
I've been trying to test out Kubernetes on Google Cloud, but would need HTTPS/TLS (only) exposed on the deployed application. To start, I just followed this tutorial, which worked fine for plain HTTP over port 80: https://cloud.google.com/kubernetes-engine/docs/quickstart

To get TLS support working with Let's Encrypt, I've tried (without success):

... Does anyone have any suggestions on how to serve just HTTPS for the original tutorial? No need for plain HTTP unless it's a freebie, but I'm really scratching my head on this one since I haven't worked with Kubernetes before and I haven't been able to get Let's Encrypt working at all here.

Ben Guild
  • have you considered using a tiny VM as a load balancer running Traefik? It supports Let's Encrypt renewal without any effort and costs a little less than Google's load balancer. A lot of good info here: https://estl.tech/configuring-https-to-a-web-service-on-google-kubernetes-engine-2d71849520d – sippybear Oct 10 '18 at 21:03
  • @sippybear Nice article! One issue with using a VM is that it’s linked to the cluster’s ephemeral IP. – Ben Guild Oct 11 '18 at 00:07

2 Answers


So, it turns out that you can just add TLS directly on the load balancer now, and it'll issue a Let's Encrypt certificate automatically. This is doable via Cloud Console:

[Screenshot: Let's Encrypt issued on GCP LB]

No clue why this isn't more well-known.

Ben Guild
  • Nice, probably newly added functionality. You should accept your answer so people know you've found a good solution! – sippybear Oct 11 '18 at 17:11

You can follow the instructions here to create a Kubernetes Ingress with a Google managed certificate. At a high level, this involves two steps:

  1. Create a ManagedCertificate resource (this is a beta feature in GKE)
  2. Use the networking.gke.io/managed-certificates annotation in your Ingress manifest to point to the managed certificate created in step 1

Google will automatically create a certificate for you using one of two CAs. If you're adamant on using Let's Encrypt, you can add a CAA record to your DNS zone as follows:

your_domain. CAA 0 issue "letsencrypt.org"

Alternatively, if your app is already up and running in GKE and sitting behind an existing Global HTTP Load Balancer, you can follow the instructions here to add a Google managed certificate to your load balancer. The end result is essentially the same regardless of which method you use.

faridghar
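The two steps above, written out as manifests. This is an added example, not from the answer or from Google's docs; the names hello-server, hello-ip, hello-cert and www.example.com are assumptions, as is the backend port 8080 (the GKE quickstart's hello-app listens there, but check your own Deployment). The ManagedCertificate resource is served as networking.gke.io/v1 on current GKE clusters; the beta version the answer mentions used a v1beta API version, so adjust apiVersion if your cluster is older. Because the question wants HTTPS only, the Ingress also carries kubernetes.io/ingress.allow-http: "false", which stops the load balancer from opening port 80 at all.

```yaml
# Reserve the global IP first (assumed name hello-ip), then point the DNS
# A record for www.example.com at it; the managed certificate is only
# provisioned once the domain resolves to the load balancer:
#   gcloud compute addresses create hello-ip --global
#   gcloud compute addresses describe hello-ip --global --format='value(address)'
---
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: hello-cert            # assumed name, referenced from the Ingress below
spec:
  domains:
    - www.example.com         # assumed domain; must be an A record, not a CNAME
---
# GKE Ingress needs a NodePort (or NEG-backed) Service, not the
# type: LoadBalancer Service from the quickstart.
apiVersion: v1
kind: Service
metadata:
  name: hello-server          # assumed Service name
spec:
  type: NodePort
  selector:
    app: hello                # assumed pod label; match your Deployment
  ports:
    - port: 80
      targetPort: 8080        # assumed container port
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: hello-ip
    networking.gke.io/managed-certificates: hello-cert
    # HTTPS only: do not create a port-80 frontend on the load balancer.
    kubernetes.io/ingress.allow-http: "false"
spec:
  defaultBackend:
    service:
      name: hello-server
      port:
        number: 80
```

Apply with kubectl apply -f and watch kubectl describe managedcertificate hello-cert: the certificate's status moves from Provisioning to Active once DNS points at the reserved IP, and the HTTPS frontend does not serve traffic until then. If you added the CAA record from the answer, keep it in place for renewals as well; Google renews the certificate automatically but the issuer check still has to pass.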