7
votes

So I'm in the process of setting up multiple GKE clusters, and I'm restricted to using a wildcard domain certificate but my domain is two levels deep, so that won't work. So now I'm trying to use google managed certificates, which works, but only seems to work with the GCE ingress, not nginx.

I followed https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs, which has worked assuming I'm using just a single Ingress resource that provisions an L7 (HTTP) load balancer using GCE ingress. My question is, would it be possible to set up the nginx ingress controller to use these managed certificates?

The nginx Helm install provisions an L4 (TCP) load balancer and uses a Deployment to run the pod that handles the nginx controller. But I can't seem to set the L4 load balancer to use my globally reserved static IP, whereas the L7 one works fine.

Any thoughts on how to get managed certs working with nginx ingress?


2 Answers

0
votes

Found the issue. I was reserving a global IP address for the L4 load balancer using GCE ingress, which is not allowed, since TCP load balancing is regional only, unlike HTTP load balancing, which requires a global IP to be reserved instead of a regional one. Because of that, the DNS record was never resolving to the right IP. Good to know that confusing caveat with global vs. regional IPs...

0
votes

Google managed-certs are only supported for GKE External Ingress. From https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs:

Note: Google-managed SSL certificates aren't currently supported for internal HTTPS load balancers. For internal HTTPS load balancers, use self-managed SSL certificates.

Here are the limitations I encountered when using GKE ingress:

  • You can use managed certs, but only for external ingress; internal ingresses are not supported.
  • Your VPC has to be configured a certain way to use internal load balancing, which is very tedious.
  • Firewalls cannot be configured to limit source IPs, as this information is lost between the Google Front End and the VMs; they only see the load balancer's source IPs.

If you only need a certificate for an external ingress, you can just declare an Ingress with kubernetes.io/ingress.class: "gce", set up ExternalDNS to create the Cloud DNS records for you, and then attach a ManagedCertificate to the domain name like so:

apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: certificate-name   # referenced from the Ingress via the networking.gke.io/managed-certificates annotation
spec:
  domains:                 # concrete host names only; wildcard entries are not supported by Google-managed certificates
    - domain-name1
    - domain-name2

This gives you a domain attached to your service, with SSL, all using Google Cloud DNS and Google load balancing.

If you need an internal service, it will be a bit trickier. I personally decided to completely ditch the GKE ingress, use ingress-nginx to set up a LoadBalancer service with an internal IP, and then set up the certs using cert-manager. You can refer to this blog for the approach.
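To tie the two answers together, here is an added worked manifest set (it is not from either answer, the question, or Google's documentation). It shows the external GCE Ingress path with a ManagedCertificate, a global static address and an ExternalDNS hostname annotation, followed by the L4 alternative from the last paragraph, where the address has to be regional instead. The names web-static-ip, web-cert, app.example.com, web, web-ingress, ingress-nginx-controller and the internal address 10.128.0.50 are placeholders chosen for the example.

```yaml
# Added example, not code from the original answers. All resource names, the host
# app.example.com and the IP 10.128.0.50 are placeholders.
# Assumes a GLOBAL address was reserved first, e.g.
#   gcloud compute addresses create web-static-ip --global
---
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: web-cert
spec:
  domains:
    - app.example.com          # concrete host only; wildcards are not supported
---
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  type: NodePort               # GCE Ingress backends must be NodePort (or ClusterIP with NEGs)
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.class: "gce"                           # external HTTP(S) LB; managed certs need this class
    kubernetes.io/ingress.global-static-ip-name: "web-static-ip"  # must be a GLOBAL address, not a regional one
    networking.gke.io/managed-certificates: "web-cert"            # attaches the ManagedCertificate above
    external-dns.alpha.kubernetes.io/hostname: "app.example.com"  # lets ExternalDNS create the Cloud DNS A record
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
---
# The L4 alternative: a LoadBalancer Service in front of ingress-nginx. A TCP/UDP
# load balancer is regional, so the address used here must have been reserved with
#   gcloud compute addresses create nginx-ip --region REGION
# (the global/regional mismatch described in the first answer). Certificates for
# this path come from cert-manager, not from a ManagedCertificate.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  annotations:
    networking.gke.io/load-balancer-type: "Internal"   # drop this line for an external regional TCP LB
spec:
  type: LoadBalancer
  loadBalancerIP: 10.128.0.50    # reserved REGIONAL (internal) address; placeholder value
  selector:
    app.kubernetes.io/name: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 443
```

After applying the first three documents, watch `kubectl describe managedcertificate web-cert`: the domain status moves from Provisioning to Active only once app.example.com resolves to the Ingress address. A status of FailedNotVisible means DNS does not yet point at the load balancer, which is exactly the symptom the first answer hit when a global address was used where a regional one was required.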