Loading certificate to GKE service

I have a GKE cluster which runs a Java Spring Boot Docker image on port 80. I have exposed it as a load balancer with multiple port mappings like 80 -> 80 and 443 -> 80.

I can see both the HTTP and HTTPS URLs under the service, but I can only access my service on the HTTP port and can't access it on HTTPS. I am getting "This site can’t provide a secure connection."

I know I need to put a certificate on this load balancer to expose it on HTTPS, and I have a Google-managed cert.

My problem is that I don't understand how to install this certificate on the load balancer so that I can access my application on HTTPS as well.

There is 1 answer

Mr.KoopaKiller On BEST ANSWER

Since you are using GKE Ingress with a Google-managed certificate, you don't need to manually configure it in the load balancer; it can be done by the Ingress.

In the official documentation you can verify all the steps to make it work.

There are 2 pre-requisites:

  1. You need to own a domain.
  2. You should create a static IP address.

You can create a certificate using the following YAML:

apiVersion: networking.gke.io/v1beta2
kind: ManagedCertificate
metadata:
  name: certificate-name
spec:
  domains:
    - domain-name1

And create a Service of type NodePort for your application, for example:

apiVersion: v1
kind: Service
metadata:
  name: service-name
spec:
  selector:
    key: value
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

And finally, you can create the Ingress using the example below:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-name
  annotations:
    kubernetes.io/ingress.global-static-ip-name: address-name
    networking.gke.io/managed-certificates: certificate-name
spec:
  backend:
    serviceName: service-name
    servicePort: service-port

If you want to migrate a self-certificate to a Google-managed certificate, you can follow these steps.
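
The three manifests in the answer above only produce a working HTTPS endpoint if they reference each other correctly. The following is an added example, not part of the original answer or of any GKE tooling: a small pre-apply check over the manifests, given here as Python dicts. The domain `app.example.com`, the `servicePort` value 80 and the function name `check_manifests` are assumptions made for the example, and namespaces are ignored.

```python
# Added example: cross-reference check for the answer's three manifests.
# The dicts below are constructed sample data mirroring the answer's YAML.
CERT = {"kind": "ManagedCertificate", "metadata": {"name": "certificate-name"},
        "spec": {"domains": ["app.example.com"]}}  # constructed domain
SERVICE = {"kind": "Service", "metadata": {"name": "service-name"},
           "spec": {"type": "NodePort", "ports": [
               {"protocol": "TCP", "port": 80, "targetPort": 8080}]}}
INGRESS = {"kind": "Ingress", "metadata": {"name": "ingress-name", "annotations": {
               "kubernetes.io/ingress.global-static-ip-name": "address-name",
               "networking.gke.io/managed-certificates": "certificate-name"}},
           # servicePort 80 is assumed: the Service's `port`, not its targetPort
           "spec": {"backend": {"serviceName": "service-name", "servicePort": 80}}}

IP_KEY = "kubernetes.io/ingress.global-static-ip-name"
CERT_KEY = "networking.gke.io/managed-certificates"

def check_manifests(docs):
    """Return the problems that would keep the Ingress from serving HTTPS."""
    by_kind = {}
    for doc in docs:
        by_kind.setdefault(doc["kind"], {})[doc["metadata"]["name"]] = doc
    certs = by_kind.get("ManagedCertificate", {})
    services = by_kind.get("Service", {})
    problems = []
    for name, cert in certs.items():
        for domain in cert["spec"].get("domains", []):
            if "*" in domain:  # ManagedCertificate does not accept wildcards
                problems.append(f"{name}: wildcard domain {domain!r}")
    for name, ing in by_kind.get("Ingress", {}).items():
        ann = ing["metadata"].get("annotations", {})
        if not ann.get(IP_KEY):
            problems.append(f"{name}: no static IP annotation")
        wanted = [c.strip() for c in ann.get(CERT_KEY, "").split(",") if c.strip()]
        if not wanted:
            problems.append(f"{name}: no managed-certificates annotation")
        problems += [f"{name}: certificate {c!r} not defined"
                     for c in wanted if c not in certs]
        backend = ing["spec"].get("backend", {})
        svc = services.get(backend.get("serviceName"))
        if svc is None:
            problems.append(f"{name}: backend service not defined")
            continue
        if svc["spec"].get("type") != "NodePort":  # the type the answer uses
            problems.append(f"{name}: service is not type NodePort")
        valid = {v for p in svc["spec"].get("ports", [])
                 for v in (p.get("port"), p.get("name")) if v is not None}
        if backend.get("servicePort") not in valid:
            problems.append(f"{name}: servicePort matches no service port")
    return problems

if __name__ == "__main__":
    print(check_manifests([CERT, SERVICE, INGRESS]) or "manifests are consistent")
```

A Service left as `type: LoadBalancer`, as in the question, is reported by this check because the answer's Ingress expects a NodePort backend.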