Managed Certificates for Kubernetes clusters using GCLB
Clone or download
krzykwas Rename metrics to spell backend and quota separate from metric
Change-Id: I59085aeaba7e77d29ad8270f6c69b2eb6c45baf4
Latest commit 342683d Jan 10, 2019

README.md

Managed Certificates in GKE

Managed Certificates in GKE simplify user flow in managing HTTPS traffic. Instead of manually acquiring an SSL certificate from a Certificate Authority, configuring it on the load balancer and renewing it on time, now it is only necessary to create a Managed Certificate k8s Custom Resource object and provide a domain for which you want to obtain a certificate. The certificate will be auto-renewed when necessary.

For that to work you need to run your cluster on a platform with Google Cloud Load Balancer, that is a cluster in GKE or your own cluster in GCP.

Installation

Prerequisites

  1. You need to use Kubernetes 1.10 or newer.
  2. Configure your domain example.com so that it points at the load balancer created for your cluster by Ingress.

Steps

To install Managed Certificates in your own cluster on GCP, you need to:

  1. Deploy the Managed Certficate CRD
$ kubectl create -f deploy/managedcertificates-crd.yaml
  1. Deploy the managed-certificate-controller
$ kubectl create -f deploy/managed-certificate-controller.yaml

Usage

  1. Create a Managed Certificate custom object, specifying a single non-wildcard domain not longer than 63 characters, for which you want to obtain a certificate:
apiVersion: gke.googleapis.com/v1alpha1
kind: ManagedCertificate
metadata:
  name: example-certificate
spec:
  domains:
    - example.com
  1. Configure Ingress to use this custom object to terminate SSL connections:
kubectl annotate ingress [your-ingress-name] gke.googleapis.com/managed-certificates=example-certificate

If you need, you can specify more multiple managed certificates here, separating their names with commas.

Clean up

You can do the below steps in any order and doing even one of them will turn SSL off:

  • Remove annotation from Ingress
kubectl annotate ingress [your-ingress-name] gke.googleapis.com/managed-certificates-

(note the minus sign at the end of annotation name)

  • Tear down the controller
$ kubectl delete -f deploy/managed-certificate-controller.yaml
  • Tear down the Managed Certificate CRD
$ kubectl delete -f deploy/managedcertificates-crd.yaml