
Kubernetes load balancer SSL termination in google container engine?

Background:

I'm pretty new to Google's Cloud Platform, so I want to make sure that I'm not missing anything obvious.

We're experimenting with GKE and Kubernetes and we'd like to expose some services over HTTPS. I've read the documentation for HTTP(S) load balancing, which seems to suggest that you should maintain your own nginx instance that does SSL termination and load balancing. To me this looks quite complex (I'm used to working on AWS and its load balancer (ELB), which has supported SSL termination for ages).

Questions:

  1. Is creating and maintaining an nginx instance the way to go if all you need is SSL termination in GKE?
  2. If so, how is this done? The documentation doesn't really seem to convey this afaict.
Johan asked Nov 10 '15 15:11



1 Answer

TL;DR: Watch this space for Kubernetes 1.2

Till now Kubernetes has only supported L4 load balancing. This means the GCE/GKE load balancer opens up a TCP connection and just sends traffic to your backend, which is responsible for terminating SSL. As of Kubernetes 1.1, Kubernetes has an "Ingress" resource, but it's currently in Beta and only supports HTTP. It will support different SSL modes in 1.2.

So, how to terminate SSL with a normal Kubernetes service?
https://github.com/kubernetes/kubernetes/blob/release-1.0/examples/https-nginx/README.md

How to create a load balancer for this Service?
L4: Change NodePort to LoadBalancer (https://github.com/kubernetes/kubernetes/blob/release-1.0/examples/https-nginx/nginx-app.yaml#L8)
L7: Deploy a Service load balancer (https://github.com/kubernetes/contrib/tree/master/service-loadbalancer#https)

How to create a GCE HTTP load balancer through Kubernetes? https://github.com/kubernetes/kubernetes/blob/master/docs/user-guide/ingress.md#simple-fanout

So how to create a GCE HTTPS load balancer through Kubernetes?
Coming in 1.2; currently the process is manual. If you're not clear on the exact manual steps, reply to this and I will clarify (not sure if I should list all of them here and confuse you even more).

Prashanth B answered Sep 28 '22 18:09
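
The L4 option described in the answer (a `LoadBalancer` Service that passes TCP through to a backend which terminates SSL itself), as an added example that is not part of the original answer or of the linked Kubernetes examples. It uses current API versions rather than the 1.0-era ones; the names `nginx-https`, `nginx-conf` and `nginx-tls` are hypothetical, and the TLS Secret is assumed to exist already.

```yaml
# Added example; all resource names are hypothetical. Assumes the Secret was created with:
#   kubectl create secret tls nginx-tls --cert=tls.crt --key=tls.key
apiVersion: v1
kind: ConfigMap
metadata: {name: nginx-conf}
data:
  default.conf: |
    server {
      listen 443 ssl;                          # TLS terminates here, inside the pod
      ssl_certificate     /etc/nginx/tls/tls.crt;
      ssl_certificate_key /etc/nginx/tls/tls.key;
      ssl_protocols       TLSv1.2 TLSv1.3;
      location / { root /usr/share/nginx/html; }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: nginx-https}
spec:
  replicas: 2
  selector:
    matchLabels: {app: nginx-https}
  template:
    metadata:
      labels: {app: nginx-https}
    spec:
      containers:
      - name: nginx
        image: nginx:stable
        ports:
        - containerPort: 443
        volumeMounts:
        - {name: tls, mountPath: /etc/nginx/tls, readOnly: true}   # key and cert from the Secret
        - {name: conf, mountPath: /etc/nginx/conf.d}
      volumes:
      - name: tls
        secret: {secretName: nginx-tls}
      - name: conf
        configMap: {name: nginx-conf}
---
apiVersion: v1
kind: Service
metadata: {name: nginx-https}
spec:
  type: LoadBalancer          # L4: the cloud load balancer forwards TCP 443 unmodified
  selector: {app: nginx-https}
  ports:
  - {name: https, port: 443, targetPort: 443, protocol: TCP}
```

With this layout the load balancer never sees plaintext: the private key lives in the cluster as a Secret and traffic stays encrypted all the way to the nginx pod.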