将 cert-manager 证书移动到另一个 Kubernetes 集群

Question

I'm in the process of moving web services from one Kubernetes cluster to another. The goal is to do that without service interruption.

This is difficult with cert-manager and HTTP challenges, because cert-manager on the new cluster can only retrieve a certificate once the DNS entry points to that cluster. However, if I switch the DNS entry to the new cluster, clients will potentially talk to the new cluster before a valid certificate has been generated. This is like a chicken-and-egg problem.

How do I move the cert-manager certificates to the new cluster, so that it already has the certs once I make the DNS switch?

Answer 1

Certificates are stored in Kubernetes secrets. Cert-manager will pick up existing secrets instead of creating new ones, if the secret matches the ingress object.

So assuming that the ingress object looks the same on both clusters, and that the same namespace is used, copying the secret is as simple as this:

kubectl --context OLD_CLUSTER -n NAMESPACE get secret SECRET_NAME --output yaml \
  | kubectl --context NEW_CLUSTER -n NAMESPACE apply -f -

• Replace OLD_CLUSTER and NEW_CLUSTER with the kubectl context names of the respective clusters (see kubectl config get-contexts ).
• Replace SECRET_NAME with the name of the secret where the certificate is stored. This name can be found in the ingress.
• Replace NAMESPACE with the actual namespace that you're using.

The command simply exports the secret in YAML format, and then uses kubectl apply -f to create the same resource in the new cluster.

Once the ingress is in place on the new cluster, you can verify that the cert works by using openssl s_client :

openssl s_client -connect CLUSTER_IP:443 -servername SERVICE_DNS_NAME 

Again, replace CLUSTER_IP and SERVICE_DNS_NAME accordingly.