Migrate kubernetes environments without interruption

natcohen · September 13, 2021, 5:03pm

Hello,

I am in the process of migrating a kubernetes cluster from Google to AWS. My environment is stable and working with all services using let's encrypt certificates with nginx and cert-manager.

I use helm to deploy my apps and the problem I am facing is: how can I deploy my apps on my new kubernetes environment while the IP addresses are not yet pointing to this new environment? My issuer is the following:

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: my-issuer
  namespace: ns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: dev@domain.com
    privateKeySecretRef:
      name: my-issuer
    solvers:
    - selector: {}
      http01:
        ingress:
          class: nginx

If I try to deploy the ingress on the new environment with the address (which is currently pointing to the old environment), it will fail. How can I have both environment working in parallel with only one server pointed by the address? The idea is to be able to easily migrate when the new environment is set up by changing the DNS.

What is the best practice for that? I couldn't find any documentation/tuto about that.

Any help is appreciated

rg305 · September 13, 2021, 5:14pm

Hi @natcohen, welcome to the LE community forum

In general, the problem can be simplified, in some cases, by using a wildcard cert.
And almost always by copying the entire contents of the ACME client (directory and cert files) from one system to another.

In the specific case of cert-manager, there may be some preferred/recommended methods.
Like: I found this on their site...

natcohen · September 13, 2021, 5:28pm

@rg305 Thanks for the quick response but I'm not sure to understand... it's supposed to work with a wildcard as an ingress.host='*.domain.com'? What should I add in the DNS? Did I understand correctly?

rg305 · September 13, 2021, 5:33pm

The reference to wildcard was to say that it would be much easier to make the transition if all the names being covered fit into a single wildcard cert.
I don't know your specific case, but that information is there for all that may read this (later on).

system · October 13, 2021, 5:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cert-Manager, Letsencrypt in Kubernetes not giving me a Certification Help	2	4867	April 28, 2023
Changing validation challenge from http to dns Help	1	906	December 18, 2019
When I had try to generate SSL through acme2 Help	13	1095	May 16, 2021
Issue with certificate using cert-manager Kubernetes Help	3	2007	April 29, 2020
Question about using the same account from multiple systems Issuance Tech	5	981	September 15, 2023

Migrate kubernetes environments without interruption

Related topics