Node HTTP/2 the correct place to set managed certificate

8/30/2019

I have created a Node.js application using HTTP/2 following this example:

Note: this application has used a self-signed certificate until now.

We deployed it on GKE, and it has been working until now. Here is what this simple architecture looks like:

[Image: architecture diagram]

Now we want to start using a real certificate, and don't know where the right place to put it is.

Should we put it in the pod (overriding the self-signed certificate)?

Should we add a proxy on top of this architecture to put the certificate in?

-- Marcelo Dias
google-kubernetes-engine
http2
kubernetes
node.js
ssl

2 Answers

8/30/2019

The client's SSL session terminates at the LB level; the self-signed certificates being used are just to encrypt communication between the LB and the Pods. So if you want the client to use your new valid certificate, it needs to be at the LB level.

On a side note, having your application servers communicate with the LoadBalancer over HTTP will give you a performance boost, since the LB is acting as a reverse proxy anyway.

You can read this article about load balancing; it's written by the author of HAProxy.

-- B.Mouad
Source: StackOverflow

9/2/2019

In GKE you can use an Ingress object to route external HTTP(S) traffic to your applications in your cluster. With this you have 3 options:

  • Google-managed certificates
  • Self-managed certificates shared with GCP
  • Self-managed certificates as Secret resources

Check this guide for Ingress load balancing.

-- David C
Source: StackOverflow
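
The first option from the list above (a Google-managed certificate on the Ingress), combined with the setup from the question where the pod keeps its self-signed certificate for the load-balancer-to-pod hop, could look like the manifest below. This is an added example, not part of the original answers; every name, the domain and the port numbers are placeholders, and the API versions are the current ones rather than those available when the answers were written.

```yaml
# Constructed example: names, domain and ports are placeholders.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: node-h2-cert
spec:
  domains:
    - app.example.com   # DNS must resolve to the Ingress IP before the cert is issued
---
apiVersion: v1
kind: Service
metadata:
  name: node-h2-svc
  annotations:
    # Ask the load balancer to speak HTTP/2 over TLS to the pods.
    # The pod's self-signed certificate is only used on this internal hop.
    cloud.google.com/app-protocols: '{"h2-port":"HTTP2"}'
spec:
  type: NodePort
  selector:
    app: node-h2
  ports:
    - name: h2-port
      port: 443
      targetPort: 8443   # port the Node.js HTTP/2 server listens on (assumed)
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: node-h2-ingress
  annotations:
    kubernetes.io/ingress.class: "gce"
    # Client-facing certificate lives at the load balancer, not in the pod.
    networking.gke.io/managed-certificates: node-h2-cert
    # Do not expose a plain-HTTP listener on the external IP.
    kubernetes.io/ingress.allow-http: "false"
spec:
  defaultBackend:
    service:
      name: node-h2-svc
      port:
        number: 443
```

With this layout no private key for the public certificate is ever mounted into the pod; certificate issuance and renewal happen on the load balancer side.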