HTTPS Load Balancer Certificate Consistency
Check Items
Check whether the certificate used by an HTTPS load balancer has been modified on ELB.
Solution
The certificate referenced by an HTTPS ingress created on CCE has been modified on the ELB console. As a result, the certificate content stored in the CCE cluster no longer matches the certificate in use on the load balancer. After the CCE cluster is upgraded, the load balancer's certificate is overwritten.
- Log in to the ELB console, choose Elastic Load Balance > Certificates, locate the certificate, and find the secret_id in the certificate description.
Figure 1 Viewing a certificate
The secret_id is the metadata.uid of the secret in the cluster. Use this UID to obtain the secret name in the cluster.
Run the following kubectl command to obtain the Secret name (replace <secret_id> with the actual value):
kubectl get secret --all-namespaces -o jsonpath='{range .items[*]}{"uid:"}{.metadata.uid}{" namespace:"}{.metadata.namespace}{" name:"}{.metadata.name}{"\n"}{end}' | grep <secret_id>
- Replace the certificate used by an Ingress with the one used by the load balancer. Then, you can create or edit the certificate on the ELB console.
- Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane on the left, choose Services & Ingresses. Click the Ingresses tab, locate the row containing the ingress that uses the certificate, and choose More > Update in the Operation column. If multiple ingresses are using this certificate, update the certificate for all of these ingresses. To check which ingresses are using a certificate, use the secretName parameter in spec.tls of the ingress YAML files.
Run the following kubectl command to obtain the ingresses using a certificate (replace <secret_name> with the actual value):
kubectl get ingress --all-namespaces -o jsonpath='{range .items[*]}{"namespace:"}{.metadata.namespace}{" name:"}{.metadata.name}{" tls:"}{.spec.tls[*]}{"\n"}{end}' | grep <secret_name>
- When configuring a listener, select ELB server certificate for Certificate Source and click OK. In this way, the certificate can be created or edited on the ELB console.
- On the ConfigMaps and Secrets page, delete the target secret. Before the deletion, back up data.
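The two lookups above (secret_id to Secret name, then Secret name to ingresses) can be chained with exact matching instead of grep. This is an added example, not part of the original documentation. It goes slightly beyond the commands on this page by also matching the namespace, because spec.tls[].secretName is resolved in the ingress's own namespace. The function names and sample objects are constructed for illustration; in practice the inputs would be the output of `kubectl get secret --all-namespaces -o json` and `kubectl get ingress --all-namespaces -o json`.

```python
import json

# Constructed sample data, shaped like `kubectl get ... --all-namespaces -o json` output.
SECRETS_JSON = json.dumps({"items": [
    {"metadata": {"uid": "11111111-aaaa-4bbb-8ccc-000000000001", "namespace": "prod", "name": "web-tls"}},
    {"metadata": {"uid": "11111111-aaaa-4bbb-8ccc-000000000002", "namespace": "staging", "name": "web-tls"}},
]})
INGRESSES_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "shop"},
     "spec": {"tls": [{"hosts": ["shop.example.com"], "secretName": "web-tls"}]}},
    {"metadata": {"namespace": "prod", "name": "api"}, "spec": {"tls": [{"secretName": "web-tls-v2"}]}},
    {"metadata": {"namespace": "staging", "name": "shop"}, "spec": {"tls": [{"secretName": "web-tls"}]}},
    {"metadata": {"namespace": "prod", "name": "plain"}, "spec": {}},  # no TLS section at all
]})

def find_secret(secrets_json, secret_id):
    """Return (namespace, name) of the Secret whose metadata.uid equals secret_id, else None."""
    for item in json.loads(secrets_json).get("items", []):
        meta = item.get("metadata", {})
        if meta.get("uid") == secret_id:
            return meta["namespace"], meta["name"]
    return None

def ingresses_using(ingresses_json, namespace, secret_name):
    """Return sorted (namespace, name) of ingresses whose spec.tls references the Secret.
    Namespace and secretName must both match exactly, unlike a substring grep."""
    hits = []
    for item in json.loads(ingresses_json).get("items", []):
        meta = item.get("metadata", {})
        tls = item.get("spec", {}).get("tls") or []
        if meta.get("namespace") == namespace and any(t.get("secretName") == secret_name for t in tls):
            hits.append((meta["namespace"], meta["name"]))
    return sorted(hits)

def ingresses_for_secret_id(secrets_json, ingresses_json, secret_id):
    """Chain both lookups: ELB secret_id -> Secret -> ingresses that must be updated."""
    secret = find_secret(secrets_json, secret_id)
    if secret is None:
        return None, []
    return secret, ingresses_using(ingresses_json, *secret)

if __name__ == "__main__":
    secret, ingresses = ingresses_for_secret_id(
        SECRETS_JSON, INGRESSES_JSON, "11111111-aaaa-4bbb-8ccc-000000000001")
    print("secret:", secret)
    for ns, name in ingresses:
        print("ingress to update:", ns, name)
```

With the sample data, a plain `grep web-tls` would also list prod/api (which uses web-tls-v2) and staging/shop (a different Secret with the same name), while the exact match reports only prod/shop.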