These k8s deployements, sandbox-eups, deploy-eups-redirect, ltd-keeper, were using gcr.io/cloud-solutions-images/nginx-ssl-proxy:master-9979ee3, which dates from 2015 and google has never updated (there are no other tags in the docker registry). I looked at updating the version of openssl in that image but decided against it as it was so old that the gpg keys for the nginx apt repo were no longer valid and the base image had since rebased onto a newer version of debian.
I eventually identified the Dockerfile used to build that image: https://github.com/GoogleCloudPlatform/nginx-ssl-proxy . The repo has been updated, despite no images being published, and the Dockerfile was able to build an image without the openssl issue without modification. This has been forked as https://github.com/lsst-sqre/nginx-ssl-proxy and a jenkins build created that will build + push an image as docker.io/lsstsqre/nginx-ssl-proxy:latest.
TLS cert expiration, missing hosts, and an ssllabs.com check were added to nagios (status.lsst.codes). Additionally, work was done to streamline the deployment of nagios configuration changes. This included setting up travis-ci syntax checking of nagios config changes. The nagios streamlining/CI was the majority of the effort on this ticket.