SSL Certificates using Google Managed Certificate on GKE

Balkrishna Pandey
Dec 14, 2019 · 3 min read

Note: Managed certificates require clusters with masters running Kubernetes 1.12.6-gke.7 or higher.

Photo: Dead Horse Point State Park

Image for post
Dead Horse Point State Park

In goglides.com we started allowing users to map custom domain names to Tenants URL also. One of the challenges we were facing initially when we started implementing solutions is how to issue an SSL certificate for the custom domain name automatically so that we can establish a secure connection for Tenants.

Issuing and managing a certificate is not a trivial task, especially if you are trying to build the solutions from scratch. Luckily, Goglides is running on Kubernetes so it became trivial to implement a solution.

There are so many ways we can issue certificates, in this blog we are focusing on K8S cluster running on Google (GKE) using a custom resource called ManagedCertificate and ingress rules.

Clarifying Terms

Before we jump into solutions, let’s start with explaining some of the technology we are using here,

Ingress

As per the official definition, Ingress is an,

API object that manages external access to the services in a cluster, typically HTTP. Ingress can provide load balancing, SSL termination, and name-based virtual hosting

One of the main use cases of ingress is, it allows users to access Kubernetes services from outside the Kubernetes cluster.

Ingress has 2 parts, ingress controller (there are many controllers) and ingress rules. We create ingress rules and we need a controller that satisfies and process those rules. Only applying ingress rules does not affect the cluster.

Google-managed SSL certificate

Managed Certificate is a Custom Resource object created by google. This CRD allows users to automatically acquire an SSL certificate from a Certificate Authority, configure certificate on the load balancer and auto-renew it on time when it’s expired.

The process is super simple and users only need to provide a domain for which they want to obtain a certificate.

Prerequisites

  • You must own the domain name and name must be no longer than 63 characters. In this example, we are going to use a subdomain (gke.goglides.com)
  • Create a reserved (static) external IP address using the following command, or use google console. Here I am using `gke-goglides-static-ip` as IP address identifier which we are going to use later. It can be anything.
gcloud compute addresses create gke-goglides-static-ip --globalgcloud compute addresses \
describe gke-goglides-static-ip --global \
--format='value(address)'

Add DNS A-record with static IP address

Create DNS record ahead so that google certificate authority can validate ownership of the domain, issue certificates and attached it to load balancer using managed certificate features.

Setting up the managed certificate in GKE

Now, let's start with creating Kubernetes resources.

Create Managed Certificate

You can check the status of a certificate using the following command

kubectl describe managedcertificate gke-goglides-certificate

Create Deployment

Create a Service Object

Create Ingress

This took ~10–20min to become active.

Verify that SSL is working by visiting your domain using the https:// prefix.

curl https://gke.goglides.com

You should see the following outputs.

</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Goglides

Goglides allow travel and tourism company to create website…

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store