How Can I Synchronize Certificates When Multiple Ingresses in Different Namespaces Share a Listener?
Context
In a cluster, multiple ingresses can share the same listener, allowing them to use the same port on a single load balancer. When two ingresses are set up with HTTPS certificates, the server certificate that is used will be based on the configuration of the earliest ingress.
If ingresses in separate namespaces use the same listener and TLS certificates, due to namespace isolation, the secrets associated with the TLS certificates may not display normally for the ingress that was created later.
The following table shows an example for the configurations of two ingresses.
|
Ingress Name |
ingress1 |
ingress2 |
|---|---|---|
|
Namespace |
namespace1 |
namespace2 |
|
Creation Time |
2024-04-01 |
2024-04-02 |
|
Protocol |
HTTPS |
HTTPS |
|
Load Balancer |
elb1 |
elb1 |
|
Port |
443 |
443 |
|
Certificate Source |
TLS key |
TLS key |
|
Secret Corresponding to the TLS Secret |
namespace1/secret1 |
namespace2/secret2 |
|
Valid Certificate |
namespace1/secret1 |
namespace1/secret1 |
Symptom
Within a given cluster, ingress1 and ingress2 are created in namespace1 and namespace2, respectively. Both ingresses connect to the same listener and use TLS certificates.
Ingress1's certificate is used because ingress1 was created first. But, ingress2 cannot read the configuration of secret1 because it is in a different namespace than namespace1. As a result, the configuration page of ingress2 will display the following information.
Solution
Each load balancer certificate has a corresponding TLS key, and the key content is identical. The CCE agency permissions enable access to certificate information without namespace restrictions. This means that you can switch the certificate source of ingress1 to the server certificate and assign the load balancer certificate corresponding to the TLS key. The configuration modification page of ingress2 displays the server certificate that works.
- Log in to the CCE console and click the cluster name to access the cluster console.
- In the navigation pane, choose Services & Ingresses, click the Ingresses tab, and click the load balancer link of ingress1 to go to the ELB console.
- Click the Listeners tab, find the listener based on the port configured for ingress1, and click the listener name to go to the details page.
- On the page displayed, find and record the server certificate.
- Go back to the CCE console. On the Ingresses tab, locate the row containing ingress1 and choose More > Update in the Operation column. In the window that slides out from the right, set Certificate Source to ELB server certificate, select the server certificate obtained in the previous step, and click OK.
The certificate source of ingress1 has been changed from the TLS key to the server certificate, but the key content remains the same, as does the configuration that is applied.
- Switch to namespace2. On the Ingresses tab, locate the row containing ingress2 and choose More > Update in the Operation column. In the window that slides out from the right, locate the Server Certificate parameter in the Listener area, click Synchronize, and click OK.
- Verify that the configuration of ingress2 is displayed properly after the update is complete.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
