Ingress certificates created in the Tencent Kubernetes Engine (TKE) console will reference certificates hosted in the SSL Certificate Service. If an Ingress is used for a long time, the Ingress certificate may expire, which will have a major impact on online businesses. This document describes how to renew an Ingress certificate before it expires.
Querying the certificate expiration time
- Log in to the SSL Certificate Service console and click Certificate Management in the left sidebar.
- In the certificate list, click Expiry date to view certificates that are about to expire.
Adding a certificate
On the Certificate management page, you can renew an existing certificate to generate a new certificate. You can Purchase certificate, Apply for free certificate, or Upload certificate to add a certificate.
Viewing Ingresses referencing old certificate
- Log in to the SSL Certificate Service console and select Associate cloud resources next to a certificate to view the load balancer that references this certificate.
- Click the load balancer ID to redirect to the CLB details page. If the CLB is used for the TKE Ingress,
tke-lb-ingress-uuid will appear in the Tag section.
tke-lb-ingress-uuid indicate the cluster ID and Ingress UID, respectively.
- On the Basic info page of the CLB, click the editing icon in the tag line to enter the Edit tags page.
- Use Kubectl to query the Ingress of the cluster based on the cluster ID and filter out the Ingress resource whose UID is
tke-lb-ingress.uuid. The sample reference code is as follows:
$ kubectl get ingress --all-namespaces -o=custom-columns=NAMESPACE:.metadata.namespace,INGRESS:.metadata.name,UID:.metadata.uid | grep 1a******-****-****-a329-eec697a28b35
api-prod gateway 1a******-****-****-a329-eec697a28b35
According to the query result,
api-prod/gateway in this cluster references the certificate. Therefore, this Ingress needs to be updated.
Updating an Ingress
- In the TKE console, find the Ingress that references the old certificate and click Update forwarding configuration.
- On the Update forwarding configuration page, create a secret for the new certificate.
On the Create key page, select the new certificate and click Create secret.
Return to the Update forwarding configuration page, modify the TLS configuration of the Ingress, and add the created certificate secret.
Click Update forwarding configuration to renew the Ingress certificate.