2

I've been trying to test out Kubernetes on Google Cloud, but would need HTTPS/TLS (only) exposed on the deployed application. To start, I just followed this tutorial, which worked fine for plain HTTP over port 80: https://cloud.google.com/kubernetes-engine/docs/quickstart

To get TLS support working with Let's Encrypt, I've tried (without success):

... Does anyone have any suggestions on how to serve just HTTPS for the original tutorial? No need for plain HTTP unless it's a freebie, but I'm really scratching my head on this one since I haven't worked with Kubernetes before and I haven't been able to get Let's Encrypt working at all here.

Ben Guild

2 Answers

6

So, it turns out that you can just add TLS directly on the load balancer now, and it'll issue a Let's Encrypt certificate automatically. This is doable via Cloud Console:

[Screenshot: Let's Encrypt issued on GCP LB]

No clue why this isn't more well-known.

Ben Guild
0

You can follow the instructions here to create a Kubernetes Ingress with a Google managed certificate. At a high level, this involves two steps:

  1. Create a ManagedCertificate resource (this is a beta feature in GKE)
  2. Use the networking.gke.io/managed-certificates annotation in your Ingress manifest to point to the managed certificate created in step 1

Google will automatically create a certificate for you using one of two CAs. If you're adamant on using Let's Encrypt, you can add a CAA record to your DNS zone as follows:

your_domain. CAA 0 issue "letsencrypt.org"

Alternatively, if your app is already up and running in GKE and sitting behind an existing Global HTTP Load Balancer, you can follow the instructions here to add a Google managed certificate to your load balancer. The end result is essentially the same regardless of which method you use.

faridghar
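
The two steps from the answer above written out as manifests. This is an added illustration, not taken from the answer or from Google's documentation. The names `example-cert`, `example-ingress`, `example-ip` and `hello-server`, the domain `example.com`, and the `v1` API version are assumptions (the answer describes the feature as beta).

```yaml
# Added example. All names and the domain are placeholders.

# Step 1: the ManagedCertificate resource.
apiVersion: networking.gke.io/v1   # assumption: GA version; the answer calls the feature beta
kind: ManagedCertificate
metadata:
  name: example-cert
spec:
  domains:
    # The certificate is only issued once this name resolves to the
    # load balancer's IP address, so create the DNS record first.
    - example.com
---
# Step 2: the Ingress that references the certificate by name.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    # Annotation named in the answer; value is the ManagedCertificate name.
    networking.gke.io/managed-certificates: example-cert
    # Not part of the answer's two steps: a reserved global static IP
    # (placeholder name) keeps the DNS record valid if the Ingress is recreated.
    kubernetes.io/ingress.global-static-ip-name: example-ip
    # Not part of the answer's two steps: disables the port 80 listener on
    # the load balancer, which covers the question's HTTPS-only requirement.
    kubernetes.io/ingress.allow-http: "false"
spec:
  defaultBackend:
    service:
      name: hello-server   # placeholder for the Service in front of the app
      port:
        number: 80         # TLS terminates at the load balancer; backend stays HTTP
```

After applying, `kubectl describe managedcertificate example-cert` shows the provisioning status; the HTTPS listener does not serve the certificate until the status reaches Active.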