Where do I create google-managed SSL certificate for kubernetes cluster deployment?

I'm trying to set up SSL on my site. I deployed to an autopilot kubernetes cluster. I have a domain through Google Domains which has DNS pointing to my kubernetes exposed ip with an A record. I've found at least two different places in GCP so far that seem to guide me through creating a Google-managed SSL cert, but neither of them is working. One is through app engine, I don't believe that's what I need to use. The other is through Network Services -> Load balancing. I'm starting to think that is also not what I should be using. Where do I go?


Solution 1:

One is through app engine, I don't believe that's what I need to use.

You're right, it's definitely the wrong direction. As you don't use App Engine but Kubernetes Engine, that's not the part of the docs you're interested in.

You should start with this article in the official GCP Docs. The missing piece of the puzzle is an Ingress resource, which you need to create to expose your app externally. As you can see, it's part of the Google Kubernetes Engine docs:

Google Kubernetes Engine (GKE) > Documentation > Guides

As you can read in the above mentioned article:

Note: This feature is only available with Ingress for External HTTP(S) Load Balancing.

about which you can read more in this section.

As everything is nicely described in the docs, I'll only emphasize the key points here.

First, check your GKE version and make sure you use the correct API version to create ManagedCertificate custom resource:

You configure Google-managed SSL certificates using a ManagedCertificate custom resource, which is available in different API versions, depending on your GKE cluster version:

  • ManagedCertificate v1beta2 API is available in GKE cluster versions 1.15 and later.
  • ManagedCertificate v1 API is available in GKE cluster versions 1.17.9-gke.6300 and later.

Although GKE clusters currently support ManagedCertificate v1beta1 API, this API version is deprecated and will be removed in future GKE versions. It's recommended that you use a newer API version.

In essence, creating an Ingress with a Google-managed certificate comes down to these two basic steps:

  • Create a ManagedCertificate object.
  • Associate the ManagedCertificate object to an Ingress by adding an annotation networking.gke.io/managed-certificates to the Ingress. This annotation is a comma-separated list of ManagedCertificate resources, cert1,cert2,cert3 for example.

which is described in detail here.

Also pay special attention to prerequisites:

  • You must own the domain name. The domain name must be no longer than 63 characters. You can use Google Domains or another registrar.

This one you've already met.

  • Your "kubernetes.io/ingress.class" must be "gce".
  • Create a reserved (static) external IP address. Reserving a static IP address guarantees that it remains yours, even if you delete the Ingress. If you do not reserve an address, it may change requiring you to reconfigure your domain's DNS records. Use gcloud command-line tool or the Cloud Console to create a reserved IP address.

The last one is particularly important if you don't want to reconfigure your domain at a later point in time.
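The steps above (reserve a global static IP, create a ManagedCertificate, attach it to a gce-class Ingress via the annotation) put together as one script. This is an added example, not code from the question, the answer or the GKE docs; the domain example.com, the names site-cert and site-ip, and the Service web on port 80 are hypothetical placeholders. The script renders the manifests and runs a preflight check on the prerequisites the answer lists; the gcloud and kubectl calls only run when DO_APPLY=1 is set, so the rest can be tried without a cluster.

```shell
#!/bin/sh
# Added example (not from the question, the answer or the GKE docs).
# Hypothetical values: domain example.com, ManagedCertificate "site-cert",
# reserved global address "site-ip", Service "web" on port 80.
set -eu

DOMAIN="${DOMAIN:-example.com}"
CERT_NAME="${CERT_NAME:-site-cert}"
IP_NAME="${IP_NAME:-site-ip}"
SERVICE_NAME="${SERVICE_NAME:-web}"
SERVICE_PORT="${SERVICE_PORT:-80}"

# ManagedCertificate v1 (GKE 1.17.9-gke.6300 and later). One domain, <= 63 chars.
render_managed_cert() {
  name="$1"; domain="$2"
  cat <<EOF
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: ${name}
spec:
  domains:
    - ${domain}
EOF
}

# Ingress for External HTTP(S) Load Balancing: ingress.class must be gce,
# global-static-ip-name points at the reserved address so the IP survives
# deleting the Ingress, and managed-certificates is a comma-separated list
# of ManagedCertificate names.
render_ingress() {
  cert="$1"; ip="$2"; svc="$3"; port="$4"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${svc}-ingress
  annotations:
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.global-static-ip-name: ${ip}
    networking.gke.io/managed-certificates: ${cert}
spec:
  defaultBackend:
    service:
      name: ${svc}
      port:
        number: ${port}
EOF
}

# Preflight: the mistakes that leave the certificate stuck in Provisioning.
# Prints "ok" and returns 0 when the two manifests satisfy the prerequisites.
check_manifests() {
  cert_yaml="$1"; ingress_yaml="$2"
  domain=$(printf '%s\n' "$cert_yaml" | awk '/^ *- /{print $2; exit}')
  cert=$(printf '%s\n' "$cert_yaml" | awk '/^  name:/{print $2; exit}')
  [ "${#domain}" -le 63 ] \
    || { echo "domain '$domain' is longer than 63 characters"; return 1; }
  printf '%s\n' "$ingress_yaml" | grep -q 'kubernetes.io/ingress.class: gce' \
    || { echo "kubernetes.io/ingress.class must be gce"; return 1; }
  printf '%s\n' "$ingress_yaml" \
    | grep -Eq "networking.gke.io/managed-certificates: ([^,]+,)*${cert}(,|$)" \
    || { echo "Ingress does not reference ManagedCertificate '$cert'"; return 1; }
  printf '%s\n' "$ingress_yaml" | grep -q 'kubernetes.io/ingress.global-static-ip-name: ' \
    || { echo "Ingress has no reserved static IP"; return 1; }
  echo ok
}

# Real cluster actions; only run with DO_APPLY=1.
apply_all() {
  # Reserve the address first and point the domain's A record at it.
  gcloud compute addresses create "$IP_NAME" --global
  gcloud compute addresses describe "$IP_NAME" --global --format='value(address)'
  render_managed_cert "$CERT_NAME" "$DOMAIN" | kubectl apply -f -
  render_ingress "$CERT_NAME" "$IP_NAME" "$SERVICE_NAME" "$SERVICE_PORT" | kubectl apply -f -
  # Status moves from Provisioning to Active once DNS resolves to the LB IP.
  kubectl describe managedcertificate "$CERT_NAME"
}

CERT_YAML=$(render_managed_cert "$CERT_NAME" "$DOMAIN")
ING_YAML=$(render_ingress "$CERT_NAME" "$IP_NAME" "$SERVICE_NAME" "$SERVICE_PORT")
check_manifests "$CERT_YAML" "$ING_YAML"
[ "${DO_APPLY:-0}" = 1 ] && apply_all
```

Run the preflight with the placeholders overridden for your site (DOMAIN=... CERT_NAME=... sh deploy.sh), point the A record at the address gcloud prints, then rerun with DO_APPLY=1. Expect the certificate to sit in Provisioning for a while after apply; it only becomes Active once the domain resolves to the load balancer's reserved IP, which is why reserving the address before changing DNS matters.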