Help Center/ Cloud Container Engine/ FAQs/ Networking/ Network Configuration/ How Can I Synchronize Certificates When Multiple Ingresses in Different Namespaces Share a Listener?
Updated on 2024-11-11 GMT+08:00

How Can I Synchronize Certificates When Multiple Ingresses in Different Namespaces Share a Listener?

Context

In a cluster, multiple ingresses can share the same listener, allowing them to use the same port on a single load balancer. When two ingresses are set up with HTTPS certificates, the server certificate that is used will be based on the configuration of the earliest ingress.

If ingresses in separate namespaces use the same listener and TLS certificates, due to namespace isolation, the secrets associated with the TLS certificates may not display normally for the ingress that was created later.

The following table shows an example for the configurations of two ingresses.

Ingress Name

ingress1

ingress2

Namespace

namespace1

namespace2

Creation Time

2024-04-01

2024-04-02

Protocol

HTTPS

HTTPS

Load Balancer

elb1

elb1

Port

443

443

Certificate Source

TLS key

TLS key

Secret Corresponding to the TLS Secret

namespace1/secret1

namespace2/secret2

Valid Certificate

namespace1/secret1

namespace1/secret1

Symptom

Within a given cluster, ingress1 and ingress2 are created in namespace1 and namespace2, respectively. Both ingresses connect to the same listener and use TLS certificates.

Ingress1's certificate is used because ingress1 was created first. But, ingress2 cannot read the configuration of secret1 because it is in a different namespace than namespace1. As a result, the configuration page of ingress2 will display the following information.

Solution

Each load balancer certificate has a corresponding TLS key, and the key content is identical. The CCE agency permissions enable access to certificate information without namespace restrictions. This means that you can switch the certificate source of ingress1 to the server certificate and assign the load balancer certificate corresponding to the TLS key. The configuration modification page of ingress2 displays the server certificate that works.

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Services & Ingresses, click the Ingresses tab, and click the load balancer link of ingress1 to go to the ELB console.
  3. Click the Listeners tab, find the listener based on the port configured for ingress1, and click the listener name to go to the details page.
  4. On the page displayed, find and record the server certificate.

  5. Go back to the CCE console. On the Ingresses tab, locate the row containing ingress1 and choose More > Update in the Operation column. In the window that slides out from the right, set Certificate Source to ELB server certificate, select the server certificate obtained in the previous step, and click OK.

    The certificate source of ingress1 has been changed from the TLS key to the server certificate, but the key content remains the same, as does the configuration that is applied.

  6. Switch to namespace2. On the Ingresses tab, locate the row containing ingress2 and choose More > Update in the Operation column. In the window that slides out from the right, locate the Server Certificate parameter in the Listener area, click Synchronize, and click OK.

  7. Verify that the configuration of ingress2 is displayed properly after the update is complete.