Google Container Engine - How to update L7 ingress to load new TLS certificate?

5/18/2016

I am using the standard L7 load balancing ingress on Google Container Engine. I have installed it through the following ingress definition:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: l7-ingress-{{environment}}
spec:
  tls:
    - secretName: web-secret
  backend:
    serviceName: web
    servicePort: 80

Now, my question is, how do I ensure that the TLS certificate is updated once the secret web-secret changes? AFAICT, it currently stays the same even though the underlying secret changes.

-- aknuds1
google-compute-engine
google-kubernetes-engine
kubernetes
load-balancing

4 Answers

5/18/2016

Apparently, the L7 ingress doesn't currently monitor the TLS secret for changes. But a PR to solve this has been merged, so it should only be a matter of time.

-- aknuds1
Source: StackOverflow

5/20/2016

My experience to work around this is to delete and create the ingress, but making sure you specify the IP in the YAML you pass to kubectl create -f:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dev-ing
spec:
  tls:
    - secretName: tls-sekret
  rules:
  - host: tryout.example.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
status:
  loadBalancer:
    ingress:
    - ip: 130.211.n.n

I couldn't find any documentation stating that this is the way to ensure you will get the same IP, but for me it worked. Use with caution on production systems where you cannot afford to lose the IP!

-- John Doe
Source: StackOverflow

3/17/2017

I just tried a simple apply on an edited secret, and yes it worked. The web console and gcloud compute ssl-certificates list reported the change right away, and the load balancer started serving it up in about 10 minutes. It would be nice to have this officially documented! Especially because there are other corners of k8s where changes to secrets aren't automatically picked up, like deployments, so we don't take it for granted.

-- Gabe Kopley
Source: StackOverflow

9/18/2017

The Google L7 load balancer does exchange the underlying certificate if updated. You have to apply the correct annotations:

Secret

apiVersion: v1
kind: Secret
data:
  tls.crt: xxx
  tls.key: xxx
metadata:
  name: tls-secret
type: kubernetes.io/tls

Ingress

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: dev-ing
  annotations:
    # Do not forget this annotation
    kubernetes.io/ingress.class: "gce"
spec:
  tls:
    - hosts:
        - tryout.example.com
      secretName: tls-secret
  backend:
    serviceName: nginx
    servicePort: 80

The exchange happens somehow in the background; be aware of the time it takes (5-15 minutes).

-- Dag
Source: StackOverflow
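The last two answers rely on gcloud compute ssl-certificates list and a 5-15 minute wait to tell whether the rotated certificate is live. A more direct check is to compare the SHA-256 fingerprint of the certificate stored in the Secret with the fingerprint of the certificate the load balancer actually presents. The Python below is added here as an example and is not code from any of the answers: it builds a kubernetes.io/tls Secret manifest the way kubectl create secret tls does (data values are base64 of the PEM), extracts the certificate again from the JSON that kubectl get secret -o json prints, and compares fingerprints. The certificate and key bytes are constructed placeholders rather than a real X.509 certificate, and all function names are my own; in real use the served DER bytes would come from ssl.SSLSocket.getpeercert(binary_form=True) against the ingress IP.

```python
import base64
import hashlib
import json
import re

# Constructed sample: arbitrary bytes standing in for DER-encoded certificate
# and key material. Fingerprints are computed over the DER bytes inside the
# PEM envelope, so the logic is identical for a real certificate.
FAKE_DER = b"constructed-der-bytes-for-example-only"
FAKE_KEY = b"constructed-key-bytes-for-example-only"


def pem_encode(der: bytes, label: str) -> str:
    """Wrap DER bytes in a PEM envelope with 64-character base64 lines."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str, label: str = "CERTIFICATE") -> bytes:
    """Return the DER bytes of the first PEM block carrying the given label."""
    m = re.search(rf"-----BEGIN {label}-----\s*(.*?)\s*-----END {label}-----", pem, re.S)
    if not m:
        raise ValueError(f"no {label} block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def build_tls_secret(name: str, cert_pem: str, key_pem: str) -> dict:
    """Build a kubernetes.io/tls Secret manifest as `kubectl create secret tls`
    would: each data value is the base64 encoding of the PEM text."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name},
        "data": {
            "tls.crt": base64.b64encode(cert_pem.encode()).decode(),
            "tls.key": base64.b64encode(key_pem.encode()).decode(),
        },
    }


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase hex, the same form printed by
    `openssl x509 -noout -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def secret_cert_fingerprint(secret_json: str) -> str:
    """Fingerprint of the certificate held in a Secret (kubectl -o json output)."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls secret")
    cert_pem = base64.b64decode(secret["data"]["tls.crt"]).decode()
    return sha256_fingerprint(pem_to_der(cert_pem))


def served_matches_secret(secret_json: str, served_der: bytes) -> bool:
    """True when the certificate the load balancer presented (DER bytes, e.g.
    from ssl.SSLSocket.getpeercert(binary_form=True)) is the one in the Secret."""
    return secret_cert_fingerprint(secret_json) == sha256_fingerprint(served_der)


def sample_secret_json() -> str:
    """The constructed sample Secret, serialized like `kubectl get secret -o json`."""
    secret = build_tls_secret("tls-secret", pem_encode(FAKE_DER, "CERTIFICATE"),
                              pem_encode(FAKE_KEY, "PRIVATE KEY"))
    return json.dumps(secret)


if __name__ == "__main__":
    secret_json = sample_secret_json()
    print("fingerprint in secret:", secret_cert_fingerprint(secret_json))
    # While the load balancer still serves the previous certificate the check
    # fails; once the rotation described above completes it succeeds.
    print("old cert still served:", served_matches_secret(secret_json, b"old-der"))
    print("new cert served:      ", served_matches_secret(secret_json, FAKE_DER))
```

Polling served_matches_secret every minute or so after kubectl apply gives a concrete signal for the 5-15 minute window the answers mention, and the same fingerprint comparison catches a silently failed rotation, where the Secret changed but the load balancer kept the old certificate.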