@pydevops
Last active August 10, 2023 09:20
Create a GCP managed TLS certificate for the GKE ingress

GKE ingress in a nutshell

Solution #1 (ManagedCertificate CRD in GKE)

  • GKE with Google-managed SSL certificates
    • Use the ManagedCertificate CRD to create a ManagedCertificate object that lists the domains the certificate should cover. The object must live in the same namespace as the Ingress that uses it.
    • Associate the ManagedCertificate object with an Ingress by adding the annotation networking.gke.io/managed-certificates to the Ingress. The annotation value is a comma-separated list of ManagedCertificate names, for example cert1,cert2,cert3.
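The two steps above as a complete pair of manifests, added here as a worked example (this is not code from the original gist). The names ci-example, ci.example.com, the ci namespace and the jenkins-ui Service are assumptions that follow the rest of the gist; the static-IP annotation is optional and assumes an address reserved beforehand with gcloud compute addresses create ci-ip --global.

```yaml
# Added example, not from the original gist. Names are assumptions.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: ci-example
  namespace: ci          # must be the Ingress's namespace
spec:
  domains:
    # No wildcards: ManagedCertificate only accepts fully qualified names.
    # Each name must resolve to the Ingress's IP before Google can issue the cert.
    - ci.example.com
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ci
  namespace: ci
  annotations:
    # Comma-separated ManagedCertificate names from the same namespace.
    networking.gke.io/managed-certificates: ci-example
    # Without this, ingress-gce also creates a plaintext HTTP (port 80)
    # forwarding rule next to the HTTPS one.
    kubernetes.io/ingress.allow-http: "false"
    # Optional (assumed address): pin the load balancer IP so the DNS record
    # keeps working if the Ingress is ever deleted and re-created.
    kubernetes.io/ingress.global-static-ip-name: ci-ip
spec:
  defaultBackend:
    service:
      name: jenkins-ui
      port:
        number: 8080
# Apply with:   kubectl apply -f ci-ingress.yaml
# Then watch:   kubectl -n ci describe managedcertificate ci-example
# "Certificate Status" moves from Provisioning to Active once the domain's
# DNS record points at the Ingress address shown by kubectl -n ci get ingress ci.
```

Until the status is Active the load balancer has no usable certificate, so the first HTTPS connections after apply will fail; that is expected, not a misconfiguration, as long as the Domain Status does not report a failure.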

Solution #2 (Google Cloud SSL Certificate)

Assumption

Assumes you are using the default L7 GLBC ingress controller (ingress-gce), which is the default for GKE clusters.

Create a certificate

# A Google-managed certificate for the external (global) load balancer that the GKE Ingress creates
gcloud compute ssl-certificates create ci-example --domains=ci.example.com --global

List certificates

gcloud compute ssl-certificates list

Check certificate provisioning status

gcloud compute ssl-certificates describe ci-example --global

The output shows managed.status for the certificate (PROVISIONING, then ACTIVE) and managed.domainStatus for each domain. With a correct configuration, provisioning typically takes 30 to 60 minutes. The certificate stays in PROVISIONING, and the domain can report FAILED_NOT_VISIBLE, until two conditions hold: the certificate is attached to a target HTTPS proxy (which happens once the Ingress below references it), and the domain's DNS A/AAAA record points at the load balancer's IP. So the working order is: create the certificate, create the Ingress that references it, point DNS at the Ingress address, then wait.

Configure the GKE Ingress with a pre-shared certificate

# networking.k8s.io/v1beta1 Ingress was removed in Kubernetes 1.22; this is the v1 form
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ci
  namespace: ci
  annotations:
    # name of the Compute Engine SSL certificate created above (comma-separated for several)
    ingress.gcp.kubernetes.io/pre-shared-cert: 'ci-example'
spec:
  defaultBackend:
    service:
      name: jenkins-ui
      port:
        number: 8080

The ingress.gcp.kubernetes.io/pre-shared-cert annotation is read by ingress-gce, which attaches the named Compute Engine SSL certificate(s) to the target HTTPS proxy it creates for the Ingress. The certificate must be a global certificate in the cluster's project. Note that ingress-gce still creates a plaintext HTTP forwarding rule for the same Ingress unless you also set the annotation kubernetes.io/ingress.allow-http: "false".

Solution #3 (Kubernetes TLS secrets)

# the secret must be in the Ingress's namespace (ci here)
kubectl -n ci create secret tls ci-example \
    --cert ci-example.pem --key ci-example-key.pem

The Ingress then references the secret through spec.tls[].secretName, and ingress-gce uploads the key pair as a Compute Engine SSL certificate attached to the Ingress's target HTTPS proxy. Unlike the first two solutions, renewal is your job: ingress-gce picks up an updated secret, but nothing renews the certificate for you, and the private key is stored in the cluster's Secret store.

SNI with multiple certificates
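A single Ingress serving two hostnames from two Kubernetes TLS secrets, added here as a worked example for both Solution #3 and SNI (this is not code from the original gist). The secret names, hostnames and the docs Service are assumptions; the secrets are assumed to have been created with kubectl -n ci create secret tls as shown above, one per hostname.

```yaml
# Added example, not from the original gist. Names are assumptions.
# Assumed to exist already:
#   kubectl -n ci create secret tls ci-example   --cert ci-example.pem   --key ci-example-key.pem
#   kubectl -n ci create secret tls docs-example --cert docs-example.pem --key docs-example-key.pem
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ci
  namespace: ci
  annotations:
    # no plaintext HTTP listener next to the HTTPS one
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
    # ingress-gce uploads each secret as a Compute Engine SSL certificate and
    # attaches all of them to the Ingress's target HTTPS proxy (subject to the
    # per-proxy certificate limit). Certificate selection happens in the load
    # balancer: it matches the client's SNI hostname against each certificate's
    # CN/SANs, so the tls.hosts field does not drive the choice. The first entry
    # is the default served to clients that send no SNI.
    - secretName: ci-example      # certificate for ci.example.com
    - secretName: docs-example    # certificate for docs.example.com
  rules:
    - host: ci.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: jenkins-ui
                port:
                  number: 8080
    - host: docs.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: docs
                port:
                  number: 80
# Verify which certificate each hostname gets (assumed LB IP shown by kubectl -n ci get ingress ci):
#   openssl s_client -connect <LB_IP>:443 -servername ci.example.com   </dev/null | openssl x509 -noout -subject
#   openssl s_client -connect <LB_IP>:443 -servername docs.example.com </dev/null | openssl x509 -noout -subject
```

Because the load balancer matches on the certificates' own names, a certificate whose SANs do not cover the hostname it is meant for will silently fall through to the default certificate; the openssl check above is the quickest way to catch that before changing DNS.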

@nsainaney

I tried solution 2; however, I kept getting FAILED_NOT_VISIBLE because you have to create a google_compute_target_ssl_proxy or a google_compute_target_https_proxy according to the [Use Google-managed SSL certificates](https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs) guide. I wanted all routes defined in the Ingress and don't have access in k8s to the backend service generated in gcloud.

@pydevops

pydevops commented Apr 3, 2023

@nsainaney The gist was written in 2018 and is probably out of date by now.

@nsainaney

Thanks @pydevops; nonetheless, it was quite helpful. I thought I'd leave a note for others in case they get stuck with option 2.
