Multiple SSL Certificates kubernetes

12/29/2018

I am running a web service that can be accessed from my company's domain name. I have set up automatic SSL certificates with Let's Encrypt as seen below.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    certmanager.k8s.io/issuer: letsencrypt
spec:
  tls:
  - hosts:
    - my.domain.net
    secretName: my-domain-net-tls
  rules:
  - host: my.domain.net
    http:
      paths:
      - backend:
          serviceName: frontend-service
          servicePort: 80-to-8080-tcp
```

I want to offer clients the option of serving the frontend from their own domains. What is the best way to go about this with certificates? I understand that I can set up the load balancer to use multiple secrets as shown here: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl, but I will need to be serving from more than the stated max of 10 domains.

Is there a more efficient way to go about this? What's the industry standard for serving one frontend service from multiple domains?

Many thanks!

-- Patrick Geyer
google-cloud-platform
google-kubernetes-engine
kubernetes
ssl

2 Answers

12/31/2018

If you don't require a global IP and can do with a regional one, you can install the nginx-ingress and use multiple ingresses to handle multiple domains and certificates for the same IP.

If you do require a global IP you can do as suggested by @John.

And if you don't mind having your clients pointing their domains to the different IPs as you do, you can just use different ingresses without anything more. But be aware that the normal ingress on GKE instantiates an L7 global load balancer, so consider the cost of doing this.

-- Luiz Ferraz
Source: StackOverflow
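The multiple-Ingress layout described in this answer, as an added example that is not part of the original posts: one Ingress per client domain, all served by nginx-ingress on the same IP. The client hostnames, resource names and Secret names are constructed; the issuer annotation, backend service and port are taken from the question's manifest.

```yaml
# Constructed example: one Ingress per client domain, each with its own TLS Secret.
# apiVersion and the certmanager.k8s.io annotation mirror the question's manifest;
# newer clusters use networking.k8s.io/v1 and the cert-manager.io/issuer annotation.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: client-a-ingress                    # constructed name
  annotations:
    kubernetes.io/ingress.class: nginx      # handled by nginx-ingress, not the GKE L7 LB
    certmanager.k8s.io/issuer: letsencrypt  # issuer from the question
spec:
  tls:
  - hosts:
    - www.client-a.example                  # constructed client hostname
    secretName: client-a-example-tls        # certificate and key for this client only
  rules:
  - host: www.client-a.example
    http:
      paths:
      - backend:
          serviceName: frontend-service     # same frontend as the question
          servicePort: 80-to-8080-tcp
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: client-b-ingress                    # constructed name
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/issuer: letsencrypt
spec:
  tls:
  - hosts:
    - www.client-b.example                  # constructed client hostname
    secretName: client-b-example-tls        # separate Secret, separate certificate
  rules:
  - host: www.client-b.example
    http:
      paths:
      - backend:
          serviceName: frontend-service
          servicePort: 80-to-8080-tcp
```

Each client hostname gets its own certificate and Secret, so adding or removing one client does not require reissuing a certificate that covers the others.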

12/31/2018

The standard method to support more than one domain name and/or subdomain names is to use one SSL Certificate and implement SAN (Subject Alternative Names). The extra domain names are stored together in the SAN. All SSL certificates support SAN, but not all certificate authorities will issue multi-domain certificates. Let's Encrypt does support SAN, so their certificates will meet your goal.

What is a SAN Certificate?

-- John Hanley