# GKE Ingress with Public HTTPS Global Load Balancer
Imported from Confluence
Content may be outdated. Verify before following any procedures. Last updated: March 2023
## Summary
This page shows how you can use Ingress objects to create external load balancers with Google-managed SSL certificates. These certificates are Domain Validation (DV) certificates that Google provisions, renews, and manages for your domain names.
Info: A domain validated (DV) certificate is a TLS certificate for which the applicant's right to the domain name is validated by demonstrating control over the DNS domain.
## Steps
### 1. First you need a dedicated global IP address; we reserve it via Terraform
Deployment example: appgrowthplatform (Gitlab)
Config example: appgrowthplatform (Gitlab)
~/repos/ cat direct-iac/terraform/configs/prod/external-ip-addresses/global/terragrunt.hcl
```hcl
terraform {
  source = "${local.common_locals.terraform_library_git_url}//deployments/external-ip-addresses/v0.0.1"
}
include {
  path = find_in_parent_folders()
}
locals {
  common_locals = yamldecode(file(find_in_parent_folders("common_locals.yaml")))
}
inputs = {
  external_addresses = [
    "test-ip"
  ]
}
```
### 2. Then create a Cloud DNS zone and an A record in it that points at this IP address
Deployment example: appgrowthplatform (Gitlab)
Config example:
~/repos/ tail -20 direct-iac/terraform/configs/prod/cloud-dns/us-east1/terragrunt.hcl
```hcl
###
### TEST.FYBER.COM
###
// "test.fyber.com" = {
//   name       = "test"
//   type       = "public"
//   domain     = "test.fyber.com."
//   recordsets = [
//     {
//       name    = "test"
//       type    = "A"
//       ttl     = 300
//       records = [
//         dependency.external-ip-addresses.outputs.ip["test-ip"],
//       ]
//     },
//   ]
// },
  }
}
```
### 3. Configure DNS validation on dnsmadeeasy
As usual, add the NS records that Google provides for the zone created in step 2 to the dedicated delegation form in the dnsmadeeasy console.
### 4. Create a ManagedCertificate resource in the same namespace where the application is running (we use Helm for that)
Example chart: appgrowthplatform (Gitlab)
Example config: appgrowthplatform (Gitlab)
~/repos/ cat direct-iac/helm/config/managed-certificates/gke-core-direct-prod-useast1/values.yaml
```yaml
certificates:
  - name: test-fyber-com
    namespace: test
    domains:
      - test.fyber.com
```
### 5. Deploy the Ingress with the appropriate annotations
- Note the `kubernetes.io/ingress.class: "gce"` annotation: it is mandatory, since we want to use GKE's built-in Ingress controller
- Use the name you set in step 1 for `kubernetes.io/ingress.global-static-ip-name: "test-ip"`
- Use the name you set in step 4 for `networking.gke.io/managed-certificates: "test-fyber-com"`
Example:
```yaml
# networking.k8s.io/v1beta1 Ingress was removed in Kubernetes 1.22; the v1 form is shown.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.global-static-ip-name: "test-ip"
    networking.gke.io/managed-certificates: "test-fyber-com"
spec:
  rules:
    - host: test.fyber.com
      http:
        paths:
          # GCE Ingress path syntax; requires pathType ImplementationSpecific
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: test-service
                port:
                  number: 80
```
### 6. Validate the certificate (either on the GCP side or the Kubernetes side)
~/ gcloud compute ssl-certificates list
```
NAME                                       TYPE     CREATION_TIMESTAMP             EXPIRE_TIME                    MANAGED_STATUS
mcrt-f223dae8-075b-4555-a45b-ab4d9c3cf8f2  MANAGED  2023-03-01T04:14:23.492-08:00  2023-05-30T05:14:25.000-07:00  ACTIVE
    test.fyber.com: ACTIVE
```
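The checks below are an added example (POSIX sh, not from the original page or the appgrowthplatform repository) that tie the steps together: they parse the `gcloud compute ssl-certificates list` table from step 6, compare the DNS A record answer with the reserved IP, and verify that the Ingress annotations from step 5 name the static IP and ManagedCertificate created in steps 1 and 4. The function names, the stdin-based interface and the constructed IP 203.0.113.10 in the usage comments are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): post-deployment checks for the
# setup above. Each function reads a command's output on stdin so the logic
# can be exercised on captured text; in real use, pipe the live command in.

# Status of one domain from the table printed by
# `gcloud compute ssl-certificates list` (step 6). Certificate rows are
# followed by "<domain>: <STATUS>" lines; anything other than ACTIVE usually
# means the A record does not yet resolve to the load balancer IP.
# Usage: gcloud compute ssl-certificates list | managed_cert_status test.fyber.com
managed_cert_status() {
  awk -v want="$1:" '$1 == want { print $2; found = 1 } END { exit !found }'
}

# Value of one annotation in the Ingress manifest (step 5), quotes stripped.
# Usage: annotation_value kubernetes.io/ingress.global-static-ip-name < ingress.yaml
annotation_value() {
  awk -v key="$1:" '$1 == key { gsub(/"/, "", $2); print $2; exit }'
}

# True when the answer of `dig +short A <domain>` is exactly the reserved IP
# (constructed example value: 203.0.113.10).
# Usage: dig +short A test.fyber.com | a_record_is 203.0.113.10
a_record_is() {
  answer=$(cat)
  [ "$answer" = "$1" ]
}

# Wiring check across the steps: the Ingress must use the gce class and
# reference the static IP reserved in step 1 and the ManagedCertificate
# created in step 4. Prints each mismatch; exit status is non-zero if any.
# Usage: check_wiring ingress.yaml test-ip test-fyber-com
check_wiring() {
  manifest=$1 ip_name=$2 cert_name=$3 rc=0
  got_class=$(annotation_value kubernetes.io/ingress.class < "$manifest")
  got_ip=$(annotation_value kubernetes.io/ingress.global-static-ip-name < "$manifest")
  got_cert=$(annotation_value networking.gke.io/managed-certificates < "$manifest")
  [ "$got_class" = gce ] || { echo "ingress.class is '$got_class', expected gce"; rc=1; }
  [ "$got_ip" = "$ip_name" ] || { echo "global-static-ip-name is '$got_ip', expected $ip_name"; rc=1; }
  [ "$got_cert" = "$cert_name" ] || { echo "managed-certificates is '$got_cert', expected $cert_name"; rc=1; }
  return $rc
}
```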
## Extras
### GCP side article
Google Cloud - How To Managed Certs
### Ticket under which we performed the initial implementation
DEVOPSBLN-3216