Google Cloud Platform
TLS Configuration in GKE the (really) simple way
Using GCP Managed Certificates for SSL Termination for GKE

We all know that our websites and APIs should be served using TLS/HTTPS, right? The problem is, historically that’s meant the pain of OpenSSL, CSRs, X.509 digital certificates, and a whole heap of operational overhead. Plus, of course, the cost of all those certificates your enterprise needed added up quickly. And then, the inevitable downtime when someone missed an expired certificate. If big players like Microsoft and LinkedIn can get it wrong, what chance do the regular guys have?
The good news is, assuming you’re working with GKE as your container orchestrator, there’s now a really simple option to manage the certificates providing TLS for your ingresses. And better yet, you end up with high-quality certificates for free! So there really is no reason not to go all in on TLS.
Note: this is the simplest option for GKE, but if you are using another K8s environment like Azure AKS, or a private K8s cluster, you can get similar features from the Cert-Manager project. It’s a little more work to set up, but well worth it!
Requirements
There are a few basic requirements your cluster needs to fulfil for the approach here to work.
- Your cluster needs to be at Kubernetes v1.10 or greater
- You need to be using the default GKE Ingress, which provisions a Google Cloud Load Balancer
If you can’t match all of these, don’t worry; it’ll be a little tougher, but the Managed Certificates that Google Cloud Platform provides can always be set up by hand. I’ll cover that another time. For now, let’s assume that you’re cool with these requirements, and get our cluster ready to go.
Cluster Preparation
To get the cluster ready, we need to add a Custom Resource Definition to manage our certificates, and some code to handle the integration with Let’s Encrypt, who will handle providing the certificates.
The install is pretty straightforward: first clone the Git repo containing the deployment scripts. Navigate to the deploy folder, and with kubectl…