Blog was originally published on medium (https://medium.com/goglides/ssl-certificates-using-google-managed-certificate-on-gke-c4bc43f5cbf2)
Note: Managed certificates require clusters with masters running Kubernetes 1.12.6-gke.7 or higher.
In goglides.com we started allowing users to map custom domain names to Tenants URL also. One of the challenges we were facing initially when we started implementing solutions is how to issue an SSL certificate for the custom domain name automatically so that we can establish a secure connection for Tenants.
Issuing and managing a certificate is not a trivial task, especially if you are trying to build the solutions from scratch. Luckily, Goglides is running on Kubernetes so it became trivial to implement a solution.
There are so many ways we can issue certificates, in this blog we are focusing on K8S cluster running on Google (GKE) using a custom resource called ManagedCertificate and ingress rules.
Clarifying Terms
Before we jump into solutions, let’s start with explaining some of the technology we are using here,
Ingress
As per the official definition,
Ingress is an, API object that manages external access to the services in a cluster, typically HTTP. Ingress can provide load balancing, SSL termination, and name-based virtual hosting.
One of the main use cases of ingress is, it allows users to access Kubernetes services from outside the Kubernetes cluster.
Ingress has 2 parts, ingress controller (there are many controllers) and ingress rules. We create ingress rules and we need a controller that satisfies and process those rules. Only applying ingress rules does not affect the cluster.
Google-managed SSL certificate
Managed Certificate is a Custom Resource object created by google. This CRD allows users to automatically acquire an SSL certificate from a Certificate Authority, configure certificate on the load balancer and auto-renew it on time when it’s expired.
The process is super simple and users only need to provide a domain for which they want to obtain a certificate.
Prerequisites
- You must own the domain name and name must be no longer than 63 characters. In this example, we are going to use a subdomain (gke.goglides.com)
- Create a reserved (static) external IP address using the following command, or use google console. Here I am using
gke-goglides-static-ip
as IP address identifier which we are going to use later. It can be anything.
gcloud compute addresses create gke-goglides-static-ip --global gcloud compute addresses \ describe gke-goglides-static-ip --global \ --format='value(address)'
Add DNS A-record with static IP address
Create DNS record ahead so that google certificate authority can validate ownership of the domain, issue certificates and attached it to load balancer using managed certificate features.
Setting up the managed certificate in GKE
Now, let’s start with creating Kubernetes resources.
- Create Managed Certificate
cat <<EOF | kubectl apply -f - --- apiVersion: networking.gke.io/v1beta1 kind: ManagedCertificate metadata: name: gke-goglides-certificate spec: domains: - gke.goglides.com EOF
You can check the status of a certificate using the following command
kubectl describe managedcertificate gke-goglides-certificate
- Create Deployment
cat <<EOF | kubectl apply -f - --- apiVersion: apps/v1 kind: Deployment metadata: labels: run: gke-goglides name: hello-world spec: selector: matchLabels: run: gke-goglides replicas: 1 template: metadata: labels: run: gke-goglides spec: containers: - name: hello-world image: nginx:1.15.8 ports: - containerPort: 80 protocol: TCP EOF
Create a Service Object
cat<<EOF | kubectl apply -f - --- apiVersion: v1 kind: Service metadata: labels: run: gke-goglides name: hello-world-service spec: ports: - port: 80 protocol: TCP targetPort: 80 selector: run: gke-goglides type: NodePort EOF
Create Ingress
cat <<EOF | kubectl apply -f - --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: gke-goglides-ingress annotations: kubernetes.io/ingress.global-static-ip-name: gke-goglides-static-ip networking.gke.io/managed-certificates: gke-goglides-certificate spec: backend: serviceName: hello-world-service servicePort: 80 EOF
This took ~10–20min to become active. Verify that SSL is working by visiting your domain using the https:// prefix.
curl https://gke.goglides.com
You should see the following outputs.
</head> <body> <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> <p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/> Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p> </body> </html>