Skip to content

rlancer/google-managed-certs-gke

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

52 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

UPDATE — This guide has been deprecated! Refer to:

https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs

How to use Google Managed SSL Certificates on GKE

Special thanks to @dannyzen from Google for helping Collaborizm move to GCP. He did help with this post but neither he nor Google endorse its methods.

Getting HTTPS working on GKE can be challenging

Currently there are two main options:

There is a third solution: Google Managed SSL Certs

  • They auto renew
  • Offload all SSL handling to Google's Load Balancer (which every GKE cluster uses)
  • Lower infrastructure costs

Downsides:

  • In beta and not covered by an SLA
  • Use with GKE not fully documented (hence this guide)

Proceed with caution!!!

This guide uses an undocumented GKE annotation.

Part 1 · Setup a Cluster

Create a new GKE project for this to not pollute anything you have in production.

Use gcloud init to create a configuration. If you have trouble taming your configurations check out my other repo, it's a small script to help switch configs based on a .gcloudrc file.

Clone this repo, we'll be using some YAML from it:

$ git clone [email protected]:rlancer/google-managed-certs-gke.git
$ cd gke-https

Create a Cluster, for this demo the cluster only needs one small node:

$ gcloud container clusters create https-demo-cluster --zone us-central1-c --machine-type g1-small --num-nodes 1

>>
NAME                LOCATION       MASTER_VERSION  MASTER_IP       MACHINE_TYPE   NODE_VERSION  NUM_NODES  STATUS
https-demo-cluster  us-central1-c  1.9.7-gke.6     35.226.141.220  n1-standard-1  1.9.7-gke.6   3          RUNNING

Connect Kubectl:

$ gcloud container clusters get-credentials https-demo-cluster --zone us-central1-c 

>> kubeconfig entry generated for https-demo-cluster.

Apply configs:

$ kubectl apply -f demo-app.yaml
$ kubectl apply -f demo-svc.yaml
$ kubectl apply -f demo-ing.yaml

Get the IP address of your Ingress Controller:

Within a few minutes for the IP address should appear

$ kubectl get ingress -w 

>>  
NAME       HOSTS    ADDRESS             PORTS       AGE
demo-ing   *                            80          9s
demo-ing   *        35.241.35.109       80          68s

Visit the IP address in your browser. Hit refresh if does not appear. It may as long as 10 minutes for the app to be fully available.

The app is simply outputting the name of the host it's running on.

host name app running on HTTP

Part 2 · Hook up the Google Managed Cert

Create the Google Managed Cert:

$ gcloud beta compute ssl-certificates create "demo-gmang-cert" --domains demo-gman.collaborizm.com

Get existing URL Maps:

There should only be one URL Map and you'll need the value under NAME when creating the target proxy in the next step

$ gcloud compute url-maps list

>>
NAME                                       DEFAULT_SERVICE
k8s-um-default-demo-ing--3287e1f664ff7581  backendServices/k8s-be-31012--3287e1f664ff7581

Create the HTTPS Target Proxy. Make sure to sub out --url-map with your value:

$ gcloud compute target-https-proxies create https-target --url-map=URL_MAP_VALUE_FROM_ABOVE --ssl-certificates=demo-gmang-cert

>> 
Created [https://www.googleapis.com/compute/v1/projects/kube-https-demo/global/targetHttpsProxies/https-target].

NAME          SSL_CERTIFICATES  URL_MAP
https-target  demo-gmang-cert   k8s-um-default-demo-ing--3287e1f664ff7581

Create a Global Static IP Address:

$ gcloud compute addresses create static-https-ip --global --ip-version IPV4

>> Created [https://www.googleapis.com/compute/v1/projects/kube-https-demo/global/addresses/static-https-ip].

Create a Global Forwarding Rule linking youre newly created IP Address:

$ gcloud compute forwarding-rules create https-global-forwarding-rule --global --ip-protocol=TCP --ports=443 --target-https-proxy=https-target --address static-https-ip 

Adjust the Service to include the Target Proxy, edit demo-svc.yaml to include the target-proxy Annotation. This is undocumented, could be a bad move...

apiVersion: v1
kind: Service
metadata:
  name: demo-svc
  # Add this annotation
  annotations:
    ingress.kubernetes.io/target-proxy: https-target
spec:
  type: NodePort
  selector:
    run: https-demo
  ports:
  - name: http
    protocol: TCP
    port: 333
    targetPort: 9376

Apply the new Service:

$ kubetl apply -f demo-svc.yaml

Get the IP Address assigned to the Target Proxy:

$ gcloud compute addresses list
 
>>
NAME             REGION  ADDRESS        STATUS
static-https-ip          35.227.227.95  IN_USE

Create an A Record with the IP Address (on CloudFlare we turned off proxying, hence the gray cloud)

dns entry CloudFlare

Watch to see if your Cert has been provisioned, this could take as long as half an hour:

$ watch gcloud beta compute ssl-certificates list

>>
demo-gmang-cert  MANAGED  2018-10-29T10:47:05.450-07:00  2019-01-27T09:48:20.000-08:00  ACTIVE
    demo-gman.collaborizm.com: ACTIVE

Next visit https://demo-gman.collaborizm.com in your browser and you should see your GKE app running with a Google Managed Cert.

successful

Interested in Google Cloud Platform?

Start or join a project on Collaborizm! Our partnership with GCP could net you a few grand in credits.

About

DEPRECATED: How to use Google Managed SSL Certificates on GKE

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published