Updating SSL certificates in Kubernetes on Oracle Cloud

When you secure your servers and APIs, you need SSL certificates. Since they don't last for ever, you will have to update them every year, or every other year.

In OKE (Kubernetes on Oracle Cloud), there are two slightly different ways of doing this, depending on the kind of component you are using. Unfortunately, the Oracle documentation does not describe how to update SSL certificates in Kubernetes. 

Update an Ingress controller 

An ingress that is used for SSL termination looks something like this: 

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - secretName: my-ssl-secret-name
  rules:
  - http:
      paths:
      - backend:
          serviceName: my-backend-svc
          servicePort: 8088

The Oracle documentation has a clear description of how to setup an ingress controller with TLS. Basically you create an ingress controller and a TLS secret and apply an ingress.yaml.  Note that when you check the load balancer in the OCI console that is associated with the ingress, there is no SSL certificate listed there, this is completely handled from within the Kubernetes cluster.

There is no mention of how to update the certificate but that is actually very simple: you can update the values in the existing Kubernetes secret (for example using the dashboard or a script) and the ingress controller will pick up the new certificate automatically. 

Update a service of type Load Balancer

A service of type load balancer yaml looks something like this: 

kind: Service
apiVersion: v1
metadata:
  name: my-frontend-service
  annotations:
    service.beta.kubernetes.io/oci-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/oci-load-balancer-tls-secret: my-ssl-secret-name

spec:
  selector:

Again, the Oracle documentation has a clear description of how to setup a service with a load balancer.  It describes a similar procedure: you create a service and secret in Kubernetes and apply this. However, because the kind of deployment is a service which specifies a load balancer, the certificate is picked up by the OCI Load Balancer and copied there.

Again there is no mention of how to update the certificate. When you change the value of the certificate in the secret in Kubernetes, the change is not picked up by the OCI Load Balancer. There are a lot of warnings in the documentation not to change it in OCI directly, so that is not an option.  The procedure to update the certificate is:

1. Create a new secret with a new certificate and private key
2. Update the service yaml to point to the new secret
3. Apply the updated service yaml (don't create the service, just apply the updated yaml on the existing service) using kubectl apply -f [name of your yaml]
4. Delete the previous secret.

To streamline the procedure, we have decided to create a new secret for both the ingress controller and the service so we don't end up with multiple secrets containing the same wildcard certificate and to make sure we can use one procedure for both types of components.

I hope the documentation will be updated by Oracle to include an instruction for updating SSL certificates. In the mean time I hope this post helps you when you need to update your SSL certificates. 

Happy coding! 😀

Upgrade your kubeconfig in Oracle Cloud Infrastructure to version 2.0.0

On September 16th, Oracle sent out a notification about a change that needs action before November 15th 2019: you need to upgrade your kubeconfig file from version 1.0.0 to version 2.0.0

Unfortunately, the links in the mail don't describe how to upgrade it, just how to download it....

So here is a short blog that describes what I did on my machine to upgrade my kubecofig file.

Update the config file

1. open a command window
2. type oci -v
3. If the version is 2.6.4 or higher, you are fine. Otherwise type: pip install oci-cli --upgrade Take a look at this page if you encounter issues: Upgrading the CLI
4. type oci ce cluster create-kubeconfig --cluster-id [your cluster ocid] --file $HOME/.kube/config --region [your region] --token-version 2.0.0 

The response should be:

Existing Kubeconfig file found at C:\Users\ldikmans/.kube/config and new config merged into it

Test the new config

Please make sure you test your configuration by starting your proxy and open a browser that points to it:

1. Open a command window
2. Type kubectl proxy
3. Open a browsser window
4. Add the URL: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
5. Select your updated kubeconfig file

Fix problems

If you get the error "Not enough data to create auth info structure." ,  follow these steps:

1. open a command prompt
2. type kubectl get secrets -n kube-system
3. type kubectl describe secret -n kube-system kubernetes-dashboard-token-jjtzg (or whatever your dashboard service account user has as a token)
4. copy the resulting token
5. open the browser 
6. Add the URL: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
7. Select "Token"
8. Paste the token you copied in step 4 in the field for token

When the dashboard opens properly, store the token in a file so you can copy it in the next time.

Now you are all set!

Happy coding 😀



ps: I would have been nice if this instruction was in the mail Oracle sent. Unfortunately it points to a link that contains the regular installation that does not explain it will merge it automatically. The good news is it was easier than it looked!

ps2: I think you should be able to store the token in the config file as well. However, so far I did not manage to make this work in my environment.