https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
Special thanks to @dannyzen from Google for helping Collaborizm move to GCP. He did help with this post but neither he nor Google endorse its methods.
Currently there are two main options:
- You can create certs and add them to your ingress controller - you'll need to manage your own certs, which seems antiquated post Lets Encrypt
- Install a certificate provisioning system on your cluster such as Cert Manager - involves installing extra apps on your cluster, which you'll have to maintain and pay for
There is a third solution: Google Managed SSL Certs
- They auto renew
- Offload all SSL handling to Google's Load Balancer (which every GKE cluster uses)
- Lower infrastructure costs
Downsides:
- In beta and not covered by an SLA
- Use with GKE not fully documented (hence this guide)
Proceed with caution!!!
This guide uses an undocumented GKE annotation.
Create a new GKE project for this to not pollute anything you have in production.
Use gcloud init
to create a configuration.
If you have trouble taming your configurations check out my other repo, it's a small script to help switch configs based on a .gcloudrc file.
Clone this repo, we'll be using some YAML from it:
$ git clone [email protected]:rlancer/google-managed-certs-gke.git
$ cd gke-https
Create a Cluster, for this demo the cluster only needs one small node:
$ gcloud container clusters create https-demo-cluster --zone us-central1-c --machine-type g1-small --num-nodes 1
>>
NAME LOCATION MASTER_VERSION MASTER_IP MACHINE_TYPE NODE_VERSION NUM_NODES STATUS
https-demo-cluster us-central1-c 1.9.7-gke.6 35.226.141.220 n1-standard-1 1.9.7-gke.6 3 RUNNING
Connect Kubectl:
$ gcloud container clusters get-credentials https-demo-cluster --zone us-central1-c
>> kubeconfig entry generated for https-demo-cluster.
Apply configs:
$ kubectl apply -f demo-app.yaml
$ kubectl apply -f demo-svc.yaml
$ kubectl apply -f demo-ing.yaml
Get the IP address of your Ingress Controller:
Within a few minutes for the IP address should appear
$ kubectl get ingress -w
>>
NAME HOSTS ADDRESS PORTS AGE
demo-ing * 80 9s
demo-ing * 35.241.35.109 80 68s
Visit the IP address in your browser. Hit refresh if does not appear. It may as long as 10 minutes for the app to be fully available.
The app is simply outputting the name of the host it's running on.
Create the Google Managed Cert:
$ gcloud beta compute ssl-certificates create "demo-gmang-cert" --domains demo-gman.collaborizm.com
Get existing URL Maps:
There should only be one URL Map and you'll need the value under NAME when creating the target proxy in the next step
$ gcloud compute url-maps list
>>
NAME DEFAULT_SERVICE
k8s-um-default-demo-ing--3287e1f664ff7581 backendServices/k8s-be-31012--3287e1f664ff7581
Create the HTTPS Target Proxy. Make sure to sub out --url-map with your value:
$ gcloud compute target-https-proxies create https-target --url-map=URL_MAP_VALUE_FROM_ABOVE --ssl-certificates=demo-gmang-cert
>>
Created [https://www.googleapis.com/compute/v1/projects/kube-https-demo/global/targetHttpsProxies/https-target].
NAME SSL_CERTIFICATES URL_MAP
https-target demo-gmang-cert k8s-um-default-demo-ing--3287e1f664ff7581
Create a Global Static IP Address:
$ gcloud compute addresses create static-https-ip --global --ip-version IPV4
>> Created [https://www.googleapis.com/compute/v1/projects/kube-https-demo/global/addresses/static-https-ip].
Create a Global Forwarding Rule linking youre newly created IP Address:
$ gcloud compute forwarding-rules create https-global-forwarding-rule --global --ip-protocol=TCP --ports=443 --target-https-proxy=https-target --address static-https-ip
Adjust the Service to include the Target Proxy, edit demo-svc.yaml to include the target-proxy Annotation. This is undocumented, could be a bad move...
apiVersion: v1
kind: Service
metadata:
name: demo-svc
# Add this annotation
annotations:
ingress.kubernetes.io/target-proxy: https-target
spec:
type: NodePort
selector:
run: https-demo
ports:
- name: http
protocol: TCP
port: 333
targetPort: 9376
Apply the new Service:
$ kubetl apply -f demo-svc.yaml
Get the IP Address assigned to the Target Proxy:
$ gcloud compute addresses list
>>
NAME REGION ADDRESS STATUS
static-https-ip 35.227.227.95 IN_USE
Create an A Record with the IP Address (on CloudFlare we turned off proxying, hence the gray cloud)
Watch to see if your Cert has been provisioned, this could take as long as half an hour:
$ watch gcloud beta compute ssl-certificates list
>>
demo-gmang-cert MANAGED 2018-10-29T10:47:05.450-07:00 2019-01-27T09:48:20.000-08:00 ACTIVE
demo-gman.collaborizm.com: ACTIVE
Next visit https://demo-gman.collaborizm.com in your browser and you should see your GKE app running with a Google Managed Cert.
Start or join a project on Collaborizm! Our partnership with GCP could net you a few grand in credits.