HTTPS Load Balancer Certificate Consistency¶
Check Items¶
Check whether the certificate used by an HTTPS load balancer has been modified on ELB.
Solution¶
The certificate referenced by an HTTPS Ingress created on CCE is modified on the ELB console. This leads to inconsistent certificate content in the CCE cluster and that required by the load balancer. After the CCE cluster is upgraded, the load balancer's certificate is overwritten.
Log in to the ELB console, choose Elastic Load Balance > Certificates, locate the certificate, and find the secret_id in the certificate description.
The secret_id is the metadata.uid of the Secret in the cluster. Use this UID to obtain the Secret name in the cluster.
Run the following kubectl command to obtain the Secret name (replace <secret_id> with the actual value):
kubectl get secret --all-namespaces -o jsonpath='{range .items[*]}{"uid:"}{.metadata.uid}{" namespace:"}{.metadata.namespace}{" name:"}{.metadata.name}{"\n"}{end}' | grep <secret_id>
Only clusters of v1.19.16-r2, v1.21.5-r0, v1.23.3-r0, and later versions support certificates required by load balancers. For clusters of the earlier versions, see Solution 1. For clusters of other versions, see Solution 2.
Solution 1: Replace the certificate used by an Ingress with the one used by the load balancer. Then, you can create or edit the certificate on the ELB console.
Log in to the CCE console and click the cluster name to access the cluster console. Choose Networking in the navigation pane, click the Ingresses tab, locate the row containing the Ingress that uses the certificate, and choose More > Update in the Operation column. If multiple Ingresses are using this certificate, update the certificate for all of these Ingresses. To check which Ingresses are using a certificate, use the secertName parameter in spec.tls of the Ingress YAML files.
Run the following kubectl command to obtain the Ingresses using a certificate (replace <secret_id> with the actual value):
kubectl get ingress --all-namespaces -o jsonpath='{range .items[*]}{"namespace:"}{.metadata.namespace}{" name:"}{.metadata.name}{" tls:"}{.spec.tls[*]}{"\n"}{end}' | grep <secret_name>
When configuring a listener, select ELB server certificate for Certificate Source and click OK. In this way, the certificate can be created or edited on the ELB console.
On the Configurations And Secrets page, delete the target Secret. Before the deletion, back up data.
Solution 2: Overwrite the certificate used by an Ingress with the corresponding Secret resource of the cluster to prevent the certificate being updated on the ELB console during the cluster upgrade.
Log in to the CCE console and click the cluster name to access the cluster console. Choose Configurations And Secrets from the navigation pane, click the Secrets tab, locate the row containing the target Secret, click Update in the Operation column, and enter the certificate you are using.