Migrate Kubernetes environments without interruption

Hello,

I am in the process of migrating a Kubernetes cluster from Google to AWS. My environment is stable and working, with all services using Let's Encrypt certificates with nginx and cert-manager.

I use Helm to deploy my apps, and the problem I am facing is: how can I deploy my apps on my new Kubernetes environment while the IP addresses are not yet pointing to this new environment? My issuer is the following:

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: my-issuer
  namespace: ns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: dev@domain.com
    privateKeySecretRef:
      name: my-issuer
    solvers:
    - selector: {}
      http01:
        ingress:
          class: nginx

If I try to deploy the ingress on the new environment with the address (which is currently pointing to the old environment), it will fail. How can I have both environments working in parallel when the address points to only one server? The idea is to be able to easily migrate when the new environment is set up by changing the DNS.

What is the best practice for that? I couldn't find any documentation/tutorial about that.

Any help is appreciated.

Hi @natcohen, welcome to the LE community forum :slight_smile:

In general, the problem can be simplified, in some cases, by using a wildcard cert.
And almost always by copying the entire contents of the ACME client (directory and cert files) from one system to another.

In the specific case of cert-manager, there may be some preferred/recommended methods.
Like: I found this on their site...

@rg305 Thanks for the quick response, but I'm not sure I understand... is it supposed to work with a wildcard as ingress.host='*.domain.com'? What should I add in the DNS? Did I understand correctly?


The reference to wildcard was to say that it would be much easier to make the transition if all the names being covered fit into a single wildcard cert.
I don't know your specific case, but that information is there for all that may read this (later on).
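As an added illustration (not posted by either participant, and not cert-manager's own documentation) of the two suggestions above, here is what a wildcard setup looks like with cert-manager when the new cluster cannot yet receive HTTP traffic for the domain. An HTTP-01 solver needs Let's Encrypt to reach the Ingress through the public DNS name, so it can only succeed on the cluster the name currently points to. A DNS-01 solver proves control by publishing a TXT record instead, so issuance works on the new cluster before the cut-over, and DNS-01 is also the only way to obtain a wildcard certificate. The example assumes the domain's zone is hosted in AWS Route 53 and that an IAM access key exists whose permissions are limited to that hosted zone; the zone ID, region, access key, and the Secret/Issuer/Certificate names are placeholders, not values from the thread. The apiVersion matches the one the poster already uses.

```yaml
# Added example (not from the thread): DNS-01 wildcard issuance with cert-manager.
# Assumed: domain.com is hosted in AWS Route 53. The hosted zone ID, region,
# access key ID and the Secret holding the secret access key are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: route53-credentials          # assumed name
  namespace: ns
type: Opaque
stringData:
  secret-access-key: "<IAM secret access key>"   # placeholder, never commit a real key
---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: my-issuer-dns                # assumed name, kept separate from the HTTP-01 issuer
  namespace: ns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: dev@domain.com
    privateKeySecretRef:
      name: my-issuer-dns            # ACME account key; copy this Secret to reuse the account
    solvers:
    - selector:
        dnsZones:
        - domain.com                 # only names under this zone use the DNS-01 solver
      dns01:
        route53:
          region: us-east-1          # assumed
          hostedZoneID: ZXXXXXXXXXXXXX   # placeholder
          accessKeyID: AKIAEXAMPLE       # placeholder
          secretAccessKeySecretRef:
            name: route53-credentials
            key: secret-access-key
---
# One Certificate covering the apex and the wildcard; cert-manager stores the
# issued key pair in the Secret named by secretName.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: wildcard-domain-com          # assumed name
  namespace: ns
spec:
  secretName: wildcard-domain-com-tls
  dnsNames:
  - "domain.com"
  - "*.domain.com"
  issuerRef:
    name: my-issuer-dns
    kind: Issuer
---
# The Ingress on the new cluster references that Secret directly and carries no
# cert-manager issuer annotation, so cert-manager does not attempt an HTTP-01
# challenge that would fail while DNS still points at the old cluster.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: app                          # assumed name
  namespace: ns
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - app.domain.com
    secretName: wildcard-domain-com-tls
  rules:
  - host: app.domain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: app           # assumed Service name
          servicePort: 80
```

The same pattern covers the "copy the ACME client contents" suggestion: with cert-manager, the equivalent of the client directory is the account key Secret named in privateKeySecretRef plus the TLS Secrets named by each Ingress's tls.secretName. Exporting those Secrets from the old cluster (with the cluster-specific metadata such as uid and resourceVersion removed) and applying them in the new namespace lets the new Ingresses serve the existing certificates immediately, and avoids re-issuing the same names, which counts against Let's Encrypt's duplicate-certificate rate limit. Once DNS has been switched, the original HTTP-01 Issuer works on the new cluster as well and can be used for renewals.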
