How to restart a GCP Ingress Item To Use Updated Secret

Question

I've updated the SSL certificate for my Kubernetes Ingress services, but I don't know how to restart the instances to use the updated cert secret without manually deleting and restarting the Ingress instances. That isn't ideal because of the number of ingresses that are making use of that specific cert (all sitting on the same TLD). How do I force it to use the updated secret?

Answer 1

You shouldn't need to delete the Ingress object to use the updated TLS Secret.

GKE Ingress controller (https://github.com/kubernetes/ingress-gce) automatically picks up the updated Secret resource and updates it. (Open an issue on the repo if it doesn't).

Example:

$ kubectl describe ingress foobar
Name:             foobar
Labels:           <none>
Namespace:        default
Address:          123.234.123.234
Ingress Class:    <none>
Default backend:  <default>
TLS:
  my-secret terminates
(...)
Events:
  Type    Reason  Age                   From                     Message
  ----    ------  ----                  ----                     -------
  Normal  Sync    6m29s                 loadbalancer-controller  TargetProxy "<redacted>" certs updated
  Normal  Sync    6m25s (x78 over 12h)  loadbalancer-controller  Scheduled for sync

- here the certificate from a secret 'my-secret' has been successfully reloaded 6m29s ago.

If you're not seeing the changes in ~10-20 minutes, I recommend editing the Ingress object trivially (for example, add a label or an annotation) so that the ingress controller picks up the object again and evaluates goal state vs the current state, then goes ahead to make the changes (update the TLS secret).

Answer 2

Turns out the reason why it wasn't updating was that the certs weren't chained properly; I uploaded the ca-bundle without the actual end cert, and I guess Google refuses to update the LB certs if they're not a valid chain. Which is weird, but, okay, sure.