 8000,
metricsAddr: "0.0.0.0",
metricsPort: 8000,
httpAccessLog: xdscache_v3.DEFAULT_HTTP_ACCESS_LOG,
httpsAccessLog: xdscache_v3.DEFAULT_HTTPS_ACCESS_LOG,
httpAddr: "0.0.0.0",
httpsAddr: "0.0.0.0",
httpPort: 8080,
httpsPort: 8443,
PermitInsecureGRPC: false,
DisableLeaderElection: false,
Config: config.Defaults(),
statsAddr: "0.0.0.0",
statsPort: 8002,
debugAddr: "127.0.0.1",
debugPort: 6060,
healthAddr: "0.0.0.0",
healthPort: 8000,
metricsAddr: "0.0.0.0",
metricsPort: 8000,
httpAccessLog: xdscache_v3.DEFAULT_HTTP_ACCESS_LOG,
httpsAccessLog: xdscache_v3.DEFAULT_HTTPS_ACCESS_LOG,
httpAddr: "0.0.0.0",
httpsAddr: "0.0.0.0",
httpPort: 8080,
httpsPort: 8443,
PermitInsecureGRPC: false,
DisableLeaderElection: false,
LoadContourCertFromCertServer: false,
CertServerAddr: "127.0.0.1",
CertServerPort: 8090,
ServerConfig: ServerConfig{
xdsAddr: "127.0.0.1",
xdsPort: 8001,
Expand Down Expand Up @@ -173,19 +185,56 @@ func tlsconfig(log logrus.FieldLogger, contourXDSTLS *contour_api_v1alpha1.TLS)
if contourXDSTLS == nil {
return nil, nil
}
cert, err := tls.LoadX509KeyPair(contourXDSTLS.CertFile, contourXDSTLS.KeyFile)
if err != nil {
return nil, err
}

ca, err := ioutil.ReadFile(contourXDSTLS.CAFile)
if err != nil {
return nil, err
}

var cert tls.Certificate
certPool := x509.NewCertPool()
if ok := certPool.AppendCertsFromPEM(ca); !ok {
return nil, fmt.Errorf("unable to append certificate in %s to CA pool", contourXDSTLS.CAFile)
if !contourXDSTLS.LoadContourCertFromCertServer {
cert, err = tls.LoadX509KeyPair(contourXDSTLS.CertFile, contourXDSTLS.KeyFile)
if err != nil {
return nil, err
}

ca, err := ioutil.ReadFile(contourXDSTLS.CAFile)
if err != nil {
return nil, err
}
if ok := certPool.AppendCertsFromPEM(ca); !ok {
return nil, fmt.Errorf("unable to append certificate in %s to CA pool", contourXDSTLS.CAFile)
}
} else {
certBytes, err := contour.GetPemDataFromCertServer(contourXDSTLS.CertServerAddr, contourXDSTLS.CertServerPort, "cert")
if err != nil {
log.Fatalf("Failed to get cert")
return nil, err
}
certBlock, _ := pem.Decode(certBytes)
if certBlock == nil {
log.Fatalf("failed to parse PEM block containing the certificate")
return nil, nil
}
keyBytes, err := contour.GetPemDataFromCertServer(contourXDSTLS.CertServerAddr, contourXDSTLS.CertServerPort, "key")
if err != nil {
log.Fatalf("Failed to get key")
return nil, err
}
keyBlock, _ := pem.Decode(keyBytes)
if keyBlock == nil {
log.Fatalf("failed to parse PEM block containing the key")
return nil, nil
}
cert, err = tls.X509KeyPair(certBytes, keyBytes)
if err != nil {
return nil, err
}
log.Debug("Successfully get cert and key")
ca, err := contour.GetPemDataFromCertServer(contourXDSTLS.CertServerAddr, contourXDSTLS.CertServerPort, "cacert")
if err != nil {
log.Fatalf("Failed to get cacert")
return nil, err
}
fmt.Printf("Successfully get cacert")
if ok := certPool.AppendCertsFromPEM(ca); !ok {
return nil, fmt.Errorf("failed to append CA certs")
}
}

return &tls.Config{
Expand All @@ -196,8 +245,10 @@ func tlsconfig(log logrus.FieldLogger, contourXDSTLS *contour_api_v1alpha1.TLS)
}, nil
}

var config *tls.Config
var lerr error
// Attempt to load certificates and key to catch configuration errors early.
if _, lerr := loadConfig(); lerr != nil {
if config, lerr = loadConfig(); lerr != nil {
log.WithError(lerr).Fatal("failed to load certificate and key")
}

Expand All @@ -206,13 +257,21 @@ func tlsconfig(log logrus.FieldLogger, contourXDSTLS *contour_api_v1alpha1.TLS)
ClientAuth: tls.RequireAndVerifyClientCert,
Rand: rand.Reader,
GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
return loadConfig()
return config, nil
},
}
}

// verifyTLSFlags indicates if the TLS flags are set up correctly.
func verifyTLSFlags(contourXDSTLS *contour_api_v1alpha1.TLS) error {
if contourXDSTLS.LoadContourCertFromCertServer {
if contourXDSTLS.CAFile != "" || contourXDSTLS.CertFile != "" || contourXDSTLS.KeyFile != "" {
return errors.New("no TLS parameters should be supplied when load cert from sidecar")
}

return nil
}

if contourXDSTLS.CAFile == "" && contourXDSTLS.CertFile == "" && contourXDSTLS.KeyFile == "" {
return errors.New("no TLS parameters and --insecure not supplied. You must supply one or the other")
}
Expand Down Expand Up @@ -479,10 +538,13 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
Address: ctx.xdsAddr,
Port: ctx.xdsPort,
TLS: &contour_api_v1alpha1.TLS{
CAFile: ctx.caFile,
CertFile: ctx.contourCert,
KeyFile: ctx.contourKey,
Insecure: ctx.PermitInsecureGRPC,
CAFile: ctx.caFile,
CertFile: ctx.contourCert,
KeyFile: ctx.contourKey,
Insecure: ctx.PermitInsecureGRPC,
LoadContourCertFromCertServer: ctx.LoadContourCertFromCertServer,
CertServerAddr: ctx.CertServerAddr,
CertServerPort: ctx.CertServerPort,
},
}
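Review bot: `GetConfigForClient` now returns the `config` captured once at startup instead of calling `loadConfig()` on each handshake, so in the file-based branch a rotated certificate, key or CA bundle is not picked up until Contour restarts, and a CA removed from `CAFile` stays trusted for client authentication. The caching appears to be aimed at the certificate-server path (the squashed message says "avoid calling certificate loader repeatly"), so limit it to that path by putting `if !contourXDSTLS.LoadContourCertFromCertServer { return loadConfig() }` before `return config, nil`. The certificate-server path would then still need a refresh interval for rotation to work at all. Separately, the PEM-decode failures in `loadConfig` call `log.Fatalf(...)` followed by `return nil, nil`, which yields a nil config with no error if the supplied logger's Fatalf does not exit; return an error there instead. tlsconfig starts before the first of these hunks.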
