How to set up an architecture of scalable custom domains & auto-SSL on Google Kubernetes Engine

12/28/2018

We are researching the best solution to allow customers to use their domain names with our hosting services. The hosting services are based on Google App Engine standard. The requirements are:

  1. Customers can point their domain name to our server via CNAME or A record
  2. Our server should be able to generate SSL certs for them automatically using Let's Encrypt
  3. Our server should be able to handle custom SSL certs uploaded by customers
  4. Should be robust and reliable when adding new customers (new confs, SSL certs etc.) into our servers
  5. Should be scalable, and can handle a large number of custom domains and traffic (e.g. from 0 to 10000)
  6. Minimum operation costs (the less time needed for maintaining the infrastructure, the better)

It seems Google Kubernetes Engine (formerly known as Google Container Engine) would be the direction to go. Is there a specific, proven way to set it up? Any suggestions or shared experiences would be appreciated.

-- Jake W
Tags: custom-domain, google-kubernetes-engine, kubernetes-ingress, lets-encrypt, ssl

1 Answer

12/28/2018

I would recommend going through this link to get started with setting up a GKE cluster.

For your purpose of SSL on GKE I would recommend creating an Ingress as specified in this link, which automatically creates a Loadbalancer Resource in GCP if you use the default GLBC ingress controller. The resulting LB's configuration (Ports, Host Path rules, Certificates, Backend Services, etc.) is defined by the configuration of the Ingress Object itself. You can point the domain name to the IP of the Loadbalancer.

If you want to configure your Ingress (and consequently the resulting LB) to use certs created by 'Let's Encrypt', you would be modifying the configuration presented in the YAML of the ingress. For actually integrating Let's Encrypt with Kubernetes, it is possible by using a service called cert-manager to automate the process of obtaining TLS/SSL certificates and storing them inside secrets. This link shows how to use cert-manager with GKE.

If you want to use self-managed SSL certificates please see this link for more information. GKE is scalable through its cluster autoscaler, which automatically resizes clusters based on the demands of the workloads you want to run.

-- John Mathew
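The following manifests are an added example of the setup the answer describes (one GCE Ingress on GKE, cert-manager issuing Let's Encrypt certificates into TLS Secrets, plus a customer-uploaded certificate in its own Secret); they are not part of the answer and not taken from GKE or cert-manager documentation. Assumed names: a Service `web` on port 80, a reserved global static IP named `customer-domains-ip`, the placeholder domains `customer-a.example` (Let's Encrypt) and `customer-b.example` (customer-supplied cert), a placeholder contact address, and cert-manager already installed in the cluster.

```yaml
# Added example (not from the answer). Assumptions: Service "web" on port 80,
# reserved global static IP "customer-domains-ip", placeholder domains
# customer-a.example and customer-b.example, cert-manager already installed.
---
# ClusterIssuer: how cert-manager reaches Let's Encrypt (ACME v2, HTTP-01 challenge).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                 # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: gce                     # challenge is served through the GLBC Ingress
---
# Requirement 2: an explicit Certificate per Let's Encrypt domain. Using a Certificate
# object instead of the ingress-shim annotation keeps cert-manager from also claiming
# the customer-uploaded Secret below.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: customer-a-tls
spec:
  secretName: customer-a-tls               # cert-manager writes and renews this Secret
  dnsNames:
    - customer-a.example
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
# Requirement 3: a customer-uploaded certificate stored as a standard TLS Secret.
# Values are placeholders; in practice create it with `kubectl create secret tls`.
apiVersion: v1
kind: Secret
metadata:
  name: customer-b-tls
type: kubernetes.io/tls
data:
  tls.crt: <base64 PEM certificate chain uploaded by customer B>
  tls.key: <base64 PEM private key uploaded by customer B>
---
# One Ingress fronts all custom domains (requirement 1: customers point a CNAME or
# A record at the static IP). Each tls entry names the Secret holding that host's cert.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: customer-domains
  annotations:
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.global-static-ip-name: customer-domains-ip
    # Port 80 stays open: the HTTP-01 challenge must be reachable over plain HTTP,
    # so do not set kubernetes.io/ingress.allow-http to "false" here.
spec:
  tls:
    - hosts: [customer-a.example]
      secretName: customer-a-tls           # issued by cert-manager
    - hosts: [customer-b.example]
      secretName: customer-b-tls           # supplied by the customer
  rules:
    - host: customer-a.example
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
    - host: customer-b.example
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
```

Adding a customer is then one Certificate (or one uploaded Secret) plus one host and one tls entry on the Ingress, which a small controller or CI job can apply idempotently. Two caveats for the "0 to 10000 domains" requirement: a single Google Cloud HTTPS load balancer accepts only a limited number of certificates per target proxy (check the current quota before designing around one Ingress), so the domains will have to be spread over several Ingress objects or fronted by a proxy that terminates TLS itself; and every customer-uploaded key sits in a Kubernetes Secret, so restrict `get`/`list` on Secrets in that namespace with RBAC and enable application-layer secret encryption on the cluster.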
Source: StackOverflow