GLBC: k8s 1.6 fails to replace certificate #609
Comments
I'm able to reproduce with the following steps:
The following is logged:
During the first sync after restart, the certificate is re-created using the primary name, the HTTPS Target Proxy is updated, but the certificate with the secondary name is not deleted. On next secret change, the controller will fail to create a certificate since the secondary name is used. I'll write up a fix.
cc'ing @thockin who has experienced this before.
I also have a cluster this has been happening in for many months. If y'all need more data, I'm willing to provide!
Environment: Kubernetes 1.6 on GKE.
On https://console.cloud.google.com/home/activity?project=MyProjectName I saw that every 10 minutes Kubernetes tried to replace the SSL certificate on GLBC, with the following error message:
I then proceeded to go to https://console.cloud.google.com/networking/loadbalancing/advanced/sslCertificates/list?project=MyProjectName and removed the unused certificate k8s-ssl-default-ingress-xxxxxxxxx (notice that this was the unused cert but did not have the ssl-1 name).
After a short while there was a new ssl-default cert (same suffix as before) marked as used, and the ssl-1-default cert was marked as unused.
Now, every 10 minutes https://console.cloud.google.com/home/activity?project=MyProjectName reports that the SSL cert on GLBC was successfully updated.
The state of my certs is now:
ssl-1-default: Unused.
ssl-default: Used.
No error messages in the activity log.