Hi Community,
We are using the Traefik Ingress Controller in our Kubernetes cluster in AWS (EKS).
We use a Network Load Balancer to allow access to the cluster.
Problem statement - renewed TLS certificates are not reflected. Our TLS certificates expire in a month's time. We have renewed the certificate (I have listed the steps we followed for certificate renewal below), but the new certificates are not reflected when we access the URL in a browser.
A few details of our environment -
Kubernetes version - 1.14
Traefik image - traefik:1.7
Here is a short snippet of our Traefik ingress controller (indentation was corrupted during copy-paste; pasted for reference, it's a working copy):
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-corp-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-corp-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-corp-ingress-lb
spec:
  replicas: 3
  selector:
    matchLabels:
      k8s-app: traefik-corp-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-corp-ingress-lb
      name: traefik-corp-ingress-lb
    spec:
      serviceAccountName: traefik-corp-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
        - image: traefik:1.7
          name: traefik-corp-ingress-lb
          ports:
            - name: https
              containerPort: 443
          args:
            - --api
            - --kubernetes
            - --kubernetes.ingressclass=traefik-corp
            - --logLevel=INFO
            - --defaultentrypoints=https
            - --entrypoints=Name:https Address::443 TLS
            - --insecureSkipVerify=true
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-corp-ingress-service-v2
  namespace: kube-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
  selector:
    k8s-app: traefik-corp-ingress-lb
  ports:
    - port: 443
      name: https
  type: LoadBalancer
```
We generated certificates two years back for a wildcard with common name -
Common name: *.mydomain.company.com

Certificate renewal process we followed (as it's about to expire):

- Received a new certificate from our security team with the same common name, as a PFX file.
  Common name: *.mydomain.company.com
- Used openssl to generate the .key, .cer and .chain files from the PFX:

```shell
# private key only (-nocerts), written unencrypted (-nodes)
openssl pkcs12 -in wildcard.mydomain.company.com.1234567890.pfx -nocerts -nodes -out wildcard.mydomain.company.com.key
# leaf certificate only (-clcerts), no key
openssl pkcs12 -in wildcard.mydomain.company.com.1234567890.pfx -clcerts -nokeys -out wildcard.mydomain.company.com.cer
# CA chain only (-cacerts), no key
openssl pkcs12 -in wildcard.mydomain.company.com.1234567890.pfx -cacerts -nokeys -out wildcard.mydomain.company.com.chain
```

- Applied the new TLS certificate in the cluster:

```shell
kubectl delete secret wildcard-my-tls-cert -n dev
kubectl create secret tls wildcard-my-tls-cert --key=wildcard.mydomain.company.com.key --cert=wildcard.mydomain.company.com.cer -n dev
```

- I checked in the Kubernetes dashboard and the certificates are updated.
- Example of a sample ingress resource we create:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{.Chart.Name}}-corp
  annotations:
    kubernetes.io/ingress.class: traefik-corp
spec:
  rules:
    - host: dev-customer-service.mydomain.company.com
      http:
        paths:
          - path: /
            backend:
              serviceName: customer-service
              servicePort: 80
  tls:
    - secretName: wildcard-my-tls-cert
```
**New certificates are not reflected.**
Any advice from the community on what further details we should check to fix the issue?
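The first thing to establish for a "renewed certificate not showing up" report is whether the certificate stored in the secret is the one actually presented on the wire. The following Python script is an added example, not code from the original post or from Traefik: it decodes the `kubernetes.io/tls` secret, sanity-checks that `tls.crt` really holds certificates (not a private key, which is what a `pkcs12 -nocerts` run would produce), fingerprints the leaf, then connects to the host with SNI through the load balancer and fingerprints the leaf it receives. The secret name, namespace and hostname in the usage line are taken from the post and are assumptions; `kubectl` and network access are needed only in `main()`, the checks themselves run offline on constructed input.

```python
"""Compare the leaf certificate in a kubernetes.io/tls secret with the one served on the wire.

Added example, not code from the original post or from Traefik. Assumptions: the
secret name, namespace and host are the ones from the post; kubectl and network
access are needed only in main(), the checks themselves run offline.
"""
import base64
import hashlib
import json
import re
import socket
import ssl
import subprocess
import sys

# One PEM block: its label (CERTIFICATE, PRIVATE KEY, ...) and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(pem_text):
    """Return [(label, der_bytes)] for every PEM block in the text, in order."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_tls_secret(secret):
    """Sanity-check a TLS secret (dict as returned by `kubectl get secret -o json`)."""
    data = secret.get("data", {})
    crt = pem_blocks(base64.b64decode(data.get("tls.crt", "")).decode())
    key = pem_blocks(base64.b64decode(data.get("tls.key", "")).decode())
    certs = [der for label, der in crt if label == "CERTIFICATE"]
    problems = []
    if not certs:
        problems.append("tls.crt holds no CERTIFICATE block")
    if any("PRIVATE KEY" in label for label, _ in crt):
        problems.append("tls.crt holds a private key (pkcs12 run with -nocerts instead of -clcerts?)")
    if not any("PRIVATE KEY" in label for label, _ in key):
        problems.append("tls.key holds no private key")
    return {"leaf_fingerprint": fingerprint(certs[0]) if certs else None,
            "chain_length": len(certs), "problems": problems}


def served_leaf_fingerprint(host, port=443, timeout=5.0):
    """Fingerprint of the leaf certificate presented for `host` (SNI sent, through the NLB).

    Verification is disabled on purpose: the point is to see whatever is served.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


def certificates_match(secret, served_fp):
    """True when the leaf in the secret is the leaf actually being served."""
    leaf = inspect_tls_secret(secret)["leaf_fingerprint"]
    return leaf is not None and leaf == served_fp


def pem(label, der):
    """Encode bytes as one PEM block (used to build constructed sample secrets)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def sample_secret(crt_pem, key_pem):
    """Constructed secret dict shaped like the API server's kubernetes.io/tls object."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {"type": "kubernetes.io/tls",
            "data": {"tls.crt": enc(crt_pem), "tls.key": enc(key_pem)}}


def main(argv):
    # Usage: python check_cert.py wildcard-my-tls-cert dev dev-customer-service.mydomain.company.com
    name, namespace, host = argv[1:4]
    secret = json.loads(subprocess.check_output(
        ["kubectl", "get", "secret", name, "-n", namespace, "-o", "json"]))
    info = inspect_tls_secret(secret)
    served = served_leaf_fingerprint(host)
    print(f"secret leaf : {info['leaf_fingerprint']} ({info['chain_length']} cert(s) in tls.crt)")
    print(f"served leaf : {served}")
    for problem in info["problems"]:
        print(f"problem     : {problem}")
    print("MATCH" if certificates_match(secret, served)
          else "MISMATCH: Traefik is serving a different certificate than this secret")


if __name__ == "__main__":
    main(sys.argv)
```

If the two fingerprints match, the cluster is already serving the new certificate and what the browser shows is a cached session or a stale intermediate proxy; if they differ, Traefik is selecting another certificate for that hostname (a leftover static or default certificate, or a secret from a different namespace) and that is where to look next. Note also that `kubectl create secret tls --cert` accepts a PEM bundle: concatenating the `.cer` and `.chain` files into one file makes Traefik send the full chain rather than only the leaf, which the `chain_length` value above will confirm.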