GoogleCloudPlatform / gke-managed-certs

Managed Certificates for Kubernetes clusters using GCLB
Apache License 2.0

Adding domains to ManagedCertificate doesn't update the certificate #53

Closed dpkirchner closed 3 years ago

dpkirchner commented 3 years ago

Adding a domain to the domains array in a ManagedCertificate object doesn't update the certificate; instead, an error is logged (visible in kubectl get events):

system 0s Warning   BackendError managedcertificate/iap googleapi: Error 400: The ssl_certificate resource 'projects/project/global/sslCertificates/mcrt-uuid' is already being used by 'projects/project/global/targetHttpsProxies/k8s2-etc', resourceInUseByAnotherResource

My ManagedCertificate object (sans managedFields, etc):

apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: iap
  namespace: system
spec:
  domains:
  - tool1.ops.company.internal
  - tool2.ops.company.internal
  - tool3.ops.company.internal
  - tool4.ops.company.internal
  - new-domain-not-working.ops.company.internal
status:
  certificateName: mcrt-uuid
  certificateStatus: Active
  domainStatus:
  - domain: tool1.ops.company.internal
    status: Active
  - domain: tool2.ops.company.internal
    status: Active
  - domain: tool3.ops.company.internal
    status: Active
  - domain: tool4.ops.company.internal
    status: Active
  expireTime: "2021-08-30T17:34:11.000-07:00"

The certificate is indeed in use, however I expected to be able to add a new domain to the certificate. IIRC, this worked a long while back, but I don't remember exactly when (unfortunately).

If this is intended I'd like to request an update to the controller that either rejects the attempt to add a domain to the list or shows the error in the ManagedCertificate status object.

krzykwas commented 3 years ago

It is impossible to update the underlying GCP SslCertificate object; instead the current one must be deleted and a new one created from scratch. This is what the automation tries to do, however it can't proceed until the current underlying GCP certificate is released.

Implementing an admission controller that would block updates to ManagedCertificate was considered; however, it would require a significant amount of work, and the decision was not to do it.
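Since the controller does not surface this condition in the ManagedCertificate status, an operator has to correlate spec.domains, status.domainStatus and the BackendError event themselves. The check below is an added example, not code from this issue or from the gke-managed-certs project; it assumes the object and events are fed in as the JSON that kubectl emits, and constructs the object and event from this issue inline.

```python
# Added example (not from the issue or the gke-managed-certs project): flag a
# ManagedCertificate whose spec.domains drifted from the domains its issued
# certificate covers, and whether a BackendError event explains the stall.
from typing import Dict, List

# Constructed from the object posted in the issue (managedFields etc. omitted).
SAMPLE_MCRT: Dict = {
    "metadata": {"name": "iap", "namespace": "system"},
    "spec": {"domains": [
        "tool1.ops.company.internal", "tool2.ops.company.internal",
        "tool3.ops.company.internal", "tool4.ops.company.internal",
        "new-domain-not-working.ops.company.internal"]},
    "status": {"certificateName": "mcrt-uuid", "certificateStatus": "Active",
               "domainStatus": [{"domain": f"tool{i}.ops.company.internal",
                                 "status": "Active"} for i in range(1, 5)]},
}
# Constructed event, copied from the kubectl get events line in the issue.
SAMPLE_EVENTS: List[str] = [
    "system 0s Warning BackendError managedcertificate/iap googleapi: Error 400: "
    "The ssl_certificate resource 'projects/project/global/sslCertificates/mcrt-uuid' "
    "is already being used by 'projects/project/global/targetHttpsProxies/k8s2-etc', "
    "resourceInUseByAnotherResource",
]

def pending_domains(mcrt: Dict) -> List[str]:
    """Domains requested in spec that the issued certificate does not serve yet."""
    active = {d["domain"] for d in mcrt.get("status", {}).get("domainStatus", [])
              if d.get("status") == "Active"}
    return [d for d in mcrt["spec"]["domains"] if d not in active]

def stale_domains(mcrt: Dict) -> List[str]:
    """Domains still on the issued certificate after being removed from spec."""
    wanted = set(mcrt["spec"]["domains"])
    return [d["domain"] for d in mcrt.get("status", {}).get("domainStatus", [])
            if d["domain"] not in wanted]

def in_use_error(events: List[str], mcrt: Dict) -> bool:
    """True if a BackendError for this object says the old cert is still attached."""
    tag = f"managedcertificate/{mcrt['metadata']['name']}"
    return any(tag in e and "resourceInUseByAnotherResource" in e for e in events)

def assess(mcrt: Dict, events: List[str]) -> Dict:
    """Summarise drift; 'stuck' means spec changed but the rotation is blocked."""
    pending, stale = pending_domains(mcrt), stale_domains(mcrt)
    blocked = in_use_error(events, mcrt)
    return {"pending": pending, "stale": stale, "blocked": blocked,
            "stuck": bool(pending or stale) and blocked}
```

Run it against `kubectl get managedcertificate -A -o json` and `kubectl get events -A` output to alert on objects whose "stuck" flag is set; the same check covers domains removed from spec that the live certificate still carries.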

dpkirchner commented 3 years ago

Ok, thanks.