HTTPS Load Balancer Certificate Consistency
Check Items
Check whether the certificate used by an HTTPS load balancer has been modified on ELB.
Solution
The certificate referenced by an HTTPS ingress created on CCE is modified on the ELB console. This leads to inconsistent certificate content in the CCE cluster and that required by the load balancer. After the CCE cluster is upgraded, the load balancer's certificate is overwritten.
- Log in to the ELB console, choose Elastic Load Balance > Certificates, locate the certificate, and find the secret_id in the certificate description.
Figure 1 Viewing a certificate
The secret_id is the metadata.uid of the secret in the cluster. Use this UID to obtain the secret name in the cluster.
Run the following kubectl command to obtain the Secret name (replace <secret_id> with the actual value):kubectl get secret --all-namespaces -o jsonpath='{range .items[*]}{"uid:"}{.metadata.uid}{" namespace:"}{.metadata.namespace}{" name:"}{.metadata.name}{"\n"}{end}' | grep <secret_id> - Replace the certificate used by an Ingress with the one used by the load balancer. Then, you can create or edit the certificate on the ELB console.
- Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane on the left, choose Services & Ingresses. Click the Ingresses tab, locate the row containing the ingress that uses the certificate, and choose More > Update in the Operation column. If multiple ingresses are using this certificate, update the certificate for all of these ingresses. To check which ingresses are using a certificate, use the secretName parameter in spec.tls of the ingress YAML files.
Run the following kubectl command to obtain the ingresses using a certificate (replace <secret_id> with the actual value):
kubectl get ingress --all-namespaces -o jsonpath='{range .items[*]}{"namespace:"}{.metadata.namespace}{" name:"}{.metadata.name}{" tls:"}{.spec.tls[*]}{"\n"}{end}' | grep <secret_name> - When configuring a listener, select ELB server certificate for Certificate Source and click OK. In this way, the certificate can be created or edited on the ELB console.
- On the ConfigMaps and Secrets page, delete the target secret. Before the deletion, back up data.
- Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane on the left, choose Services & Ingresses. Click the Ingresses tab, locate the row containing the ingress that uses the certificate, and choose More > Update in the Operation column. If multiple ingresses are using this certificate, update the certificate for all of these ingresses. To check which ingresses are using a certificate, use the secretName parameter in spec.tls of the ingress YAML files.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
