This post shows how to use GCE Ingresses to create external load balancers with Google-managed SSL certificates.
Google-managed SSL certificates are provisioned, renewed, and managed by Google for your domain names.
Create a global static IP address:
    gcloud compute addresses create web-service --global
Set up two managed certificates, one for one.example.com and one for two.example.com:
    apiVersion: networking.gke.io/v1beta1
    kind: ManagedCertificate
    metadata:
      name: example-one
    spec:
      domains:
        - one.example.com
    ---
    apiVersion: networking.gke.io/v1beta1
    kind: ManagedCertificate
    metadata:
      name: example-two
    spec:
      domains:
        - two.example.com
Apply the above manifests with the kubectl apply command.
Create a NodePort Service for each web application you want to expose to the Internet.
The following are example Service manifests:
    apiVersion: v1
    kind: Service
    metadata:
      name: example-one
      labels:
        app: example-one
    spec:
      type: NodePort
      selector:
        app: example-one
      ports:
        - name: example-one-port
          port: 80
          nodePort: 40110
          targetPort: 80
          protocol: TCP
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: example-two
      labels:
        app: example-two
    spec:
      type: NodePort
      selector:
        app: example-two
      ports:
        - name: example-two-port
          port: 8080
          nodePort: 41110
          targetPort: 8080
          protocol: TCP
Create the above Services with the kubectl create command.
Create an Ingress, linking it to the ManagedCertificates you created previously through the networking.gke.io/managed-certificates annotation and to the static IP through the kubernetes.io/ingress.global-static-ip-name annotation:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: example-ingress  # assumed name; an Ingress needs a metadata.name
      annotations:
        kubernetes.io/ingress.class: gce
        kubernetes.io/ingress.global-static-ip-name: web-service
        networking.gke.io/managed-certificates: example-one,example-two
    spec:
      rules:
        - host: one.example.com
          http:
            paths:
              - backend:
                  serviceName: example-one
                  servicePort: example-one-port
        - host: two.example.com
          http:
            paths:
              - backend:
                  serviceName: example-two
                  servicePort: example-two-port
Create the above Ingress with the kubectl create command.
Look up the IP address of the load balancer created in the previous step (it should be the static address reserved earlier):
    kubectl get ingress
Configure the DNS records for your domain to point to the IP address of the load balancer.
Google-managed certificates are issued by one of two certificate authorities (CAs), letsencrypt.org and pki.goog. You must create a Certification Authority Authorization (CAA) DNS record to specify which CAs are allowed to sign your Google-managed certificate. If you specify both CAs, Google Cloud selects one of them and uses it to sign your certificate. When your certificate is renewed, it might be signed by a different CA. If you specify just one CA, that CA is used to create and renew your certificate:
    one.example.com CAA 0 issue "pki.goog"
    two.example.com CAA 0 issue "pki.goog"
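A common failure mode with this setup is an Ingress host that no referenced ManagedCertificate covers, a backend that points at a port the Service does not expose, or a domain whose CAA record blocks both CAs Google uses; the certificate then never becomes Active. The following Python check, added here and not part of the original post or of GKE, cross-references the manifests and CAA records above before deployment. The sample input is constructed from the manifests above as already-parsed dicts (as yaml.safe_load_all would produce), and all function and variable names are my own.

```python
# Constructed input mirroring the manifests above, already parsed into dicts.
CERTS = [{"metadata": {"name": "example-one"}, "spec": {"domains": ["one.example.com"]}},
         {"metadata": {"name": "example-two"}, "spec": {"domains": ["two.example.com"]}}]
SERVICES = [{"metadata": {"name": "example-one"}, "spec": {"type": "NodePort",
             "ports": [{"name": "example-one-port", "port": 80}]}},
            {"metadata": {"name": "example-two"}, "spec": {"type": "NodePort",
             "ports": [{"name": "example-two-port", "port": 8080}]}}]
INGRESS = {"metadata": {"annotations": {
               "networking.gke.io/managed-certificates": "example-one,example-two"}},
           "spec": {"rules": [
               {"host": "one.example.com", "http": {"paths": [{"backend":
                   {"serviceName": "example-one", "servicePort": "example-one-port"}}]}},
               {"host": "two.example.com", "http": {"paths": [{"backend":
                   {"serviceName": "example-two", "servicePort": "example-two-port"}}]}}]}}
CAA_LINES = ['one.example.com CAA 0 issue "pki.goog"', 'two.example.com CAA 0 issue "pki.goog"']


def caa_allows_google(host, caa_lines):
    """True if a CAA 'issue' record for host names one of the two CAs Google uses."""
    issuers = set()
    for line in caa_lines:
        name, _rtype, _flags, tag, value = line.split()
        if name == host and tag == "issue":
            issuers.add(value.strip('"'))
    return bool(issuers & {"pki.goog", "letsencrypt.org"})


def check_ingress(ingress, certs, services, caa_lines):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    annotation = ingress["metadata"].get("annotations", {}).get("networking.gke.io/managed-certificates", "")
    certs_by_name = {c["metadata"]["name"]: c for c in certs}
    covered = set()  # domains covered by the certificates the Ingress references
    for name in filter(None, (n.strip() for n in annotation.split(","))):
        if name in certs_by_name:
            covered.update(certs_by_name[name]["spec"]["domains"])
        else:
            problems.append(f"annotation names unknown ManagedCertificate {name!r}")
    # servicePort may be a port name or a port number; accept either for NodePort Services
    ports = {s["metadata"]["name"]: {p["name"] for p in s["spec"]["ports"]} | {p["port"] for p in s["spec"]["ports"]} for s in services if s["spec"].get("type") == "NodePort"}
    for rule in ingress["spec"]["rules"]:
        host = rule["host"]
        if host not in covered:
            problems.append(f"host {host!r} is not a domain of any referenced ManagedCertificate")
        if not caa_allows_google(host, caa_lines):
            problems.append(f"no CAA issue record for {host!r} allows pki.goog or letsencrypt.org")
        for path in rule["http"]["paths"]:
            backend = path["backend"]
            if backend["servicePort"] not in ports.get(backend["serviceName"], set()):
                problems.append(f"backend {backend['serviceName']}:{backend['servicePort']} matches no NodePort Service port")
    return problems
```

Run `check_ingress(INGRESS, CERTS, SERVICES, CAA_LINES)` against your own parsed manifests and the CAA records you publish; any non-empty result is worth fixing before waiting on certificate provisioning.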
Check the status of the Google-managed SSL certificates (the certificate is usable once its status is Active):
    gcloud beta compute ssl-certificates list --global --format="get(name,managed.status, managed.domainStatus)"