Background:

SSL certificates are issued for one year, so by June the annual certificate replacement day had come around again. In the past the method has always been to delete the secret and then create a new one. On a whim this time I wondered whether there was another way, and a Baidu search did turn one up:

https://blog.csdn.net/cyxinda/article/details/107854881

My certificate is the TrustAsia domain name (DV) wildcard (1 year) SSL certificate purchased from Tencent cloud.



After all, cost was the consideration in applying for a DV wildcard domain certificate. The difference between DV and OV certificates:

[Image: comparison of DV and OV certificates, from the Internet]

How the TLS secret is created

You can refer to the official Kubernetes documentation on Secrets: https://kubernetes.io/zh/docs/concepts/configuration/secret/. Here I am only going to create a TLS secret.

In the Tencent Cloud SSL management page (https://console.cloud.tencent.com/ssl):



Find the relevant certificate and click Download to save the certificate locally.

Upload the certificate to the server and extract the ZIP file. The unzipped files are as follows:



I went directly to the Nginx folder; its files are as follows:



Of course, certificates downloaded from other platforms may not be packaged like this (as I recall Alibaba Cloud's are not; presumably they can be converted with openssl?).

 kubectl create secret tls all-xxx-com --key=2_xxx.com.key --cert=1_xxx.com_bundle.crt -n master

Applying the certificate in Traefik is covered in: Traefik2 installation to achieve HTTP HTTPS, 2019-12-27-Traefik. Now to the topic: replacing the expired certificate. Note: the following refers to https://blog.csdn.net/cyxinda/article/details/107854881

There are several ways to replace TLS certificates in Kubernetes:

1. Delete and rebuild

This is probably the most common one; I used it a lot anyway.

kubectl delete secret all-xxx-com -n master
kubectl create secret tls all-xxx-com --key=2_xxx.com.key --cert=1_xxx.com_bundle.crt -n master

2. Preview with the --dry-run parameter, then apply

kubectl create secret tls all-xxx-com --key=2_xxx.com.key --cert=1_xxx.com_bundle.crt -n master --dry-run=client -o yaml | kubectl apply -f -

Just a refresher on the --dry-run flag: it renders the Secret manifest without touching the cluster, and piping that manifest into kubectl apply updates the existing secret in place. On kubectl 1.18 and later the flag takes a value (--dry-run=client); older versions accept the bare --dry-run. This is also elegant.

3. Edit the secret and replace the contents of its keys directly

kubectl edit secret all-xxx-com -n master



Replace the tls.crt value in the secret with the base64 encoding of 1_xxx.com_bundle.crt, and the tls.key value with the base64 encoding of 2_xxx.com.key (each as a single line of base64 output).

4. A more elegant approach:



Personally, I prefer the second approach.
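The second approach wrapped into a script, as an added example that is not code from the original post: it checks that the new certificate and key belong together and that the certificate is still valid, then applies the rendered manifest over the existing secret and reads the served certificate back out of the cluster. The file names, secret name and namespace are the ones used in the post and are assumptions.

```shell
# Added example, not code from the original post: rotate a kubernetes.io/tls
# secret in place with the dry-run | apply pattern, after checking that the new
# certificate and key belong together and the certificate is not already expired.
# Assumed inputs (names taken from the post): bundle 1_xxx.com_bundle.crt,
# key 2_xxx.com.key, secret all-xxx-com in namespace master.
set -e

# Render the manifest that `kubectl create secret tls ... --dry-run=client -o yaml`
# prints. Needs only base64, so it works without kubectl and can be reviewed first.
secret_manifest() {  # name namespace cert_file key_file
  printf 'apiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\n'
  printf 'metadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
  printf 'data:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$(base64 < "$3" | tr -d '\n')" "$(base64 < "$4" | tr -d '\n')"
}

# Succeed only if the key's public key matches the certificate's and the cert
# has not expired. With a bundle, openssl x509 reads the first PEM block, which
# is the leaf when the bundle is ordered leaf-first as a TLS server expects.
cert_key_ok() {  # cert_file key_file
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Apply the manifest over the existing secret: it is updated, never deleted, so
# Traefik or any ingress controller never sees a window with no secret.
rotate_tls_secret() {  # name namespace cert_file key_file
  cert_key_ok "$3" "$4" || { echo "cert/key mismatch or certificate expired" >&2; return 1; }
  secret_manifest "$1" "$2" "$3" "$4" | kubectl apply -f -
  # Read tls.crt back out of the cluster to confirm what is now being served.
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -subject -enddate
}

# Usage, kept as a comment so the file can be sourced without side effects:
# rotate_tls_secret all-xxx-com master 1_xxx.com_bundle.crt 2_xxx.com.key
```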

To summarize:

  1. Deleting and rebuilding is the crudest approach, though other methods exist. The risk is the window between deleting the old secret and creating the new one, during which no secret exists.
  2. The Kubernetes API lets you update a secret, or interact with its metadata, via JSON or YAML files.
  3. The --dry-run parameter is useful.
  4. Secrets are namespaced too. If the same secret is needed in many namespaces, is there a convenient way to manage it?