Using Multiple Google-Managed Certificates with a Single Kubernetes Ingress
If you are not aware of it, Google Cloud Platform recently released managed SSL certificates. It is quite a cool feature: the SSL certificates are obtained and managed by Google Cloud Platform, and they can be used with Kubernetes Ingress on GKE. It would be even cooler to integrate a Kubernetes Ingress with multiple certificates.
So let's get started with it.
To keep this brief, we are going to use gcloud commands to create our GCP resources.
gcloud beta container --project "searce-playground" clusters create "multiple-ssl-cluster" --zone "us-central1-a" --cluster-version "1.12.7-gke.10" --machine-type "custom-2-4096" --image-type "COS" --disk-type "pd-standard" --disk-size "100"
Note: Managed certificates require clusters with masters running Kubernetes 1.12.6-gke.7 or higher; for regional clusters, you will need 1.12.7-gke.17.
Prerequisites:
- You must own a domain name.
- You need a reserved (static) external IP address on Google Cloud.
gcloud compute addresses create web-static-ip --global
You can check the static IP you created using the following command:
gcloud compute addresses describe web-static-ip --global
This IP address needs to be configured in your domain’s DNS records.
Once you are all set with the prerequisites, we can start with deploying the resources:
I am going to use a sample deployment running two containers for this demo:
Expose this deployment using a NodePort:
Time to create these resources:
kubectl apply -f sample-deployment.yaml
kubectl apply -f sample-service.yaml
For this demo, I am going to use two domains, i.e. abc.searce.tk and xyz.searce.tk, and will therefore create two certificates, one for each domain.
Let us apply these as well:
kubectl create -f abc-cert.yaml
kubectl create -f xyz-cert.yaml
You can check the certificate resources using the following command:
kubectl get managedcertificate.networking.gke.io
Now that we are ready with our managed certificates, let us create the Ingress resource.
- We are going to use annotations to set the names of the certificates; as we are using multiple certificates, we specify them as comma-separated values.
Google Cloud documentation does not specify how to serve multiple Google-managed SSL certificates from the same Ingress or how to specify them in the Ingress YAML.
- The static IP reserved initially is also used by the Ingress, again through an annotation.
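The certificate and Ingress manifests described above, written out as an added example rather than the files from the original post. The resource names (abc-cert, xyz-cert, multi-cert-ingress), the Service name sample-service and port 80 are assumptions; the API versions are chosen to match the 1.12 cluster used here, and newer clusters use later API versions with a different Ingress backend syntax.

```yaml
# Added example, not the original post's files.
# Assumed names: abc-cert, xyz-cert, multi-cert-ingress, sample-service (port 80).
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: abc-cert
spec:
  domains:
    - abc.searce.tk
---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: xyz-cert
spec:
  domains:
    - xyz.searce.tk
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: multi-cert-ingress
  annotations:
    # Name of the global static IP reserved with gcloud earlier.
    kubernetes.io/ingress.global-static-ip-name: web-static-ip
    # Comma-separated ManagedCertificate names, no spaces between them.
    networking.gke.io/managed-certificates: abc-cert,xyz-cert
spec:
  rules:
    # One rule per hostname so each certificate has a matching host.
    - host: abc.searce.tk
      http:
        paths:
          - backend:
              serviceName: sample-service   # assumed NodePort Service name
              servicePort: 80               # assumed Service port
    - host: xyz.searce.tk
      http:
        paths:
          - backend:
              serviceName: sample-service
              servicePort: 80
```

Each name in the managed-certificates annotation must match a ManagedCertificate in the same namespace as the Ingress, and each certificate's domain must resolve to the reserved static IP before provisioning can complete.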
Create the ingress:
kubectl apply -f ingress.yaml
Check the ingress created:
kubectl get ingress
The Ingress takes a good amount of time before the GCP load balancer is functioning.
Once everything is in place, you can browse to the hostnames and the content will be served with the SSL certificates.
And that's it! We have multiple Google-managed SSL certificates served from a single Kubernetes Ingress.
Hope this was useful.