Closed hadim closed 4 years ago
The certificates will be deleted if you follow the cleanup procedure, i. e. delete the ManagedCertificate resources (and possibly detach them from the managed-certificates annotation). Once you do that, you should allow some time for the automation to catch up the changes. Would this be an option for you?
What do you mean by "follow the cleanup procedure"? At the moment, after the cluster has been deleted, I wait for ~30s and then perform the deletion manually:
gcloud compute ssl-certificates delete --quiet $CERTIFICATE_NAME
If that manual deletion could be done automatically when the certificate was attached to a GKE cluster but is not anymore that would perfect. Is that the kind of mechanism you are talking about?
Could you tear down the ManagedCertificate resources, e. g. kubectl delete mcrt --all, and then delete the cluster?
Oh I see. I could definitely do that. Would that also delete the certificate on GCP, or is it a feature not available yet?
It will if you give it enough time.
Thanks @krzykwas. I will report here next time I delete a cluster.
Indeed it works with kubectl delete mcrt --all -A. I thought this kind of explicit deletion was called upon cluster deletion using gcloud, but no, it's important to call kubectl delete mcrt --all -A.
Thanks @krzykwas.
I think we should not remove the certificates automatically, otherwise it will be hard to do cluster migration like https://stackoverflow.com/questions/61794789/how-to-migrate-managedcertificates-from-regional-to-zonal-gke-cluster-without-do.
One side question: how can I complete the migration? I want to create the certificate in the new cluster, but it looks like I have to delete the old certificate first, otherwise it would get stuck in provisioning. And deleting the old certificates would cause downtime?
The standard way to do the migration is to use a self-managed certificate https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs.
In the situation described on Stackoverflow, I suggest creating a new ManagedCertificate in the new cluster and attaching it to the new GKE Ingress. After the new ManagedCertificate becomes Active, please wait 5 more minutes and then remove the old SslCertificate (mcrt-...) from the pre-shared-cert annotation on the new Ingress, and proceed with deleting whatever was left in the old cluster.
Make sure NOT to remove from the pre-shared-cert annotation on the new GKE Ingress the SslCertificate created by the new ManagedCertificate (also named mcrt-..., with a different suffix).
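The migration step above, written out as an added example (not code from the managed-certs-gke project or from this thread): it checks that the new ManagedCertificate reports Active, then rewrites the ingress.gcp.kubernetes.io/pre-shared-cert annotation so that only the old mcrt-... name is dropped and the new cluster's own mcrt-... entry is kept. The certificate names used in the comments and the MCRT/INGRESS/OLD_CERT variables are constructed placeholders; the status field name status.certificateStatus is assumed from the ManagedCertificate CRD.

```shell
#!/bin/sh
# remove_cert ANNOTATION_VALUE OLD_NAME
# Prints the comma-separated annotation value with OLD_NAME removed and every
# other entry (e.g. the new ManagedCertificate's mcrt-<new-suffix>) kept.
# Pure string handling, so it can be checked offline with constructed values.
remove_cert() {
    value=$1
    old=$2
    result=""
    saved_ifs=$IFS
    IFS=,
    for name in $value; do
        # trim surrounding whitespace around each entry
        name=$(printf '%s' "$name" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$name" ] && continue
        [ "$name" = "$old" ] && continue
        if [ -z "$result" ]; then
            result=$name
        else
            result="$result,$name"
        fi
    done
    IFS=$saved_ifs
    printf '%s' "$result"
}

# finish_migration MCRT_NAME INGRESS_NAME OLD_CERT_NAME
# Refuses to touch the Ingress until the new ManagedCertificate is Active;
# the thread's "wait 5 more minutes after Active" is left to the operator.
finish_migration() {
    mcrt=$1; ingress=$2; old=$3
    status=$(kubectl get mcrt "$mcrt" -o jsonpath='{.status.certificateStatus}')
    if [ "$status" != "Active" ]; then
        echo "ManagedCertificate $mcrt is '$status', not Active; retry later" >&2
        return 1
    fi
    current=$(kubectl get ingress "$ingress" \
        -o jsonpath='{.metadata.annotations.ingress\.gcp\.kubernetes\.io/pre-shared-cert}')
    updated=$(remove_cert "$current" "$old")
    echo "pre-shared-cert: '$current' -> '$updated'"
    kubectl annotate ingress "$ingress" --overwrite \
        "ingress.gcp.kubernetes.io/pre-shared-cert=$updated"
}

# Live step only runs when all three placeholders are set in the environment.
if [ -n "${MCRT:-}" ] && [ -n "${INGRESS:-}" ] && [ -n "${OLD_CERT:-}" ]; then
    finish_migration "$MCRT" "$INGRESS" "$OLD_CERT"
fi
```

Run it as MCRT=<new-mcrt> INGRESS=<new-ingress> OLD_CERT=<old mcrt-... name> sh migrate.sh against the new cluster's kubectl context.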
When shutting down a cluster, the certificates associated with the ingresses are not being deleted and tend to accumulate. I figured this out when reaching the quota of 30 certs. No new ones were created and it took me time to realize it was a quota issue.
Would it make sense to add an option to the ingress object annotation to delete a cert whenever an ingress or the whole cluster is deleted?
Or maybe at the level of the GCP load balancer?