Wednesday, July 1, 2020

Using SSL based Ingress on Google Kubernetes Engine

In this post we will review the steps to create an SSL-based Ingress on Google Kubernetes Engine (GKE).

An Ingress is a Kubernetes object that exposes services running in the cluster to clients outside it.

For example, suppose we have two services, foo-service and bar-service.
We want to expose both of them to the internet, but through a single Ingress with a single SSL certificate.

Follow the next steps to create an Ingress that terminates SSL:
  1. Make sure that the pods behind all of the services (foo and bar) implement readiness probes; GKE derives the load balancer health check from them.

  2. Add the following annotation to all of the services to enable container-native load balancing, so the load balancer routes directly to the pods (through network endpoint groups) instead of through node ports (better performance):

    apiVersion: v1
    kind: Service
    metadata:
      name: foo-service
      annotations:
        cloud.google.com/neg: '{"ingress": true}'

  3. Create a static IP that will be used for the ingress:

    gcloud compute addresses create my-ip --global

  4. Check that the static IP is configured:

    gcloud compute addresses describe my-ip --global

  5. Create an SSL certificate.

    You can either buy a publicly signed SSL certificate or create your own self-signed SSL certificate. The self-signed certificate is fine for testing purposes, but in a real-world scenario you would need a publicly signed SSL certificate.
    To create a self-signed certificate and store it as a Kubernetes TLS secret, use the following commands:

    # Start from a clean directory for the key material.
    rm -rf keys
    mkdir keys
    # Generate a 2048-bit RSA private key.
    openssl genrsa -out keys/ingress.key 2048
    # Create a certificate signing request; the CN should be the host name the Ingress will serve.
    openssl req -new -key keys/ingress.key -out keys/ingress.csr -subj "/CN=radwarebouncer.com"
    # Self-sign the request for one year.
    openssl x509 -req -days 365 -in keys/ingress.csr -signkey keys/ingress.key -out keys/ingress.crt
    # Store the pair as a TLS secret; the Ingress below references it by this name.
    kubectl create secret tls ingress-secret --cert keys/ingress.crt --key keys/ingress.key

  6. Create the Ingress.

    Notice that:
    - The ingress includes an annotation to use the my-ip static IP.
    - The ingress includes a tls specification that references the ingress-secret.
    - Each path routes to its own service: /foo to foo-service and /bar to bar-service.

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: ingress
      annotations:
        # Only the NGINX ingress controller reads this annotation; the GKE ingress controller ignores it.
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
        kubernetes.io/ingress.global-static-ip-name: "my-ip"
    spec:
      tls:
      - secretName: ingress-secret
      rules:
      - host: example.com
        http:
          paths:
          - path: /foo
            backend:
              serviceName: foo-service
              servicePort: 80
          - path: /bar
            backend:
              serviceName: bar-service
              servicePort: 80

That's it, you are ready to go.
Use curl against your domain name to check the ingress, for example (-k skips certificate verification, which a self-signed certificate would otherwise fail):

    curl -k https://example.com/foo
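Before running the kubectl create secret tls command from step 5, it is worth checking the key material itself: a key that does not belong to the certificate is rejected when the load balancer loads the secret, and a certificate whose subjectAltName does not cover the Ingress host produces certificate errors in browsers even though curl -k reports success. The script below is an added example, not part of the original post; it generates a self-signed pair that carries the host as a SAN (replacing the three-command openssl sequence above with a single openssl req -x509) and then runs those checks. The KEYDIR and HOST defaults, the function names and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the TLS key
# pair before it is stored with "kubectl create secret tls".
# KEYDIR and HOST are assumed defaults; override them in the environment.
set -eu

KEYDIR=${KEYDIR:-keys}
HOST=${HOST:-example.com}

# Create a self-signed pair that carries HOST as a subjectAltName
# (browsers ignore the CN, so the SAN is what must match the Ingress host).
make_self_signed() {
  mkdir -p "$KEYDIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$KEYDIR/ingress.key" -out "$KEYDIR/ingress.crt" \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

# Return 0 when the private key ($1) and the certificate ($2) share a public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# Return 0 when the certificate ($1) lists $2 as a DNS subjectAltName.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | grep -q "DNS:$2\$"
}

# Return 0 when the certificate ($1) is still valid in $2 days (default 30).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Run all checks on a pair: print one line per check, return 1 on any failure.
check_pair() {
  key=$1; crt=$2; host=$3; rc=0
  if key_matches_cert "$key" "$crt"; then echo "ok    key matches certificate"
  else echo "FAIL  key does not match certificate"; rc=1; fi
  if cert_covers_host "$crt" "$host"; then echo "ok    certificate covers $host"
  else echo "FAIL  certificate does not cover $host"; rc=1; fi
  if cert_not_expiring "$crt" 30; then echo "ok    certificate valid for at least 30 days"
  else echo "FAIL  certificate expires within 30 days"; rc=1; fi
  return $rc
}

# Stand-alone run: create the pair if it is missing, then verify it.
[ -f "$KEYDIR/ingress.key" ] || make_self_signed
check_pair "$KEYDIR/ingress.key" "$KEYDIR/ingress.crt" "$HOST"
```

Run it with HOST set to the host from the Ingress rules (example.com in the manifest above) and only proceed to kubectl create secret tls when all three lines report ok; the same check_pair function works unchanged on a purchased certificate and its key.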