So I need to change an expired SSL certificate. Unfortunately, the one responsible for this task has passed away suddenly. I have no experience with Google Cloud, Kubernetes or ingress.

If I go to the Google Cloud console, to load balancers, and click on the only one shown, it shows the certificate named "k8s-ssl-xyz", which is the expired one I need to change. I tried editing this load balancer, under frontend settings, and creating a new certificate. That worked, but after a few minutes it reverts itself back to the old certificate.

Under Kubernetes Engine, Services and Ingress, there is a service called "basic-ingress4". Its YAML file contains a line stating:

ingress.kubernetes.io/ssl-cert: k8s-ssl-xyz

I tried changing "k8s-ssl-xyz" to the name of the certificate I created earlier, but it also gets reverted to the old one after a while.

gcloud beta compute ssl-certificates list

Returns:

NAME         TYPE     CREATION_TIMESTAMP  EXPIRE_TIME  MANAGED_STATUS
k8s-ssl-xyz           2019-10-01          2019-08-15
newcert      MANAGED  2019-09-30          2019-12-29   ACTIVE
    x.yz.de: ACTIVE

I also tried

gcloud compute target-https-proxies update k8s-tps-xyz --ssl-certificates newcert

And it returned "Updated [...]" but it didn't work either.

Basically, I am lost here. How can I change this certificate without it resetting itself?

Dawg

1 Answer


I worked it out. The basic-ingress4 service had an entry in its YAML called 'spec->tls->secretName'. Running the command kubectl get secrets returned a secret with this name. kubectl describe secret/secretname showed that it was indeed a TLS secret for the host whose secret I wanted to change.

So by doing

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls.key -out /tmp/tls.crt -subj "/CN=foo.bar.com"

followed by

kubectl create secret tls foo-secret --key /tmp/tls.key --cert /tmp/tls.crt

I created a new secret containing a new certificate. Changing the secretName key in the yaml file to the new name of the secret foo-secret finally changed the certificate for good.

/E: If one wants to use a Google-managed certificate, removing the 'secretName' entry and changing the load balancer to a Google-managed certificate works.

Dawg
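As an added example (not part of the original question or answer), this script performs the rotation the answer describes at the Ingress level, so the GKE controller keeps the new certificate instead of reverting a hand-edited load balancer. The ingress name basic-ingress4 comes from the post; the new secret name, the certificate paths and the assumption of a single spec.tls entry are mine.

```shell
#!/usr/bin/env sh
# Added example: rotate the TLS certificate served by a GKE Ingress by replacing
# the Secret referenced in spec.tls. The Ingress controller reconciles the load
# balancer from this Secret, so changes made only in the console are undone.
# Assumed: one spec.tls entry, kubectl configured for the right cluster.
set -eu

# Build the JSON Patch that points the first spec.tls entry at a new Secret.
tls_patch_json() {
  secret="$1"
  printf '[{"op":"replace","path":"/spec/tls/0/secretName","value":"%s"}]' "$secret"
}

# Return 0 if the PEM certificate in $1 is still valid for at least $2 days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Rotate: refuse a near-expiry cert, create the Secret, repoint the Ingress,
# then read the installed certificate back to confirm what is actually served.
rotate_ingress_tls() {
  ingress="$1"; secret="$2"; key="$3"; cert="$4"
  if ! cert_valid_for_days "$cert" 30; then
    echo "refusing to install $cert: it expires within 30 days" >&2
    return 1
  fi
  kubectl create secret tls "$secret" --key "$key" --cert "$cert"
  kubectl patch ingress "$ingress" --type=json -p "$(tls_patch_json "$secret")"
  kubectl get secret "$secret" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -subject -enddate
}

# Usage with assumed names:
#   rotate_ingress_tls basic-ingress4 foo-secret-2019-10 /tmp/tls.key /tmp/tls.crt
```

Using a dated secret name rather than reusing the old one keeps the previous Secret available for a quick rollback with the same patch.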