GKE INGRESS (HTTPS) - adonisv79/bytecommander.com GitHub Wiki

Creating Certificates

Free Certificate Authority (CA)

We can use Let's Encrypt or SSL for FREE, but I find the web UI method easier with the latter. Note that the signed certificates they issue last only 3 months, so your devops must be reminded every 2 months to refresh the certificate.

  1. Go to https://www.sslforfree.com/ and enter the domain you want to secure.
  2. You will be asked to choose among 3 verification methods. (I choose 3)
     • Automatic verification - where you need to set the service to have TCP access to your service (which seems kinda risky)
     • Manual verification - which seems tedious, as you will need to provide files in your web app and redeploy to Kubernetes. That means I have to redeploy a new Docker image and pod, or need to be able to exec bash into the container instances.
     • Manual DNS verification - the easiest. You just need to prove ownership of the DNS by adding some TXT records.
  3. After verification, you can download 'certificate.crt', 'private.key' and 'ca_bundle.crt'. The first 2 files are what you basically need.

Self-signed

Create a certificate by running the following in Linux bash (or Git Bash):

openssl req -x509 -newkey rsa:2048 -keyout private.key -out certificate.crt -days 365 -nodes

Follow the prompts like so:

Country Name (2 letter code) [AU]:PH
State or Province Name (full name) [Some-State]:NCR
Locality Name (eg, city) []:MANILA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:3E GAMES DEVELOPMENT
Organizational Unit Name (eg, section) []:PRODUCTS
Common Name (e.g. server FQDN or YOUR name) []:ADONISV79
Email Address []:[email protected]

Deploying to Google Kubernetes

Create the secret

kubectl create secret tls my-auth-secret --key private.key --cert certificate.crt

The secret should be listed when you run

kubectl get secret my-auth-secret --output yaml
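
An added example (not part of the original wiki): a pre-flight script to run on certificate.crt and private.key before the kubectl create secret tls command above. It checks that the key belongs to the certificate, that the certificate is not close to expiry, and that it covers the host named in the Ingress. The function names, the MIN_DAYS variable and its 30-day default are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the wiki): checks to run on certificate.crt and
# private.key before `kubectl create secret tls`. Requires the openssl CLI.

# Succeeds when the certificate's public key is the one derived from the key file.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds when the certificate's SAN (or CN fallback) covers hostname $2.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Run all three checks; MIN_DAYS (assumed default: 30) is the renewal margin.
preflight() {
  rc=0
  cert_matches_key "$1" "$2" || { echo "FAIL: $2 is not the key for $1" >&2; rc=1; }
  cert_valid_for_days "$1" "${MIN_DAYS:-30}" ||
    { echo "FAIL: $1 expires within ${MIN_DAYS:-30} days" >&2; rc=1; }
  cert_covers_host "$1" "$3" || { echo "FAIL: $1 does not cover $3" >&2; rc=1; }
  return "$rc"
}

# Usage: sh preflight.sh certificate.crt private.key www.mydomain.dev
if [ "$#" -eq 3 ]; then preflight "$@" || exit 1; fi
```

A self-signed certificate created with a Common Name that is not the served hostname fails the third check, which is the same mismatch a browser or client would report.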

Set ingress to use your certificates

Your Ingress file should be as follows:

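# Note: extensions/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters
# need networking.k8s.io/v1, which also changes the backend fields.
apiVersion: extensions/v1beta1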
kind: Ingress
metadata:
  name: test-tls-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-ip-name"
spec:
  tls:
    - hosts:
      - www.mydomain.dev
      secretName: my-auth-secret
  rules:
    - host: www.mydomain.dev
      http:
        paths:
          - path: /
            backend:
              serviceName: my-auth-web-service
              servicePort: 3000

This will take some time to propagate. Sometimes forever, so what I do is just delete the entire ingress and recreate it using

kubectl delete -f {ingress-config.yml file}
kubectl create -f {ingress-config.yml file} --save-config