Deploying a service with HTTPS and DNS inside Google Cloud

How to use GCE to deploy an HTTPS service?

Intro

This post is the second post of a series called Continuous Integration on Google Cloud.

This post assumes that you have already done the first step, meaning that you have a pod and a service declared inside your Kubernetes configuration. If that is not the case, please do the first step first.

https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

SSL Certificate

Create an SSL Starter certificate

https://domain-center.1and1.fr/domains-ssa/domains/index#4,sslSettings

Download Certificate, Intermediate Certificate and Private Key

Create SSL Secret

You must create a secret in order to use our SSL Certificate.

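  • Go to Network services -> LoadBalancer -> Select the Ingress loadbalancer -> Edit -> Frontend Configuration.
  • Add an HTTPS frontend IP and port.
  • Select HTTPS and create the certificate using the downloaded files.
  • Concatenate the intermediate certificate and the public certificate into a single file, then create the secret from it:
# Append the intermediate certificate after the server certificate (server certificate first)
cat web_ssl_certificate_INTERMEDIATE.cer >> web_ssl_certificate.cer
# Remove any previous secret; --ignore-not-found avoids an error on the first run
kubectl delete secret web-secret --ignore-not-found
kubectl create secret tls web-secret --key web_private_key.key --cert web_ssl_certificate.cer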

Create a Static IP address

We need to link our service to a static reserved IP address in order to be able to use the DNS name.

Or, generate it using the command line:

# The ingress.global-static-ip-name annotation used below refers to a global address
gcloud compute addresses create web-ip --global

Kubernetes configuration

According to the documentation, the recommended way to expose our service using SSL is to add a GCE Ingress in front of our service.

Ok, but what is Ingress?

Typically, services and pods have IPs that are only routable by the cluster network. All traffic that ends up at an edge router is either dropped or forwarded elsewhere. Conceptually, it might look like:

    internet
        |
  ------------
  [ Services ]

An Ingress is a collection of rules that allows inbound connections to reach the cluster services.

    internet
        |
   [ Ingress ]
   --|-----|--
   [ Services ]

It can be configured to give services externally-reachable URLs, load balance traffic, terminate SSL, offer name based virtual hosting, and more. Users request ingress by POSTing the Ingress resource to the API server. An Ingress controller is responsible for fulfilling the Ingress, usually with a loadbalancer, though it may also configure your edge router or additional frontends to help handle the traffic in an HA manner.

Got it! But how do I declare an Ingress on Google Cloud Platform?

The easiest way to declare an Ingress on Google Cloud Platform is to use a YAML deployment file:

# Note: the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22;
# newer clusters serve Ingress from networking.k8s.io/v1 with a different backend syntax.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: peter-ingress-admin-loadbalancer
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.global-static-ip-name: "web-ip"
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
  - secretName: web-secret
    hosts:
    - web.co
  backend:
    serviceName: web-service
    servicePort: 80
  rules:
  - host: web.co
    http:
      paths:
      - path: /test-web/*
        backend:
          serviceName: web-service
          servicePort: 80

The important points are:

  • The ingress annotations: the full documentation is available here.
  • The tls spec that allows HTTPS.
  • The rules that allow redirection on multiple services depending on the URL path. We have only one service here, but you can add new ones, for example:
http:
  paths:
  - path: /test-web/*
    backend:
      serviceName: web-service
      servicePort: 80
  - path: /test-web-2/*
    backend:
      serviceName: web-service-2
      servicePort: 80

And apply it:

kubectl apply -f ingress.yaml
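
A pre-apply check for the important points listed above, as an added example that is not part of the original post: it audits an Ingress manifest for the HTTPS-only annotation, a TLS secret, and TLS host coverage of every rule host. The function names, the JSON form of the manifest, and the one-label wildcard matching (which goes beyond the single host used on this page) are assumptions of this example.

```python
import json

# Constructed sample: the page's Ingress written as JSON (kubectl also accepts JSON).
GOOD = json.loads("""
{"apiVersion": "extensions/v1beta1", "kind": "Ingress",
 "metadata": {"name": "peter-ingress-admin-loadbalancer", "annotations": {
   "kubernetes.io/ingress.class": "gce",
   "kubernetes.io/ingress.global-static-ip-name": "web-ip",
   "kubernetes.io/ingress.allow-http": "false"}},
 "spec": {"tls": [{"secretName": "web-secret", "hosts": ["web.co"]}],
          "rules": [{"host": "web.co"}]}}
""")
ALLOW_HTTP = "kubernetes.io/ingress.allow-http"


def host_covered(host, patterns):
    """True if host equals a pattern or matches a one-label wildcard (*.example.com)."""
    for p in patterns:
        if p == host:
            return True
        if p.startswith("*.") and "." in host and host.split(".", 1)[1] == p[2:]:
            return True
    return False


def audit_ingress(manifest):
    """Return findings for HTTPS-only exposure; an empty list means every check passed."""
    findings = []
    ann = manifest.get("metadata", {}).get("annotations") or {}
    spec = manifest.get("spec", {})
    # Strict by assumption: anything other than the page's quoted "false"
    # (including a missing annotation) is reported as leaving HTTP enabled.
    if ann.get(ALLOW_HTTP) != "false":
        findings.append("http-open: %s is not set to the string 'false'" % ALLOW_HTTP)
    tls = spec.get("tls") or []
    if not tls:
        findings.append("no-tls: spec.tls is empty, so no certificate is configured")
    tls_hosts = []
    for i, entry in enumerate(tls):
        if not entry.get("secretName"):
            findings.append("no-secret: spec.tls[%d] has no secretName" % i)
        tls_hosts += entry.get("hosts") or []
    # Hosts in the tls section must explicitly match the hosts used in the rules.
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host and not host_covered(host, tls_hosts):
            findings.append("host-uncovered: %s is not listed under spec.tls hosts" % host)
    return findings
```

Running `audit_ingress` on the manifest before `kubectl apply` returns an empty list for the configuration shown in this post.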

Conclusion

You can now access your awesome web app using https://<YOUR-DOMAIN>/test-web.