
cloud-providers

gcp/https-ready-alb/

https-ready-alb.yaml

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: https-ready-alb-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: https-ready-alb-app
  template:
    metadata:
      labels:
        app: https-ready-alb-app
    spec:
      containers:
        - name: https-ready-alb-container
          image: python:3
          # http.server listens on port 8000 by default and serves the
          # container's working directory.
          command:
            - python
            - -m
            - http.server
---
# https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: https-ready-alb-cert
spec:
  domains:
    - EXAMPLE.DEV.REPLACEME
---
# https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-ready-alb-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: HTTPS-READY-ALB-IP
    networking.gke.io/managed-certificates: https-ready-alb-cert
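spec:
  # networking.k8s.io/v1 uses defaultBackend; the v1beta1 fields
  # backend/serviceName/servicePort are not valid in v1.
  defaultBackend:
    service:
      name: https-ready-alb-service
      port:
        number: 8000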
---
# https://kubernetes.io/docs/concepts/services-networking/service/
apiVersion: v1
kind: Service
metadata:
  name: https-ready-alb-service
spec:
  type: NodePort
  selector:
    app: https-ready-alb-app
  ports:
    - protocol: TCP
      port: 8000
 

Creating a simple web server that already accepts HTTPS requests, with a domain and a managed certificate, using GKE

As written in the title, for this to work you need to apply this resource to an existing GKE cluster.

Before applying it

  • First, create a named static IP address.

The IP address needs to be global (not regional). Documentation for GCP is here.

You can use the gcloud CLI, the GCP console, or Terraform to create it. If you are using Terraform, use google_compute_global_address.

  • Have your domain point to this IP. Add a new DNS record in the DNS service that currently hosts your domain. This can be done within GCP or with any standard DNS service.

  • Replace HTTPS-READY-ALB-IP with the name of the IP address that you created in your GCP setup

  • Replace EXAMPLE.DEV.REPLACEME with the domain/subdomain that you created in your DNS record

Apply it

kubectl apply -f https-ready-alb.yaml

Wait a short time for GCP to spin up a new Application Load Balancer and set up the managed certificate (the certificate can take a while to be provisioned).
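A pre-flight script for the steps above, added here as an example (it is not part of the original repository). The function names and the --check argument are assumptions of this example. It verifies that both placeholders were replaced, that the Ingress annotation names the ManagedCertificate defined in the file, and that the domain already resolves to the reserved global IP.

```shell
#!/bin/sh
# Added example (not from the original repo): pre-flight checks for https-ready-alb.yaml.
# Function names and the --check argument are assumptions of this example.

# Succeeds only if neither placeholder from the page is left; prints offending lines.
unreplaced_placeholders() {
  ! grep -n -e 'EXAMPLE\.DEV\.REPLACEME' -e 'HTTPS-READY-ALB-IP' "$1"
}

# Value of the first "key: value" line whose key is $2.
manifest_value() {
  awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# metadata.name of the ManagedCertificate document in the manifest.
managed_cert_name() {
  awk '$1 == "---" { kind = "" }
       $1 == "kind:" { kind = $2 }
       kind == "ManagedCertificate" && $1 == "name:" { print $2; exit }' "$1"
}

# The Ingress annotation must name a ManagedCertificate that the file defines.
cert_reference_ok() {
  cert=$(managed_cert_name "$1")
  [ -n "$cert" ] &&
    [ "$(manifest_value "$1" networking.gke.io/managed-certificates)" = "$cert" ]
}

# First entry under spec.domains of the ManagedCertificate.
first_domain() {
  awk '$1 == "domains:" { getline; print $2; exit }' "$1"
}

# Live check (needs gcloud and dig): the domain's A record must be the reserved
# global address before Google can provision the managed certificate.
dns_points_at_ip() {  # usage: dns_points_at_ip ADDRESS_NAME DOMAIN
  ip=$(gcloud compute addresses describe "$1" --global --format='value(address)') || return 1
  dig +short A "$2" | grep -qxF "$ip"
}

if [ "${1:-}" = "--check" ]; then  # e.g. sh preflight.sh --check https-ready-alb.yaml
  f=$2
  unreplaced_placeholders "$f" || { echo "placeholders not replaced" >&2; exit 1; }
  cert_reference_ok "$f" || { echo "annotation names no ManagedCertificate in file" >&2; exit 1; }
  dns_points_at_ip "$(manifest_value "$f" kubernetes.io/ingress.global-static-ip-name)" \
    "$(first_domain "$f")" || { echo "DNS does not point at the static IP yet" >&2; exit 1; }
  echo "ok: kubectl apply -f $f"
fi
```

After applying, `kubectl get managedcertificate https-ready-alb-cert -o jsonpath='{.status.certificateStatus}'` shows whether the certificate has moved from Provisioning to Active.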

Concerns

Spinning up a new GCP Application Load Balancer for every service that needs to be accessible externally could eat up your cloud budget quickly in a production scenario. This is just a really fast way to set up some demos, or a really simple setup, with a no-brainer process for HTTPS-ready services.