This blog helps you to use GCE Ingresses to create external load balancers with Google-managed SSL certificates.
Google-managed SSL certificates are provisioned, renewed, and managed for your domain names.
Create a global static IP address for the load balancer:
gcloud compute addresses create web-service --global
Setting up two managed certificates for
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: example-one
spec:
  domains:
    - one.example.com

apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: example-two
spec:
  domains:
    - two.example.com
Apply the above manifests with the kubectl apply command.
Create a NodePort Service for each application so the GCE Ingress can route to it. The following are example Service manifest files:
apiVersion: v1
kind: Service
metadata:
  name: example-one
  labels:
    app: example-one
spec:
  type: NodePort
  selector:
    app: example-one
  ports:
    - name: example-one-port
      port: 80
      nodePort: 40110
      targetPort: 80
      protocol: TCP

apiVersion: v1
kind: Service
metadata:
  name: example-two
  labels:
    app: example-two
spec:
  type: NodePort
  selector:
    app: example-two
  ports:
    - name: example-two-port
      port: 8080
      nodePort: 41110
      targetPort: 8080
      protocol: TCP
Create the above Services with the kubectl create command.
Create an Ingress, linking it to the ManagedCertificate objects you created previously through the networking.gke.io/managed-certificates annotation.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.global-static-ip-name: web-service
    networking.gke.io/managed-certificates: example-one,example-two
spec:
  rules:
    - host: one.example.com
      http:
        paths:
          - backend:
              serviceName: example-one
              servicePort: example-one-port
    - host: two.example.com
      http:
        paths:
          - backend:
              serviceName: example-two
              servicePort: example-two-port
Create the above Ingress with the kubectl create command.
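As an added pre-deploy check (not part of the original post), the following Python script verifies that the three manifests above agree with each other: every host in the Ingress rules is covered by a ManagedCertificate named in the annotation, each backend resolves to a port on a NodePort Service, and the Ingress class is gce. The manifests are embedded as constructed dictionaries so the check runs offline; in practice you would load them from the YAML files with a parser.

```python
# Constructed from the manifests on this page (only the fields the check needs).
MANAGED_CERTS = [
    {"metadata": {"name": "example-one"}, "spec": {"domains": ["one.example.com"]}},
    {"metadata": {"name": "example-two"}, "spec": {"domains": ["two.example.com"]}},
]
SERVICES = [
    {"metadata": {"name": "example-one"},
     "spec": {"type": "NodePort", "ports": [{"name": "example-one-port", "port": 80}]}},
    {"metadata": {"name": "example-two"},
     "spec": {"type": "NodePort", "ports": [{"name": "example-two-port", "port": 8080}]}},
]
INGRESS = {
    "metadata": {"annotations": {
        "kubernetes.io/ingress.class": "gce",
        "kubernetes.io/ingress.global-static-ip-name": "web-service",
        "networking.gke.io/managed-certificates": "example-one,example-two"}},
    "spec": {"rules": [
        {"host": "one.example.com", "http": {"paths": [
            {"backend": {"serviceName": "example-one", "servicePort": "example-one-port"}}]}},
        {"host": "two.example.com", "http": {"paths": [
            {"backend": {"serviceName": "example-two", "servicePort": "example-two-port"}}]}},
    ]},
}

def check_ingress(ingress, certs, services):
    # Returns a list of problems; an empty list means the manifests agree.
    problems = []
    ann = ingress["metadata"].get("annotations", {})
    if ann.get("kubernetes.io/ingress.class") != "gce":
        problems.append("ingress class is not gce, so the managed-certificates annotation is ignored")
    certs_by_name = {c["metadata"]["name"]: c for c in certs}
    covered = set()  # domains that some referenced ManagedCertificate will secure
    for name in [n.strip() for n in ann.get("networking.gke.io/managed-certificates", "").split(",") if n.strip()]:
        if name in certs_by_name:
            covered.update(certs_by_name[name]["spec"]["domains"])
        else:
            problems.append(f"annotation references unknown ManagedCertificate {name}")
    # A backend may reference the Service port by name or by number; accept either.
    svc_ports = {(s["metadata"]["name"], key): s for s in services
                 for p in s["spec"]["ports"] for key in (p["name"], p["port"])}
    for rule in ingress["spec"]["rules"]:
        host = rule["host"]
        if host not in covered:
            problems.append(f"host {host} is not covered by any listed ManagedCertificate")
        for path in rule["http"]["paths"]:
            b = path["backend"]
            svc = svc_ports.get((b["serviceName"], b["servicePort"]))
            if svc is None:
                problems.append(f"{host}: backend {b['serviceName']}/{b['servicePort']} matches no Service port")
            elif svc["spec"]["type"] != "NodePort":
                problems.append(f"{host}: Service {b['serviceName']} must be type NodePort for a GCE Ingress")
    return problems
```

A host left uncovered means the load balancer has no certificate for that name, so HTTPS clients for it see a certificate name mismatch; catching that before kubectl create is cheaper than waiting for the managed certificate to fail provisioning.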
Look up the IP address of the load balancer created in the previous step with the following command:
kubectl get ingress
Configure the DNS A records for your domains to point to the IP address of the load balancer. The managed certificate cannot be issued until each domain resolves to that address.
Google-managed certificates are issued by one of two certificate authorities (CAs), letsencrypt.org and pki.goog. You must create a Certification Authority Authorization (CAA) DNS record to specify which CAs are allowed to sign your Google-managed certificate. If you specify both CAs, Google Cloud selects one of them and uses it to sign your certificate. When your certificate is renewed, it might be signed by a different CA. If you specify just one CA, that CA is used to create and renew your certificate:
one.example.com CAA 0 issue "pki.goog"
two.example.com CAA 0 issue "pki.goog"
Check the provisioning status of the Google-managed SSL certificates:
gcloud beta compute ssl-certificates list --global --format="get(name,managed.status, managed.domainStatus)"