apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    kubernetes.io/ingress.class: "nsx"
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
Once the file ingress.yaml is populated with the above content, run the following command:
- kubectl apply -f ingress.yaml
Confirm that the ingress was created using the following command:
- kubectl get ingress -A
2. Confirm that an L7 HTTP Virtual Server exists on NSX-T Manager. In NSX Manager, go to Networking -> Load Balancing -> Virtual Servers and filter for Type L7 HTTP.
3. Rotate the certificate using the REPLACE CERT section below.
4. Confirm that the new certificate is imported; the old certificate should be removed automatically. Check in NSX Manager under System -> Certificates.
5. Delete the ingress created in step 1:
- kubectl delete -f ingress.yaml
Note: This should not require any restart of NCP.
REPLACE CERT:
1. Generate a CSR from the vCenter UI under Cluster -> Configure -> Supervisor Cluster -> Certificates -> NSX Load Balancer pane -> Actions -> Generate CSR.
2. Provide the details for the certificate. Once the CSR is generated, click Copy.
3. Copy the CSR to vCenter to get it signed by VMCA (if you are using a custom CA, you can get the CSR signed by your own CA).
4. Execute /usr/lib/vmware-vmca/bin/certool --gencertfromcsr --csrfile cert.csr --cert lb-renew.crt
5. Copy the content of lb-renew.crt and use it as the replacement under Actions -> Replace Certificate.
6. Check NSX Manager -> System -> Certificates. The new certificate should appear.
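A check that can be run between steps 4 and 5, before the certificate is pasted into Replace Certificate (an added example, not part of the original article): it confirms that lb-renew.crt was issued for the key in cert.csr and is not about to expire. It assumes the openssl CLI is available where the two files are; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload checks for the renewed NSX load balancer certificate.
# cert.csr and lb-renew.crt are the file names from steps 3-4; function names are hypothetical.

# Print the SHA-256 digest of the public key in a CSR ($1=req) or certificate ($1=x509).
pubkey_digest() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# $1 = CSR, $2 = signed certificate, $3 = minimum remaining validity in seconds (default 1 day)
# Returns 0 = OK, 1 = key mismatch, 2 = unreadable input, 3 = expired or expiring too soon.
check_renewed_cert() {
    csr_d=$(pubkey_digest req "$1") || { echo "cannot read CSR $1" >&2; return 2; }
    crt_d=$(pubkey_digest x509 "$2") || { echo "cannot read certificate $2" >&2; return 2; }
    if [ "$csr_d" != "$crt_d" ]; then
        echo "MISMATCH: $2 was not issued for the key in $1" >&2
        return 1
    fi
    if ! openssl x509 -in "$2" -noout -checkend "${3:-86400}" >/dev/null; then
        echo "EXPIRING: $2 is not valid for another ${3:-86400}s" >&2
        return 3
    fi
    # Show what is about to be uploaded so it can be compared in NSX Manager afterwards.
    openssl x509 -in "$2" -noout -subject -issuer -enddate
}

# Run against the files from steps 3-4 when they are present in the current directory.
if [ -f cert.csr ] && [ -f lb-renew.crt ]; then
    check_renewed_cert cert.csr lb-renew.crt
fi
```

A non-zero exit means the signed file should not be uploaded: 1 indicates it was signed from a different CSR, 3 that it is already expired or expires within the given window.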
Note: If you did not create the Ingress initially (that is, you did not follow the Create Ingress steps and went directly to REPLACE CERT), there will be two certificates on NSX Manager. Follow the workaround below to delete the old certificate.