How to update ssl certificate for ingress https load balancer


mder...@gmail.com

Feb 14, 2018, 12:06:19 PM
to Kubernetes user discussion and Q&A
Hi,
I have to update my ssl certificate for my (ingress) https load balancer.
When I created the cluster I executed these commands:

> kubectl create secret tls mysecret --key mykey.key --cert mycert.crt
> kubectl apply -f ./ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    ingress.kubernetes.io/rewrite-target: /
    ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - secretName: mysecret
  backend:
    serviceName: nginx-nodeport-service
    servicePort: 80

and everything worked properly.
But now I have to update my certificate.
I'm reading on GCE documentation that I could execute these commands:

gcloud compute ssl-certificates create <certificate_name> --certificate <path_file.crt> --private-key <path_file.key>


gcloud compute target-https-proxies list


gcloud compute target-https-proxies update <https_proxy> --ssl-certificates <certificate_name>


But this procedure sometimes works and sometimes does not (when it does not, the https certificate is the old one).

Any suggestions?

Ian Lewis

Feb 14, 2018, 7:18:55 PM
to kubernet...@googlegroups.com
If you update the secret with the new cert, the GCP ingress controller should pick that up and update the certificate on GCP. I use this to automate certificate renewal using cert-manager.


mder...@gmail.com

Feb 15, 2018, 9:10:15 AM
to Kubernetes user discussion and Q&A
Hi,
thanks for your suggestion.
I can confirm that this procedure is working:

1) create another secret with the new ssl certificate:
> kubectl create secret tls mynewsecret --key mynewkey.key --cert mynewcert.crt


2) edit ingress.yaml file in order to change the secretName:

apiVersion: extensions/v1beta1
kind: Ingress
...
spec:
  tls:
  - secretName: mynewsecret
...


3) Apply the ingress.yaml:
> kubectl apply -f ./ingress.yaml

Kubernetes will automatically update the https load balancer on GCE with the new certificate.



PS: just a clarification to make this post more useful
When you're going to use the .crt file, it must be composed like:

-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----


where the first part is your public certificate, the second is the intermediate


Bye
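
The bundle layout described in the PS above (your certificate first, then the intermediate) can be checked before the secret is created, together with whether the key belongs to that certificate. This is an added example, not part of the original thread; it assumes `openssl` is installed, and `check_tls_bundle` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl is on PATH.
# check_tls_bundle is a hypothetical helper name.
#
# check_tls_bundle BUNDLE.crt KEY.key
# Exit status 0 only if every certificate in BUNDLE names the next one in the
# file as its issuer (server certificate first, then the intermediate) and KEY
# is the private key of the first certificate. Order is checked by comparing
# issuer and subject names; signatures are not verified here.
check_tls_bundle() (
  bundle=$1; key=$2; rc=0
  tmp=$(mktemp -d) || exit 2
  # Write one file per PEM certificate block, numbered in file order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/" n ".pem") }' "$bundle"
  n=$(ls "$tmp" | wc -l | tr -d ' ')
  if [ "$n" -lt 1 ]; then
    echo "no certificate found in $bundle" >&2; rc=1
  fi
  i=1
  while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
    next=$((i + 1))
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer -nameopt RFC2253)
    subject=$(openssl x509 -in "$tmp/$next.pem" -noout -subject -nameopt RFC2253)
    if [ "${issuer#*=}" != "${subject#*=}" ]; then
      echo "certificate $i is not issued by certificate $next (wrong order?)" >&2
      rc=1
    fi
    i=$next
  done
  if [ "$rc" -eq 0 ]; then
    # Compare the public key in the first certificate with the one derived from KEY.
    cert_pub=$(openssl x509 -in "$tmp/1.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
      echo "private key does not match the first certificate" >&2; rc=1
    fi
  fi
  rm -rf "$tmp"
  exit "$rc"
)

# Usage with the file names from the post:
#   check_tls_bundle mynewcert.crt mynewkey.key &&
#     kubectl create secret tls mynewsecret --key mynewkey.key --cert mynewcert.crt
```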