Create an L7 Ingress resource, which triggers the creation of an L7 Virtual Server. When the certificate is then rotated using the following steps, NCP replaces the existing (old) certificate.
If you already have an Ingress resource, you can skip the following steps and go to the REPLACE CERT section.
Create Ingress:
- Create an L7 Ingress resource as below:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    kubernetes.io/ingress.class: "nsx"
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
Run the following command once the file ingress.yaml is populated with the preceding content:
kubectl apply -f ingress.yaml
Confirm the Ingress creation using the following command:
kubectl get ingress -A
- Confirm that the L7 HTTP Virtual Server exists in NSX-T Manager: go to NSX Manager Networking -> Load Balancing -> Virtual Servers and filter for Type L7 HTTP.
- Rotate the certificate using the REPLACE CERT section below.
- Confirm that the new certificate is imported and that the old certificate has been automatically removed in NSX Manager under System -> Certificates.
- Delete the Ingress created in step 1:
kubectl delete -f ingress.yaml
Note: this should not require any restart of NCP.
REPLACE CERT:
- Generate a CSR from the vCenter UI under Cluster -> Configure -> Supervisor Cluster -> Certificates -> NSX Load Balancer pane -> Actions > Generate CSR.
- Provide the details for the certificate. Once the CSR is generated, click Copy.
- Copy the CSR to the vCenter appliance to get it signed by VMCA (if you use a custom CA, you can have the CSR signed by your own CA instead).
- Execute: /usr/lib/vmware-vmca/bin/certool --gencertfromcsr --csrfile cert.csr --cert lb-renew.crt
- Copy the content of lb-renew.crt and paste it under Actions > Replace Certificate.
- Check NSX Manager -> System -> Certificates. The new certificate should be visible.
Note: if you did not create the Ingress initially (did not follow the Create Ingress steps) and went directly to REPLACE CERT, there will be two certificates in NSX Manager. Follow the workaround below to delete the old certificate.
Workaround:
(to delete the old certificate if it is still present, per the Note after step 6 of the REPLACE CERT section)
- In NSX Manager, copy the ID of the old certificate named lb-domain-#### and issued to defaultingress.local under System -> Certificates. Alternatively, fetch it with a "GET /policy/api/v1/infra/certificates/" API call and compare the pem_encoded or _create_time fields in the returned JSON.
- Use the following API call to remove the expiring certificate. NSX performs a dependency check and blocks the deletion if the certificate is still in use anywhere.
curl -k -u 'admin:<NSX_admin_Password>' -X DELETE https://<NSX_Manager>/policy/api/v1/infra/certificates/<Certificate_ID> -H "X-Allow-Overwrite:true"
- Restart the NCP pod, either by touching the NCP deployment or by deleting the NCP pod. This is required to sync the NCP certificate cache and prevents the stale certificate from being referenced in future L7 Virtual Server creation calls.
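As an added example (not part of this article), a script that automates the comparison described in the workaround: it parses the JSON returned by the GET call, keeps only the lb-domain-* entries, identifies the entry whose pem_encoded matches the renewed certificate, and lists the remaining IDs oldest first, refusing to proceed if the renewed certificate is not found. The response body and PEM strings are constructed sample data; the host and password placeholders are the same as in the curl command above.

```python
import json

# Constructed sample of a GET /policy/api/v1/infra/certificates/ response,
# trimmed to the fields this script uses (a real response carries many more).
SAMPLE_RESPONSE = json.dumps({"results": [
    {"id": "lb-domain-0001", "display_name": "lb-domain-0001",
     "_create_time": 1700000000000,  # epoch milliseconds
     "pem_encoded": "-----BEGIN CERTIFICATE-----\nOLD-PLACEHOLDER\n-----END CERTIFICATE-----\n"},
    {"id": "lb-domain-0002", "display_name": "lb-domain-0002",
     "_create_time": 1710000000000,
     "pem_encoded": "-----BEGIN CERTIFICATE-----\nNEW-PLACEHOLDER\n-----END CERTIFICATE-----\n"},
    {"id": "ncp-cluster-cert", "display_name": "ncp-cluster-cert",
     "_create_time": 1690000000000,
     "pem_encoded": "-----BEGIN CERTIFICATE-----\nOTHER-PLACEHOLDER\n-----END CERTIFICATE-----\n"},
]})

# The PEM that was pasted under Actions > Replace Certificate (constructed).
RENEWED_PEM = "-----BEGIN CERTIFICATE-----\nNEW-PLACEHOLDER\n-----END CERTIFICATE-----\n"


def find_stale_lb_certs(response_json, renewed_pem, prefix="lb-domain-"):
    """Return IDs of lb-domain-* certificates other than the renewed one, oldest first.

    Raises if the renewed PEM is not present exactly once, so the script never
    proposes deleting the only load balancer certificate in the inventory.
    """
    results = json.loads(response_json)["results"]
    lb_certs = [c for c in results if c.get("display_name", "").startswith(prefix)]
    match = [c for c in lb_certs if c["pem_encoded"].strip() == renewed_pem.strip()]
    if len(match) != 1:
        raise ValueError(f"expected one certificate matching the renewed PEM, found {len(match)}")
    stale = [c for c in lb_certs if c is not match[0]]
    stale.sort(key=lambda c: c["_create_time"])  # oldest first
    return [c["id"] for c in stale]


def delete_command(nsx_manager, cert_id):
    """Render the DELETE call from the workaround for one certificate ID.
    NSX still performs its own dependency check before removing it."""
    return (f"curl -k -u 'admin:<NSX_admin_Password>' -X DELETE "
            f"https://{nsx_manager}/policy/api/v1/infra/certificates/{cert_id} "
            f"-H 'X-Allow-Overwrite:true'")


if __name__ == "__main__":
    for cert_id in find_stale_lb_certs(SAMPLE_RESPONSE, RENEWED_PEM):
        print(delete_command("<NSX_Manager>", cert_id))
```

Review the printed commands before running them; the ncp-cluster-cert entry is ignored because it does not carry the lb-domain- prefix.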