Category: Kubernetes

Kubernetes

Automated certificates with HTTPS Ingress on GKE and google-managed…

Ok, why this guide? There are lots of ways of automating HTTPS on Kubernetes and some apply on GKE. I was already a bit put off by cert-manager not being official/supported and when it appeared it wouldn’t work at all with godaddy as DNS provider I went digging and found this:

https://github.com/GoogleCloudPlatform/gke-managed-certs

It seemed promising and very much what I was looking for. The caveats of paying for google to manage certificates and paying for a load balancer per namespace (as is the case for ingress-linked load balancers) are both fine. It turns out that this solution has no complete documentation or examples – but it does seem to work well.

TL;DR: Readme for 3 examples available here: https://github.com/kribor/gke-managed-certs-example

How does it work?

Basically you need:

  • A GKE cluster (tested on 1.11.6) with admin access and IAM admin access
  • One or more domains for which you can set DNS records
  • Basic kubernetes knowledge

Solution is based on:

  • Custom Controller – Monitors your cluster for certificates and ingresses matching those to automatically provision certificates using compute API
  • Custom Resource Definitions (CRDs) – “certificates”
  • NodePort Services and google load balancer backed ingresses with static IPs

Example 1

The first example goes through the process of installing the controller including the mainly undocumented requirements of replacing the node pool running your nodes with one that has compute engine API admin rights (you probably don’t want to use this node pool for all your workload for security reasons) – and – creating some clusterrolebindings.

It is pretty in-depth, explaining the process and some of the things that can go wrong.

Ready to jump in? Example1: here: https://github.com/kribor/gke-managed-certs-example

Example 2

Example 2 takes it beyond the basics and describes how to share a load balancer/ingress in a namespace with different services and domain names

Example 3

Example 3 goes on to a second namespace – controller and CRDs are global and don’t need any changes but a separate IP/ingress/load balancer is required.

Troubleshooting

For some reason logs from the controller are not logged to system out, meaning they wont show up in stackdriver. It does have some useful logs if things go wrong though, you just need to jump through some hoops to get them – described at the bottom of the readme:

https://github.com/kribor/gke-managed-certs-example