Using Multiple Google Managed Certificates with a Single Kubernetes Ingress

In case you are not aware of it, Google Cloud Platform recently released managed SSL certificates. It is quite a cool feature: the SSL certificates are obtained and managed by Google Cloud Platform, and they can be used with Kubernetes Ingress on GKE. It would be even cooler to integrate a single Kubernetes Ingress with multiple certificates.

So let's get started with it.

To keep this brief, we are going to use gcloud commands to create our GCP resources.

gcloud beta container --project "searce-playground" clusters create "multiple-ssl-cluster" --zone "us-central1-a"  --cluster-version "1.12.7-gke.10" --machine-type "custom-2-4096" --image-type "COS" --disk-type "pd-standard" --disk-size "100"

Note: Managed certificates require clusters with masters running Kubernetes 1.12.6-gke.7 or higher; for regional clusters, you will need 1.12.7-gke.17.

Prerequisites

  • You must own a domain name.
  • You need a reserved (static) external IP address on Google Cloud:

gcloud compute addresses create web-static-ip --global

You can check the static IP created using the following command:

gcloud compute addresses describe web-static-ip --global

This IP address needs to be configured in your domain’s DNS records.


Once you are all set with the prerequisites, we can start with deploying the resources:

I am going to use a sample deployment with two containers running in it for this demo:

Expose this deployment using a NodePort:

GKE takes around 5 to 7 minutes to configure the HTTP(S) load balancer.

Time to create these resources:

kubectl apply -f sample-deployment.yaml
deployment.apps/my-mc-deployment created
kubectl apply -f sample-service.yaml
service/my-mc-service created

Managed Certificates

For this demo, I am going to use two domains, i.e. abc.searce.tk and xyz.searce.tk, and will therefore create two certificates, one for each domain.

Managed certificate for the domain abc.searce.tk
Managed certificate for the domain xyz.searce.tk

Let us apply these as well:

kubectl create -f abc-cert.yaml
managedcertificate.networking.gke.io/example-certificate-abc created
kubectl create -f xyz-cert.yaml
managedcertificate.networking.gke.io/example-certificate-xyz created

You can check the certificate resources using the following command:

kubectl get managedcertificate.networking.gke.io

Kubernetes Ingress

Now that we are ready with our managed certificates, let us create the Ingress resource.

  • We are going to use annotations to set the names of the certificates. As we are using multiple certificates, we specify them as comma-separated values. The Google Cloud documentation does not specify how to serve multiple Google-managed SSL certificates from the same Ingress, or how to specify them in the Ingress YAML.
  • The static IP reserved initially is also attached to the Ingress through an annotation.
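
An ingress.yaml matching the two points above, shown together with the two ManagedCertificate objects it references. This is an added example, not the original manifest from this post: the Ingress name, the service port 80 and the use of current API versions are assumptions, while the certificate, service, host and static IP names are the ones used on this page.

```yaml
# Added example; not the author's original files.
# API versions below are the current stable ones. A 1.12 cluster like the one
# created above would use networking.gke.io/v1beta1 and extensions/v1beta1.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: example-certificate-abc
spec:
  domains:
    - abc.searce.tk
---
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: example-certificate-xyz
spec:
  domains:
    - xyz.searce.tk
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-mc-ingress            # assumed name
  annotations:
    # Name of the reserved global address, not the IP itself.
    kubernetes.io/ingress.global-static-ip-name: web-static-ip
    # Comma-separated ManagedCertificate names, no spaces; each name must
    # match a ManagedCertificate in the same namespace as the Ingress.
    networking.gke.io/managed-certificates: example-certificate-abc,example-certificate-xyz
spec:
  rules:
    - host: abc.searce.tk
      http: &backend              # YAML anchor: both hosts share one backend
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: my-mc-service
                port:
                  number: 80      # assumed service port
    - host: xyz.searce.tk
      http: *backend
```

A certificate whose name is misspelled in the annotation is simply not attached to the load balancer, so compare the annotation value against the output of kubectl get managedcertificate.networking.gke.io before waiting for provisioning.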

Create the ingress:

kubectl apply -f ingress.yaml

Check the ingress created:

kubectl get ingress
The ingress contains both hosts, abc.searce.tk and xyz.searce.tk.

The Ingress takes a good amount of time to get the GCP load balancing functioning, as you can see below.

From the Google Cloud documentation

Once everything is in place, you can browse to the hostnames and the contents will be served with the SSL certificates.

abc.searce.tk
xyz.searce.tk

And that's it! We have multiple Google-managed SSL certificates serving from a single Kubernetes Ingress.

Hope this was useful.