Do I need a target-http-proxy for setting up HTTPS load balancer with Google managed SSL certificates on GKE?

12/27/2018

According to Creating a Google-managed SSL certificate resource, I need to Associate a Google-managed SSL certificate with a target proxy:

gcloud beta compute [target-https-proxies | target-ssl-proxies] update [NAME] \
    --ssl-certificates [SSL-CERTIFICATE-NAME]

Do I need to associate the SSL certificate by the command above, or is that also achieved by the following .yml config?

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-staging-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-staging-global"
    ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"
    kubernetes.io/ingress.allow-http: "false"

If the config above doesn't cut it, should I create it as described here? It looks like this guide assumes one has access to the certificates, which I don't as it's managed by Google.

-- martins
google-cloud-platform
google-kubernetes-engine
kubernetes-ingress
ssl

1 Answer

12/27/2018

You can have GKE create an ingress controller that's backed by a Google HTTPS load balancer. When you do that, you specify configuration for the ingress in a config file and GKE builds all the load balancer components. The SSL certificate (and private key) are combined into a configuration object called an SSL Certificate. That's linked to the target HTTPS proxy. The first thing to do would be to create a Google managed certificate object. This part has nothing to do with Kubernetes. The command is:

$ gcloud beta compute ssl-certificates create [SSL_CERTIFICATE_NAME] \
    --domains [DOMAIN]

See the attached link for more details.

All you have to do for this part is to create the certificate object. You do not assign it to any target proxy.

Now, for the second part: Once you have the GCP certificate object created, you can reference it when you create a Kubernetes ingress. In Kubernetes terms, this is called "using a pre-shared certificate." A pre-shared certificate is simply one that's backed by an existing GCP SSL Certificate object (whether or not that SSL Certificate is a Google managed certificate or one that you created by uploading your own key and certificate). See the attached link for more details.

-- Muhammad Ebaduddin
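
To confirm that GKE attached the pre-shared certificate on its own, as the answer describes, the script below (an added example, not part of the original post) reads the HTTPS target proxy name that the GKE ingress controller records in the Ingress annotation `ingress.kubernetes.io/https-target-proxy` and checks that the proxy lists the certificate. It assumes `gcloud` and `kubectl` are already authenticated against the project and cluster; the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify that the GKE-built target HTTPS proxy references the
# pre-shared certificate named in the Ingress annotation.
# Usage: sh check-ingress-cert.sh <ingress-name> <ssl-certificate-name>

# Provisioning state of a Google-managed certificate (e.g. PROVISIONING, ACTIVE).
cert_status() {
  gcloud beta compute ssl-certificates describe "$1" \
    --format='value(managed.status)'
}

# Name of the target HTTPS proxy created for Ingress $1, read from the
# annotation the ingress controller writes back onto the Ingress object.
ingress_https_proxy() {
  kubectl get ingress "$1" \
    -o jsonpath='{.metadata.annotations.ingress\.kubernetes\.io/https-target-proxy}'
}

# Succeeds only if target HTTPS proxy $1 references SSL certificate $2.
# The trailing group stops "foo" from matching a certificate named "foo-bar".
proxy_has_cert() {
  gcloud beta compute target-https-proxies describe "$1" \
    --format='value(sslCertificates)' |
    grep -Eq "/sslCertificates/$2([^a-z0-9-]|\$)"
}

# Returns 0 when attached, 1 when the proxy lacks the certificate,
# 2 when the load balancer has not been built yet.
verify_ingress_cert() {
  ingress="$1"
  cert="$2"
  proxy="$(ingress_https_proxy "$ingress")"
  if [ -z "$proxy" ]; then
    echo "no HTTPS target proxy recorded on $ingress yet"
    return 2
  fi
  if ! proxy_has_cert "$proxy" "$cert"; then
    echo "$proxy does not reference $cert"
    return 1
  fi
  echo "$proxy references $cert (status: $(cert_status "$cert"))"
}

# Run the check only when both names are given on the command line.
if [ "$#" -eq 2 ]; then
  verify_ingress_cert "$1" "$2"
fi
```

A status other than ACTIVE in the output means the certificate is attached but Google has not finished provisioning it, so HTTPS requests will not yet be served with it.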
Source: StackOverflow