How to restart a GCP Ingress Item To Use Updated Secret

3/4/2019

I've updated the SSL certificate for my Kubernetes Ingress services, but I don't know how to restart the instances to use the updated cert secret without manually deleting and restarting the Ingress instances. That isn't ideal because of the number of ingresses that are making use of that specific cert (all sitting on the same TLD). How do I force it to use the updated secret?

-- moberemk
google-cloud-platform
google-kubernetes-engine
kubernetes

2 Answers

3/5/2019

You shouldn't need to delete the Ingress object to use the updated TLS Secret.

The GKE Ingress controller (https://github.com/kubernetes/ingress-gce) automatically picks up the updated Secret resource and updates it. (Open an issue on the repo if it doesn't.)

If you're not seeing the changes in ~10-20 minutes, I recommend editing the Ingress object trivially (for example, add a label or an annotation) so that the ingress controller picks up the object again and evaluates goal state vs the current state, then goes ahead to make the changes (update the TLS secret).

-- AhmetB - Google
Source: StackOverflow

3/6/2019

Turns out the reason why it wasn't updating was that the certs weren't chained properly; I uploaded the ca-bundle without the actual end cert, and I guess Google refuses to update the LB certs if they're not a valid chain. Which is weird, but, okay, sure.

-- moberemk
Source: StackOverflow
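
The second answer traces the stale certificate to a tls.crt that held the CA bundle without the end certificate. The script below is an added example (not code from either poster or from the ingress-gce project) that checks a Secret's certificate and key for that mistake and for wrong chain order; the secret name `my-tls`, the file names and the function name `check_tls_chain` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: check the tls.crt / tls.key of a kubernetes.io/tls Secret.
# Fetch them first ("my-tls" is a placeholder secret name):
#   kubectl get secret my-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
#   kubectl get secret my-tls -o jsonpath='{.data.tls\.key}' | base64 -d > tls.key

# check_tls_chain CRT KEY  -> exit status:
#   0 ok
#   1 no certificate found in CRT
#   2 first certificate does not belong to KEY (e.g. CA bundle without end cert)
#   3 a certificate's issuer is not the subject of the next one (wrong order)
check_tls_chain() {
  local crt="$1" key="$2" tmp rc=0 i=1 leaf_pub key_pub
  tmp=$(mktemp -d) || return 1
  # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                   n {print > (d "/" n ".pem")}' "$crt"
  if [ ! -f "$tmp/1.pem" ]; then
    rc=1
  else
    # The end (leaf) certificate must come first and carry the key's public half.
    leaf_pub=$(openssl x509 -in "$tmp/1.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$leaf_pub" ] || [ "$leaf_pub" != "$key_pub" ]; then
      rc=2
    else
      # Name chaining only: this compares issuer/subject names, not signatures.
      while [ -f "$tmp/$((i + 1)).pem" ]; do
        if [ "$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)" != \
             "$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject_hash)" ]; then
          rc=3
          break
        fi
        i=$((i + 1))
      done
    fi
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Command-line use: ./check_tls_chain.sh tls.crt tls.key
if [ "$#" -eq 2 ]; then
  check_tls_chain "$1" "$2"
  echo "check_tls_chain exit status: $?"
fi
```

A status of 2 on a file whose first certificate is an intermediate reproduces the situation described in the second answer.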