Google Managed SSL Certificates on Kubernetes

Prerequisites: This overview provides a straightforward path for installing Google-managed SSL Certificates on your GKE-hosted application. This assumes you've created a Deployment which runs your uploaded Docker image. It also assumes you have the gcloud command-line tool installed as we'll be working with that to perform our network configurations right from our terminal.

SSL Certificate deployments can range from a simple certbot to a managed wildcard certificate with manual installation. For a Google Cloud hosted application on Kubernetes, you can certainly install and manage your own certificates through the platform, or you can use a Google-managed SLL certificate which will manage the provisioning and autorenewal for you. It's actually extremely easy to do:

managed-cert.yml

apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
    name: myCert
spec:
    domains:
        - myDomain.com

Create the cert

kubectl apply -f managed-cert.yml

Note the only downside is that only one domain name is permitted for each Google-managed SSL certificate.

That's it, your SSL certificate is now registered with a domain in the Google Cloud. Next we'll attribute the certificate to an Ingress service which will route our traffic for our domain. We use an Ingress object to define route mapping rules for routing HTTP and HTTPS traffic. It essentially creates an HTTPS load balancer to route all our traffic to the appropriate services.

We'll eventually want our domain hitting a static IP address so we'll reserve one and name it something we can reference:

gcloud compute addresses create myApp-ip --global

You can reference this IP through gcloud compute addresses describe myApp-ip --global or you can navigate to VPC Console / External IP addresses and find the IP listed as Static. You can now point your DNS A Record to this IP address, however we'll need to create an Ingress object to map our HTTP and HTTPS traffic.

Before we create our Ingress, we'll be creating a NodePort which provides a gateway port between our public-facing Ingress controller to our cluster's application. A NodePort is, in Google terminology, a Service which simply connects one pod to another. Depending on what port our application is listening on, we can map it to our Ingress via a NodePort. Our NodePort can map directly to our Workload and the cluster will autoscale accordingly.

nodeport.yml

apiVersion: v1
kind: Service
metadata:
    name: myApp-service
spec:
    type: NodePort
    selector:
        app: myApp-workload
    ports:
        - name: myApp-port
          protocol: TCP
          port: 80
          targetPort: 5000

Create the NodePort

kubectl apply -f nodeport.yml

The targetPort is whatever port our application is listening on. Because our Ingress will route traffic on port 80, we'll perform the mapping as such. Lastly, we'll configure the Ingress object which will tie this all together.

ingress.yml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myApp-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: showcase-mde-static
    networking.gke.io/managed-certificates: moviedecisionengine
spec:
  rules:
    - host: myDomain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: myApp-service
              servicePort: myApp-port

kubectl apply -f ingress.yml

This is exciting. We've deployed our Ingress object and we're ready to check the provisioning status of our SSL certificate.

kubectl describe managedcertificate myCert

It may take up to 15 minutes for our SSL certificate to be provisioned on the server.