1
votes

On Google Kubernetes Engine (GKE) you can use the cloud.google.com/app-protocols annotation on a Service to specify what protocol is used on that port (HTTP or HTTPS) (docs).

When you create an External HTTP(S) Ingress, it will use this protocol between the Ingress and the Service.

How do I set things up so that the Service uses a certificate that is actually trusted by the Ingress?

Does it just trust any certificate signed by the Cluster Root CA? "Manage TLS in a cluster" suggests you need to include the pod IP address in the CSR - does that mean generating the CSR and waiting for the signed certificate to be created should be part of my container startup process?

1
Do you have your own certificate or do you use a Google-managed one? - lukaszberwid
For the external interface I used my own certificate. For the communication between the Ingress and the Service I'm open to either using my own certificate or a Google-managed one (but reading the docs I got the impression that Google-managed certificates are meant for external endpoints, not for internal communication?) - Arnout Engelen
Have you tested using your own certificate? In this case I think your pod should be able to validate the certificate using an internal CA. I will try to work on it and come back asap. Btw, do you have any certificate in your pod? - Mr.KoopaKiller
I figured it out: it does not need any CA at all, it does not check the certificate and will happily connect to a service using a self-signed certificate without further configuration. - Arnout Engelen

1 Answer

1
votes

Turns out when the "GKE Ingress for HTTP(S) Load Balancing" uses HTTPS to connect to the service, it accepts any valid certificate (even a self-signed one), without further configuration.

Apparently it does not use TLS to protect against MITM attacks here (which I guess might be reasonable).
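For reference, a minimal manifest for the setup discussed above, added here as an illustration and not taken from the question, the answer or the GKE docs: the Service declares its named port as HTTPS via the app-protocols annotation, the pod serves TLS from a pre-created Secret (no CSR at startup needed, since the load balancer does not validate the certificate), and the Ingress routes to that port. The names (backend, backend-tls, the port name https, port 8443) are assumptions.

```yaml
# Added example, not code from the original post. Names are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: backend
  annotations:
    # Keys are Service port *names*, values are HTTP or HTTPS.
    # With HTTPS the load balancer speaks TLS to the pods but, as the
    # answer notes, does not verify the certificate it is presented with:
    # this encrypts the hop, it does not authenticate the backend.
    cloud.google.com/app-protocols: '{"https":"HTTPS"}'
spec:
  type: NodePort          # required for the classic GKE Ingress backend
  selector:
    app: backend
  ports:
    - name: https         # must match the annotation key
      port: 443
      targetPort: 8443    # container port serving TLS
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
    spec:
      containers:
        - name: app
          image: example.com/backend:latest   # placeholder image
          ports:
            - containerPort: 8443
          volumeMounts:
            - name: tls
              mountPath: /etc/tls   # app loads tls.crt / tls.key from here
              readOnly: true
      volumes:
        - name: tls
          secret:
            # kubectl create secret tls backend-tls --cert=tls.crt --key=tls.key
            secretName: backend-tls
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: backend
spec:
  defaultBackend:
    service:
      name: backend
      port:
        name: https
```

Because the backend certificate is not checked, a self-signed certificate works here, and protection against a spoofed backend has to come from the network (VPC, NetworkPolicy) rather than from this TLS hop.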