Reputation: 67997
I am using the standard L7 load balancing ingress on Google Container Engine. I have installed it through the following ingress definition:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: l7-ingress-{{environment}}
spec:
  tls:
  # kubernetes.io/tls Secret holding tls.crt and tls.key
  - secretName: web-secret
  backend:
    serviceName: web
    servicePort: 80
Now, my question is, how do I ensure that the TLS certificate is updated once the secret web-secret changes? AFAICT, it currently stays the same even though the underlying secret changes.
Upvotes: 3
Views: 1635
Reputation: 10539
The Google L7 load balancer does exchange the underlying certificate if updated. You have to apply the correct annotations:
Secret
apiVersion: v1
kind: Secret
data:
  tls.crt: xxx   # base64-encoded PEM certificate (leaf first, then any chain)
  tls.key: xxx   # base64-encoded PEM private key
metadata:
  name: tls-secret
type: kubernetes.io/tls
Ingress
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: dev-ing
  annotations:
    # Do not forget this annotation
    kubernetes.io/ingress.class: "gce"
spec:
  tls:
  - hosts:
    - tryout.example.com
    secretName: tls-secret
  backend:
    serviceName: nginx
    servicePort: 80
The exchange happens somehow in the background; be aware of the time it takes (5-15 minutes).
Upvotes: 1
Reputation: 16677
I just tried a simple apply on an edited secret, and yes it worked. The web console and gcloud compute ssl-certificates list reported the change right away, and the load balancer started serving it up in about 10 minutes. It would be nice to have this officially documented! Especially because there are other corners of k8s where changes to secrets aren't automatically picked up, like deployments, so we don't take it for granted.
Upvotes: 2
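The answer and the comment above both say the rotated certificate shows up in gcloud right away but is only served by the load balancer some minutes later. As an added example (not code from the thread), the following Python script turns that into a concrete check: it takes the SHA-256 fingerprint of the leaf certificate stored in the kubernetes.io/tls Secret (read as JSON, e.g. from `kubectl get secret tls-secret -o json`) and compares it with the certificate the load balancer presents on port 443. The host name, the Secret name and the certificate contents are assumptions; the sample "certificates" are constructed placeholder bytes wrapped in PEM armor so the module runs offline, not real X.509 certificates.

```python
"""Check whether a GCE L7 load balancer already serves the certificate that is
stored in a kubernetes.io/tls Secret.

Added example for this thread, not code from the original answers. Assumptions:
the Secret is supplied as JSON (output of `kubectl get secret NAME -o json`),
and a mismatch means either the update has not propagated yet (the answers
report 5-15 minutes) or the Ingress does not reference this Secret at all.
"""
import base64
import hashlib
import json
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def leaf_pem(pem_bundle: str) -> str:
    """Return the first CERTIFICATE block; tls.crt may contain the whole chain."""
    start = pem_bundle.find(PEM_BEGIN)
    end = pem_bundle.find(PEM_END, start)
    if start < 0 or end < 0:
        raise ValueError("no CERTIFICATE block found in tls.crt")
    return pem_bundle[start:end + len(PEM_END)]


def sha256_fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER encoding, colon-separated like
    `openssl x509 -noout -fingerprint -sha256` prints it."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)  # strips armor and base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def secret_fingerprint(secret_json: str) -> str:
    """Fingerprint of the leaf certificate inside a kubernetes.io/tls Secret."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError(f"not a kubernetes.io/tls secret: {secret.get('type')!r}")
    # Secret data is base64 of the PEM file, so decode once, then parse PEM.
    bundle = base64.b64decode(secret["data"]["tls.crt"]).decode("ascii")
    return sha256_fingerprint(leaf_pem(bundle))


def served_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the leaf certificate the load balancer presents.
    Needs network access; the offline sample below does not call it."""
    pem = ssl.get_server_certificate((host, port))
    return sha256_fingerprint(pem)


def rotation_propagated(secret_json: str, served_pem: str) -> bool:
    """True when the served leaf certificate is the one stored in the Secret."""
    return secret_fingerprint(secret_json) == sha256_fingerprint(leaf_pem(served_pem))


def build_secret_json(name: str, pem_bundle: str, key_pem: str) -> str:
    """Build the JSON shape `kubectl get secret -o json` returns for a TLS Secret."""
    def b64(text: str) -> str:
        return base64.b64encode(text.encode("ascii")).decode("ascii")
    return json.dumps({
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name},
        "data": {"tls.crt": b64(pem_bundle), "tls.key": b64(key_pem)},
    })


def placeholder_pem(label: bytes) -> str:
    """Constructed stand-in: wraps arbitrary bytes as a PEM CERTIFICATE block so
    the example runs offline. Not a parseable X.509 certificate."""
    return ssl.DER_cert_to_PEM_cert(label)


# Constructed sample data (assumptions, not from the thread).
OLD_PEM = placeholder_pem(b"constructed placeholder: certificate before rotation")
NEW_PEM = placeholder_pem(b"constructed placeholder: certificate after rotation")
CA_PEM = placeholder_pem(b"constructed placeholder: intermediate CA")
SAMPLE_SECRET_JSON = build_secret_json("tls-secret", NEW_PEM + CA_PEM, "placeholder-key")


if __name__ == "__main__":
    import sys
    # Usage: kubectl get secret tls-secret -o json | python check_tls_rollout.py tryout.example.com
    if len(sys.argv) != 2:
        sys.exit("usage: check_tls_rollout.py HOST < secret.json")
    want = secret_fingerprint(sys.stdin.read())
    got = served_fingerprint(sys.argv[1])
    print(f"secret: {want}\nserved: {got}")
    print("match" if want == got else "MISMATCH: not propagated yet, or Ingress uses another Secret")
```

Run it once right after `kubectl apply` on the edited Secret and again a few minutes later; the first run is expected to report a mismatch, the second a match. Comparing the leaf only is deliberate, since `tls.crt` usually carries the chain and the load balancer may present a chain of its own.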
Reputation: 31
My experience to workaround this is to delete and create the ingress, but making sure you specify the IP in the YAML you pass to kubectl create -f:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dev-ing
spec:
  tls:
  - secretName: tls-sekret
  rules:
  - host: tryout.example.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
# Pre-set the previously assigned load balancer IP so the recreated ingress keeps it
status:
  loadBalancer:
    ingress:
    - ip: 130.211.n.n
I couldn't find any documentation stating that this is the way to ensure you will get the same IP, but for me it worked. Use with caution on production systems where you cannot afford to lose the IP!
Upvotes: 3