1

I need to update my TLS/SSL certificates for the ingress service on Google Kubernetes Engine as it is expiring. I have a new certificate and key, and I updated the existing TLS secrets using the command below:

kubectl create secret tls test-tls --namespace=test --save-config --dry-run --cert=/Users/test.crt --key=/Users/test.key -o yaml | kubectl apply -f -

But it didn't take the new certificates when I checked it in the browser. Then I tried to do a helm upgrade and delete/recreate the nginx pod, but it still doesn't update the certificates.

I am not sure what the problem is. In the ideal situation, shouldn't it update a few minutes after updating the secrets? I even tried to create a new secret rather than updating the same one and redeployed the services, but it still didn't work.

I also checked my certs and they look fine, so there are no issues with the certificates.

I would really appreciate it if someone could tell me what I am missing here.

tank
  • Can you provide the Ingress definition? `kubectl get ing -n -o yaml` Can you also confirm whether you have any kind of caching service in front of the ingress? And just to be clear, you are using the google GLB and GKE google ingress controller, correct? – Patrick W Dec 23 '21 at 19:01
  • Hi @tank. Can I help you with other information? If you think that my answer helped you, please consider accepting it by clicking the check mark (✔️) on the left side under the vote arrows. Should change the color to green. I'd really appreciate it. Thanks! – Nestor Daniel Ortega Perez Dec 27 '21 at 21:40
  • Hi @NestorDanielOrtegaPerez, unfortunately none of the methods worked for me and I am still struggling to make it work. Although your answer definitely guided me in the right direction, so I upvoted it. – tank Dec 31 '21 at 11:12

1 Answer

1

If you are going to update the secret with the new cert, it is meant to be picked up by the GCP ingress controller, and this one has to update the certificate on GCP. You can use the cert-manager to renew the certificate automatically.

Here is another process that works:

Create another secret with the new ssl certificate:

kubectl create secret tls mynewsecret --key mynewkey.key --cert mynewcert.crt

Edit ingress.yaml file in order to change the secretName:

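...
# extensions/v1beta1 is no longer served from Kubernetes 1.22 on; use networking.k8s.io/v1 there
apiVersion: extensions/v1beta1
kind: Ingress
spec:
  tls:
  # name of the new TLS secret created above
  - secretName: mynewsecret
...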

Apply the ingress.yaml:

kubectl apply -f ./ingress.yaml

You can also go to Kubernetes Engine > Services & Ingress > "Ingress" tab, click on the ingress you need to update its certificate, and click on the Edit link up on top to update its YAML. Use the information in the following URL as reference: How to update ssl certificate for ingress https load balancer.

Another way to do it can be through the Console. Go to Network Services > Load Balancing and click on the Advanced menu link, then click on the Certificates tab to see what certs have been added to the project. Verify if your new cert shows up there as being in use by your ingress. A normal process with the Console UI is:

1. Add the new version of the cert to the project by clicking on "Create SSL Certificate" in the Advanced menu of the "Load balancing" interface.

2. Upload the new cert file in that interface you visited in step 1. Give it a meaningful name (let's call it "my-new-cert").

3. Update your ingress’ Deployment Manager config file to set properties.metadata.annotations.ingress.gcp.kubernetes.io/pre-shared-cert to my-new-cert.

4. Redeploy the ingress with a Deployment Manager command.

You can use this thread as reference too: SSL Certificate not updating in Google Cloud Console GKE.

Finally, to update the SSL certificate via Helm Chart, take a look into this information How can I upgrade SSL certificate via helm chart?:
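To tell whether the secret was never updated or the load balancer is still serving the old certificate, compare the fingerprint of `tls.crt` in the secret with the fingerprint of the certificate the endpoint presents. The following is an added example, not part of the original question or answer; it uses only the Python standard library, and `make_secret` plus the placeholder certificate bytes are constructed for the offline demo.

```python
# Added example: does the endpoint serve the certificate stored in the Secret?
import base64
import hashlib
import json
import re
import ssl

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_bundle: str) -> str:
    """SHA-256 of the first (leaf) certificate in a PEM bundle."""
    block = PEM_CERT.search(pem_bundle)
    if block is None:
        raise ValueError("no PEM certificate found")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(block.group(0))).hexdigest()


def secret_fingerprint(secret_json: str) -> str:
    """Leaf fingerprint of tls.crt in `kubectl get secret <name> -o json`."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls secret")
    return leaf_fingerprint(base64.b64decode(secret["data"]["tls.crt"]).decode())


def fetch_served_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate the endpoint presents (no chain validation)."""
    return ssl.get_server_certificate((host, port))


def compare(secret_json: str, served_pem: str) -> dict:
    """Report whether the endpoint serves the certificate held in the Secret."""
    stored, served = secret_fingerprint(secret_json), leaf_fingerprint(served_pem)
    return {"secret": stored, "served": served, "in_sync": stored == served}


def make_secret(pem_bundle: str) -> str:
    """Build a constructed Secret document for the offline demo."""
    data = {"tls.crt": base64.b64encode(pem_bundle.encode()).decode()}
    return json.dumps({"type": "kubernetes.io/tls", "data": data})


if __name__ == "__main__":
    # Constructed placeholder bytes stand in for DER certificates.
    old = ssl.DER_cert_to_PEM_cert(b"constructed-old-leaf")
    new = ssl.DER_cert_to_PEM_cert(b"constructed-new-leaf")
    print("secret updated, endpoint stale:", compare(make_secret(new), old))
    print("secret updated, endpoint updated:", compare(make_secret(new), new))
```

Against a live cluster, pass the output of `kubectl get secret test-tls --namespace=test -o json` and the result of `fetch_served_pem` for your ingress hostname to `compare`; a mismatch means the secret holds the new certificate but the endpoint has not picked it up.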