K
Q

Google Cloud Engine: I've attached 15 certificates(the maximum allowed) to a load balancer. How do I scale from there?

10/27/2019

I generate certificates using LetsEncrypt for each domain that points their CNAME/A-Record to my IP/Domain. Secrets are then generated from them specified in the "tls" section of my ingress config.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: great-site
  namespace: production
  annotations:
    kubernetes.io/ingress.allow-http: 'true'
    kubernetes.io/ingress.global-static-ip-name: 'great-site-production'
spec:
  tls:
    - secretName: domain.one-2019-09-10
    - secretName: domain.two-2019-09-10
    - secretName: domain.three-2019-09-10
    - secretName: domain.four-2019-09-10
    - secretName: domain.five-2019-09-10
    - secretName: domain.six-2019-09-11
    - secretName: domain.seven-2019-10-19
    - secretName: domain.eight-2019-10-19
    - secretName: domain.nine-2019-10-20
    - secretName: domain.ten-2019-10-21
    - secretName: domain.eleven-2019-10-22
    - secretName: domain.twelve-2019-10-23
    - secretName: domain.thirteen-2019-10-24
    - secretName: domain.fourteen-2019-10-26
    - secretName: domain.fifteen-2019-10-27
  rules:
    - host: domain.one
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081
    - host: domain.two
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081
    - host: domain.three
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081
    - host: domain.four
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081

    - host: domain.five
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081
   - host: domain.six
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081
    - host: domain.seven
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081
    - host: domain.eight
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081
    - host: domain.nine
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081

    - host: domain.ten
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081
- host: domain.eleven
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081
    - host: domain.twelve
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081
    - host: domain.thirteen
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081
    - host: domain.fourteen
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081

    - host: domain.fifteen
      http:
        paths:
          - backend:
              serviceName: great-site-service
              servicePort: 8081

15 is the maximum number of certificates one can attach to a load balancer so adding any more secrets to this doesn't work. I want to know what to do in order to scale from here and register more domains. Or if there's a better approach I could take for the whole thing.

-- James Freeman
devops
google-cloud-platform
google-kubernetes-engine
kubernetes-ingress

Similar Questions

Scaling a microservice with frontend and backend instances
insufficient regional quota to satisfy request: resource "IN_USE_ADDRESSES"
How to repull image in kubernetes that is already cached?
no matches for kind "VerticalPodAutoscaler" in version "autoscaling.k8s.io/v1beta2"
Istio/Envoy edge proxy EnvoyFilter (1.9.0)
Kubernets Api Key Authentication
micrometer exposing actuator metrics vs kube-state-metrics vs metrics-server to set pod request/limits
The mongo-express/mongodb YAML files works on minikube but not work on my 3 nodes kubernetes cluster
Rancher: kubernetes cluster stuck in pending. "No route to host"
service - pod traffic - selector

1 Answer

10/28/2019

You can use either Wildcard or SAN certificates.

With a Wildcard certificate, you can secure a theoretical unlimited number of domains.

While with a SAN certificate it's up to the CA to define a limit on the number of domains that can be secured with the certificate. For LetsEncrypt as stated:

If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate.

Further information can be found on LetsEncrypt FAQs (while the first Q was answered implicitly in the previous quote):

Can I get a certificate for multiple domain names (SAN certificates or UCC certificates)?

Yes, the same certificate can contain several different names using the Subject Alternative Name (SAN) mechanism.

Does Let’s Encrypt issue wildcard certificates?

Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information.

You can find here some background on these along with certificate management considerations that might help you contemplate this issue from a more design-oriented standpoint.

For support of Wildcard and SAN certificates with GCP LB please confirm official documentation. While for SAN certificates, as it's featured in the linked documentation

SAN certificates are supported for HTTPS load balancing

it could be assumed that both Google-managed and self-managed certificates are being referred.

For Wildcard certificates:

Google-managed SSL certificates do not support using wildcards.

Anyways, the use case from the original poster relates to self-managed certificates, but as pointed by a community peer, it might be nice to have this last piece of information here.

-- fhenriques
Source: StackOverflow