Google Managed SSL Certificates on Kubernetes
Alex Vallejo
Posted on March 7, 2022
Prerequisites: This overview gives a straightforward path to putting a Google-managed SSL certificate in front of an application hosted on GKE. It assumes you have already created a Deployment that runs your container image, and that the gcloud command-line tool is installed, since we'll use it to reserve the load balancer address right from the terminal. One note on the names used throughout: they are placeholders. Kubernetes object names and Compute Engine resource names must be lowercase (letters, digits and hyphens), so substitute your own lowercase names when you apply these manifests.
SSL certificate deployments range from a simple certbot run to a manually installed managed wildcard certificate. For an application hosted on Google Cloud on Kubernetes, you can certainly install and manage your own certificates through the platform, or you can use a Google-managed SSL certificate, which handles provisioning and automatic renewal for you. It's actually extremely easy to do:
managed-cert.yml
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: myCert
spec:
  domains:
    - myDomain.com
Create the cert
kubectl apply -f managed-cert.yml
Note the limitation here: wildcard domains are not supported, so every hostname the certificate should cover has to be listed explicitly under domains (Google-managed certificates accept up to 100 non-wildcard domains per certificate), and issuance will not complete until each listed domain resolves to the load balancer we are about to create.
That's it as far as the certificate object goes: the ManagedCertificate now exists in the cluster, and issuance starts once it is attached to an Ingress and the domain resolves to that Ingress's IP address. Next we'll attach the certificate to an Ingress, which will route the traffic for our domain. An Ingress object defines the rules for routing HTTP and HTTPS traffic; on GKE, creating one provisions an external HTTP(S) load balancer that terminates TLS and forwards requests to the appropriate Services.
We'll want our domain to resolve to a fixed address, so we'll reserve a global static IP and give it a name we can reference from the Ingress:
gcloud compute addresses create myApp-ip --global
You can look the address up with gcloud compute addresses describe myApp-ip --global
or navigate to VPC network / External IP addresses in the console
and find the IP listed as Static. You can point your DNS A record at this IP now (the managed certificate will not be issued until that record is in place), but we still need an Ingress object to map our HTTP and HTTPS traffic onto it.
Before we create the Ingress, we'll create a Service of type NodePort to sit between the public-facing load balancer and our application pods. A NodePort Service exposes the pods it selects on a port of every node in the cluster; the GKE Ingress controller uses that node port as the load balancer's backend (container-native load balancing with NEGs is the alternative, but it isn't needed here). The Service selects pods by label, so whatever port our application listens on can be mapped to the port the Ingress will route to, and as the Deployment scales up or down the Service's set of backend pods follows automatically.
nodeport.yml
apiVersion: v1
kind: Service
metadata:
  name: myApp-service
spec:
  type: NodePort
  selector:
    app: myApp-workload
  ports:
    - name: myApp-port
      protocol: TCP
      port: 80
      targetPort: 5000
Create the NodePort
kubectl apply -f nodeport.yml
The targetPort is whatever port our application is listening on (5000 here), and port is the port the Service exposes. Because our Ingress will route traffic to the Service on port 80, that's the mapping we declare. The selector must match the labels on the Deployment's pods, or the Service will have no endpoints and the load balancer health checks will fail. Lastly, we'll configure the Ingress object that ties this all together.
ingress.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myApp-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: myApp-ip
    networking.gke.io/managed-certificates: myCert
spec:
  rules:
    - host: myDomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myApp-service
                port:
                  name: myApp-port
Create the Ingress
kubectl apply -f ingress.yml
The two annotations must match, exactly, the names we used above: the static IP reserved with gcloud (myApp-ip) and the ManagedCertificate (myCert). A wrong name there produces no error from kubectl apply, just a certificate that never provisions, so it is worth double-checking. Note also the apiVersion: the older extensions/v1beta1 Ingress (with serviceName and servicePort under backend) was removed in Kubernetes 1.22, so the networking.k8s.io/v1 form with pathType and backend.service is the one to use.
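The three objects above reference each other only by name, and a typo in an annotation or a port name is not an apply-time error, only a certificate that sits in Provisioning forever. Here is the pre-flight check I would run before kubectl apply. It is an added example, not code from the original post: the manifests are embedded as Python dicts (the structure PyYAML's safe_load gives for the YAML files) with the post's placeholder names lowercased, and the check function, its messages and the mismatched_ingress helper are my own.

```python
import copy
import re

# Kubernetes requires metadata.name to be a lowercase RFC 1123 subdomain.
RFC1123_SUBDOMAIN = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")
CERT_ANNOTATION = "networking.gke.io/managed-certificates"
IP_ANNOTATION = "kubernetes.io/ingress.global-static-ip-name"
ALLOW_HTTP_ANNOTATION = "kubernetes.io/ingress.allow-http"

# Constructed manifests mirroring the post's three objects, names lowercased.
CERT = {
    "apiVersion": "networking.gke.io/v1", "kind": "ManagedCertificate",
    "metadata": {"name": "my-cert"},
    "spec": {"domains": ["mydomain.com"]},
}
SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "my-app-service"},
    "spec": {"type": "NodePort", "selector": {"app": "my-app-workload"},
             "ports": [{"name": "my-app-port", "protocol": "TCP", "port": 80, "targetPort": 5000}]},
}
INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "my-app-ingress", "annotations": {
        IP_ANNOTATION: "my-app-ip",
        CERT_ANNOTATION: "my-cert",
        ALLOW_HTTP_ANNOTATION: "false",   # do not serve plaintext on port 80
    }},
    "spec": {"rules": [{"host": "mydomain.com", "http": {"paths": [{
        "path": "/", "pathType": "Prefix",
        "backend": {"service": {"name": "my-app-service", "port": {"name": "my-app-port"}}},
    }]}}]},
}


def check_manifests(cert, service, ingress):
    """Return a list of problems; an empty list means the three objects agree."""
    problems = []
    for obj in (cert, service, ingress):
        name = obj["metadata"]["name"]
        if len(name) > 253 or not RFC1123_SUBDOMAIN.match(name):
            problems.append(f"{obj['kind']} name {name!r} is not a lowercase RFC 1123 subdomain")

    domains = cert["spec"].get("domains", [])
    if not 1 <= len(domains) <= 100:
        problems.append("ManagedCertificate must list between 1 and 100 domains")
    for domain in domains:
        if "*" in domain:
            problems.append(f"wildcard domain {domain!r} is not supported by Google-managed certificates")

    annotations = ingress["metadata"].get("annotations", {})
    referenced = [c.strip() for c in annotations.get(CERT_ANNOTATION, "").split(",") if c.strip()]
    if cert["metadata"]["name"] not in referenced:
        problems.append(f"Ingress {CERT_ANNOTATION} annotation {referenced} "
                        f"does not name {cert['metadata']['name']!r}")
    if not annotations.get(IP_ANNOTATION):
        problems.append("Ingress has no global static IP annotation; the load balancer IP "
                        "could change and break the DNS record")
    if str(annotations.get(ALLOW_HTTP_ANNOTATION, "true")).lower() != "false":
        problems.append("plaintext HTTP is still served on port 80 (set "
                        "kubernetes.io/ingress.allow-http: \"false\" or add an HTTPS redirect)")

    if service["spec"].get("type") != "NodePort":
        problems.append("backend Service must be type NodePort for a GKE external Ingress")
    port_names = {p.get("name") for p in service["spec"].get("ports", [])}
    port_numbers = {p.get("port") for p in service["spec"].get("ports", [])}
    for rule in ingress["spec"].get("rules", []):
        if rule.get("host") not in domains:
            problems.append(f"Ingress host {rule.get('host')!r} is not covered by the certificate")
        for path in rule.get("http", {}).get("paths", []):
            backend = path["backend"]["service"]
            if backend["name"] != service["metadata"]["name"]:
                problems.append(f"path {path.get('path')!r} routes to unknown Service {backend['name']!r}")
            port = backend.get("port", {})
            if "name" in port and port["name"] not in port_names:
                problems.append(f"backend port name {port['name']!r} is not defined on the Service")
            if "number" in port and port["number"] not in port_numbers:
                problems.append(f"backend port {port['number']} is not defined on the Service")
    return problems


def mismatched_ingress():
    """An Ingress whose annotations were copied from another project (a common slip)."""
    bad = copy.deepcopy(INGRESS)
    bad["metadata"]["annotations"] = {IP_ANNOTATION: "showcase-static", CERT_ANNOTATION: "other-cert"}
    return bad


if __name__ == "__main__":
    for label, ing in (("consistent", INGRESS), ("mismatched", mismatched_ingress())):
        print(label, check_manifests(CERT, SERVICE, ing) or "OK")
```

Run it as-is to see the consistent set pass and the mismatched one report the dangling certificate reference and the open port 80; to check your real files, load each with yaml.safe_load and pass the resulting dicts.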
This is exciting. We've deployed our Ingress object and we're ready to check the provisioning status of our SSL certificate.
kubectl describe managedcertificate myCert
The Status section shows Certificate Status (Provisioning until issuance completes, then Active) and a per-domain Domain Status. A domain stuck at FailedNotVisible means its DNS record does not yet resolve to the load balancer IP we reserved, which is by far the most common reason a certificate never becomes Active. Once DNS is in place, provisioning can take anywhere from about 15 minutes to an hour. One last thing worth knowing: the Ingress as written still answers plaintext HTTP on port 80. To force HTTPS, either set the annotation kubernetes.io/ingress.allow-http: "false" on the Ingress, or attach a FrontendConfig with redirectToHttps enabled so the load balancer redirects HTTP requests to HTTPS.
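To gate a deployment pipeline on that status rather than eyeballing kubectl describe, the same object can be read as JSON with kubectl get managedcertificate NAME -o json. The following is an added example, not code from the original post: it classifies the status, maps the controller's per-domain failure codes to what they mean in practice, and polls until the certificate is Active. The three JSON snapshots are constructed to illustrate the Provisioning, FailedNotVisible and Active states, and kubectl_fetch is the only function that talks to a cluster.

```python
import json
import subprocess
import time

# Constructed snapshots of `kubectl get managedcertificate my-cert -o json`,
# trimmed to the fields this check reads. Illustrations, not real cluster output.
PROVISIONING = json.dumps({
    "kind": "ManagedCertificate", "metadata": {"name": "my-cert"},
    "status": {"certificateStatus": "Provisioning",
               "domainStatus": [{"domain": "mydomain.com", "status": "Provisioning"}]},
})
NOT_VISIBLE = json.dumps({
    "kind": "ManagedCertificate", "metadata": {"name": "my-cert"},
    "status": {"certificateStatus": "Provisioning",
               "domainStatus": [{"domain": "mydomain.com", "status": "FailedNotVisible"}]},
})
ACTIVE = json.dumps({
    "kind": "ManagedCertificate", "metadata": {"name": "my-cert"},
    "status": {"certificateStatus": "Active", "expireTime": "2022-06-05T00:00:00Z",
               "domainStatus": [{"domain": "mydomain.com", "status": "Active"}]},
})

# Per-domain failure statuses the ManagedCertificate controller reports and
# what each usually means when you hit it.
FAILURE_HINTS = {
    "FailedNotVisible": "DNS for the domain does not resolve to the Ingress load balancer IP",
    "FailedCaaChecking": "CAA lookup for the domain failed; check the DNS zone",
    "FailedCaaForbidden": "a CAA record forbids issuance by Google's CA (pki.goog)",
    "FailedRateLimited": "issuance for this domain is rate limited; wait and retry later",
}


def classify(doc_json):
    """Reduce the object's status to ('active' | 'failed' | 'provisioning', [details])."""
    status = json.loads(doc_json).get("status", {})
    per_domain = {d["domain"]: d.get("status", "Provisioning")
                  for d in status.get("domainStatus", [])}
    failed = {dom: st for dom, st in per_domain.items() if st.startswith("Failed")}
    if failed:
        return "failed", [f"{dom}: {st} ({FAILURE_HINTS.get(st, 'see kubectl describe')})"
                          for dom, st in failed.items()]
    if status.get("certificateStatus") == "Active":
        return "active", [f"expires {status.get('expireTime', 'unknown')}"]
    return "provisioning", [f"{dom}: {st}" for dom, st in per_domain.items()]


def wait_until_active(fetch, poll_seconds=30, max_polls=120, sleep=time.sleep):
    """Poll fetch() until the certificate is Active or a domain fails.

    Returns (state, details, polls). fetch returns the JSON text of the object;
    sleep is injectable so the loop can be exercised without actually waiting.
    """
    for polls in range(1, max_polls + 1):
        state, details = classify(fetch())
        if state != "provisioning":
            return state, details, polls
        sleep(poll_seconds)
    return "timeout", [f"still provisioning after {max_polls} polls"], max_polls


def kubectl_fetch(name):
    """Read the live object from the current kubectl context."""
    return subprocess.run(["kubectl", "get", "managedcertificate", name, "-o", "json"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # python check_cert.py my-cert
        print(wait_until_active(lambda: kubectl_fetch(sys.argv[1])))
    else:                                       # offline demo on the constructed snapshots
        snapshots = iter([PROVISIONING, PROVISIONING, ACTIVE])
        print(wait_until_active(lambda: next(snapshots), sleep=lambda s: None))
        print(classify(NOT_VISIBLE))
```

In a pipeline, a non-zero exit on the failed or timeout states stops the rollout before traffic is cut over; the FailedNotVisible hint in particular saves the usual half hour of wondering whether the certificate is just slow.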