GKE: Setting up HTTP(S) on ingress using pre-shared certificate

Key Intouch
4 min read · Mar 8, 2021


Let’s get straight into the problem I found and why I decided to write this post. I have come across some projects where I needed to use GKE (Google Kubernetes Engine), and I had a hard time finding tutorials on how to install SSL on an ingress. This post is a short guide on how to create an ingress that uses a pre-shared certificate.

https://www.bestinternet.co.th/service_view.php?id=6

Creating a Deployment

This is a simple deployment file. The deployment has three pods and each pod has one container. The container runs the image “image-name” and listens on TCP port 5000.

Creating a service

A NodePort service directs traffic to pods and exposes the service on a static port. The selector field specifies that any pod labeled “app: app-name” is a member of the service.

Buy a domain

Google Domain

In this case, I used Google Domains to buy a domain. You can buy a domain from your preferred website.

Get an SSL certificate

To enable HTTPS and allow secure connections between the server and the browser, an SSL certificate must be installed on the server.

https://veracompadria.com/en/google-chrome-68-protect-website-ssl-certificates/

There are many ways to obtain an SSL certificate. If you have trouble deciding between a free and a paid certificate, you can read this page: https://cheapsslsecurity.com/blog/free-ssl-vs-paid-ssl-certificates-why-pay-for-ssl-certificate/.

In this post, I will be using https://freessl.org to get a certificate for my domain. First, you need to register an account; then you can proceed to the following steps.

After that, select the free option and click on “Next step”. To verify that we are the owner of the domain, I used the option “CNAME”.

Add a CNAME record

Since I bought the domain from Google Domains, I will be adding the CNAME record there.

Simply put the auth key in the first field and the auth value in the domain value field. After that, click add. This step might take over 48 hours to update the record.

Verify domain ownership

Go back to the website freessl and click on verify domain to check if the verification is done. If successful, you will be able to download the certificate as a ZIP file.

Creating a global static IP

To expose the application using an ingress, we need to reserve a static IP for it.

gcloud compute addresses create my-app-ip --global

This creates a global static IP address named “my-app-ip”.

gcloud compute addresses describe my-app-ip --global

The output will be the static address reserved.

Create certificate resource

Unzip the certificate folder and navigate to the folder on your laptop.

gcloud compute ssl-certificates create my-app-ingress-cer \
--certificate my-website.pem --private-key my-website.key

Replace my-website.pem and my-website.key accordingly with your certificate and key file.

gcloud compute ssl-certificates list

This lists your certificate resources.

Create an ingress

  • kubernetes.io/ingress.global-static-ip-name is the name of the static IP you reserved
  • ingress.gcp.kubernetes.io/pre-shared-cert is the name of the certificate resource you created
  • Replace www.my-website.page with your website.
  • Replace “app-name” with your app name.
  • Replace 5000 with your service port.
  • The ingress will route external traffic to the service specified.
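
A manifest that these annotations and replacements fit into, as an added example that is not the author's original file. It reuses the names from the commands above (my-app-ip, my-app-ingress-cer, app-name, port 5000, www.my-website.page); the Ingress name my-app-ingress, the networking.k8s.io/v1 API version and the allow-http annotation are assumptions added here.

```yaml
# Added example, not the author's original manifest.
# Names taken from the article: app-name, port 5000, my-app-ip,
# my-app-ingress-cer, www.my-website.page.
apiVersion: v1
kind: Service
metadata:
  name: app-name
spec:
  type: NodePort              # NodePort service, as described in the article
  selector:
    app: app-name             # pods labeled app: app-name back this service
  ports:
    - port: 5000
      targetPort: 5000        # container port from the deployment
---
apiVersion: networking.k8s.io/v1   # assumption: cluster serves the v1 Ingress API
kind: Ingress
metadata:
  name: my-app-ingress        # hypothetical name
  annotations:
    # Name of the reserved global static IP (gcloud compute addresses create)
    kubernetes.io/ingress.global-static-ip-name: my-app-ip
    # Name of the certificate resource (gcloud compute ssl-certificates create)
    ingress.gcp.kubernetes.io/pre-shared-cert: my-app-ingress-cer
    # Not in the article: disables the plain-HTTP (port 80) frontend so the
    # load balancer serves the site over HTTPS only
    kubernetes.io/ingress.allow-http: "false"
spec:
  rules:
    - host: www.my-website.page
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: app-name
                port:
                  number: 5000
```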

Add an A record

For browsers to be able to resolve your domain name, the DNS records of your domain must be updated. You can do this by adding an A record that points to the static IP address you reserved.

  • First field: subdomain, ex: www
  • Second field: The global static ip you reserved


Key Intouch

Senior Software Engineer @ LINE MAN Wongnai. Interested in Back-end, DevOps, Data pipeline.