Script updates CLB type ingress Certificate in tke cluster

Usually we tke Carry out inside 7 Layer service exposure , It can be used nginx ingress and clb Type of ingress, If you use it clb type ingress, Need to be in tke This way secret Configure the certificate on Tencent cloud , When your certificate expires or does not exist , Configuration error , It can lead to ingress Synchronize rules to clb Failure , As a result, an exception occurs when accessing the domain name , At this time, we need to be right in tke This update ingress Certificate id To solve this problem .

Let's use a simple script to update with one click ingress Certificate id.

Script one click Update ingress The certificate must have the following conditions

• from https://console.cloud.tencent.com/ssl Obtain correct and valid certificates id
• The client machine can use kubectl Access cluster

When the above conditions are met , Here we only need to copy the following script to the corresponding machine for execution ,update-ingress-certificate-id.sh The script is as follows

Script tips ：shell Introduce variables in single quotation marks , You only need to embed single quotation marks inside single quotation marks to use variables

#!/bin/bash

ingress_name=$1
ns=$2
certificate_id=$3

if [ $# = 0 ];then
  echo "Run 'sh update-ingress-certificate-id.sh --h' for more information on a command."
fi

if [[ $1 = "--h" ]];then
  echo "Please enter the first parameter is the name of ingress, the second parameter is the namespace, and the third parameter is the certificate id.

Usage: sh update-ingress-certificate-id.sh [ingress_name] [namespace] [certificate_id]"
fi

main(){

secret_name=`kubectl get ingress -n $ns $ingress_name -o=jsonpath='{.spec.tls[*].secretName}'`

base64_result=`echo -n $certificate_id | base64`

kubectl patch secret $secret_name -n $ns --type='json' -p='[{"op": "replace", "path": "/data/qcloud_cert_id", "value":'$base64_result'}]'

}

if [ $# = 3 ];then

main

fi

Let's test the script , Suppose I want to update the correct Certificate id yes lI7vOSLM, First look at the present secret Certificate id How much is the

[[email protected] script]# kubectl get ingress -n ingress-test test-ingress -o=jsonpath='{.spec.tls[*].secretName}'
grpc-leq8zgsw
[[email protected] script]# kubectl get secret grpc-leq8zgsw -o=jsonpath='{.data.qcloud_cert_id}' -n ingress-test | base64 -d
lEq8zGsW

current ingress certificate id yes lEq8zGsW, Let's update it with a script

[[email protected] script]# sh -x  update-ingress-certificate-id.sh test-ingress ingress-test lI7vOSLM
+ ingress_name=test-ingress
+ ns=ingress-test
+ certificate_id=lI7vOSLM
+ '[' 3 = 0 ']'
+ [[ test-ingress = \-\-\h ]]
+ '[' 3 = 3 ']'
+ main
++ kubectl get ingress -n ingress-test test-ingress '-o=jsonpath={.spec.tls[*].secretName}'
+ secret_name=grpc-leq8zgsw
++ base64
++ echo -n lI7vOSLM
+ base64_result=bEk3dk9TTE0=
+ echo bEk3dk9TTE0=
bEk3dk9TTE0=
+ kubectl patch secret grpc-leq8zgsw -n ingress-test --type=json '-p=[{"op": "replace", "path": "/data/qcloud_cert_id", "value":bEk3dk9TTE0=}]'
secret/grpc-leq8zgsw patched

The script has been updated successfully , We get the certificate id, See if the certificate is correct idlI7vOSLM

[[email protected] script]# kubectl get ingress -n ingress-test test-ingress -o=jsonpath='{.spec.tls[*].secretName}'
grpc-leq8zgsw
[[email protected] script]# kubectl get secret grpc-leq8zgsw -o=jsonpath='{.data.qcloud_cert_id}' -n ingress-test | base64 -d
lI7vOSLM

From the results obtained , here ingress The certificate has been successfully updated to lI7vOSLM.