1
votes

I am running a web service that can be accessed from my company's domain name. I have set up automatic SSL certificates with Let's Encrypt as seen below.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    certmanager.k8s.io/issuer: letsencrypt
spec:
  tls:
  - hosts:
    - my.domain.net
    secretName: my-domain-net-tls
  rules:
  - host: my.domain.net
    http:
      paths:
      - backend:
          serviceName: frontend-service
          servicePort: 80-to-8080-tcp
```

I want to offer clients the option of serving the frontend from their own domains. What is the best way to go about this with certificates? I understand that I can set up the load balancer to use multiple secrets as shown here: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl, but I will need to be serving from more than the stated max of 10 domains.

Is there a more efficient way to go about this? What's the industry standard for serving one frontend service from multiple domains?

Many thanks!

2
The standard method is to use one certificate and implement SAN (Subject Alternative Names) in the certificate. This is how Google Firebase implements this. Otherwise you are stuck with 10. Let's Encrypt supports SAN. There is a downside to using more than one SSL certificate or SAN. It takes longer to set up SSL connections. - John Hanley
@JohnHanley thanks for the response! Looks promising! - Patrick Geyer
@JohnHanley: Your comment seems pretty useful. Could you please consider posting it as an answer so that other community users can benefit from it? - Md Zubayer

2 Answers

1
votes

The standard method to support more than one domain name and/or subdomain name is to use one SSL certificate and implement SAN (Subject Alternative Names). The extra domain names are stored together in the SAN. All SSL certificates support SAN, but not all certificate authorities will issue multi-domain certificates. Let's Encrypt does support SAN, so their certificates will meet your goal.

What is a SAN Certificate?
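
Added example, not part of the original answer: the Ingress from the question extended so that one `tls` entry lists several hosts, which cert-manager's ingress-shim turns into a single certificate carrying all of them as SANs. The client hostnames and the secret name `frontend-san-tls` are placeholders; Let's Encrypt caps one certificate at 100 names.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    certmanager.k8s.io/issuer: letsencrypt
spec:
  tls:
  # One tls entry = one certificate. Every host listed here becomes a
  # Subject Alternative Name on that certificate, stored in one secret,
  # so the load balancer holds a single certificate instead of one per domain.
  - hosts:
    - my.domain.net
    - app.client-one.example   # placeholder client domain
    - app.client-two.example   # placeholder client domain
    secretName: frontend-san-tls   # placeholder secret name
  rules:
  # Each hostname still needs a rule routing it to the shared frontend.
  - host: my.domain.net
    http:
      paths:
      - backend:
          serviceName: frontend-service
          servicePort: 80-to-8080-tcp
  - host: app.client-one.example
    http:
      paths:
      - backend:
          serviceName: frontend-service
          servicePort: 80-to-8080-tcp
  - host: app.client-two.example
    http:
      paths:
      - backend:
          serviceName: frontend-service
          servicePort: 80-to-8080-tcp
```

Each client's DNS record must already point at the load balancer before its name is added, because Let's Encrypt validates every name on the certificate and a single failing name blocks issuance or renewal for all of them.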

0
votes

If you don't require a global IP and can do with a regional one, you can install the nginx-ingress and use multiple ingresses to handle multiple domains and certificates for the same IP.

If you do require a global IP, you can do as suggested by @John.

And if you don't mind having your clients pointing their domains to the different IPs as you do, you can just use different ingresses without anything more. But be aware that the normal ingress on GKE instantiates an L7 global load balancer, so consider the cost of doing this.