K
Q

Spring Boot HTTP made secure (HTTPS) with Kubernetes Ingress

5/6/2020

I am new at Kubernetes and GKE. I have some microservices written in Spring Boot 2 and deployed from GitHub to GKE. I would like to make these services secure and I want to know if it's possible to use ingress on my gateway microservice to make the entry point secure just like that. I created an ingress with HTTPS but it seems all my health checks are failing.

Is it possible to make my architecture secure just by using ingress and not change the spring boot apps?

-- Tudor Grigoriu
google-kubernetes-engine
kubernetes
spring
spring-boot

Similar Questions

Secure Prometheus with google auth
Spark Kubernetes Error : Pod Already Exists
How to access IP address & port of node in another node in Kubernetes
How to run two minecraft servers with kubernetes ingress

1 Answer

5/6/2020

Yes, It would be possible to use a GKE ingress given your scenario, there is an official guide on how to do this step by step.

Additionally, here's a step by step guide on how to implement Google Managed certs.

Also, I understand that my response is somewhat general, but I can only help you so much without knowing your GKE infrastructure (like your DNS name for said certificate among other things).

Remember that you must implement this directly on your GKE infrastructure and not on your GCP side, if you modify or create something new outside GKE but that it's linked to GKE, you might see that either your deployment rolled back after a certain time or that stopped working after a certain time.

Edit:

I will assume several things here, and since I don't have your Spring Boot 2 deployment yaml file, I will replace that with an nginx deployment.

cert.yaml

apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: ssl-cert
spec:
  domains:
    - example.com

nginx.yaml

apiVersion: "apps/v1"
kind: "Deployment"
metadata:
  name: "nginx"
  namespace: "default"
  labels:
    app: "nginx"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: "nginx"
  template:
    metadata:
      labels:
        app: "nginx"
    spec:
      containers:
      - name: "nginx-1"
        image: "nginx:latest"

nodeport.yaml (please modify "targetPort: 80" to your needs)

apiVersion: "v1"
kind: "Service"
metadata:
  name: "nginx-service"
  namespace: "default"
  labels:
    app: "nginx"
spec:
  ports:
  - protocol: "TCP"
    port: 80
    targetPort: 80
  selector:
    app: "nginx"
  type: "NodePort"

ingress-cert.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    networking.gke.io/managed-certificates: ssl-cert
spec:
  backend:
    serviceName: nginx-service
    servicePort: 80

Keep in mind that assuming your DNS name "example.com" is pointing into your Load Balancer external IP, it could take a while to your SSL certificate to be created and applied.

-- Frank
Source: StackOverflow