This is a summary of how to communicate over HTTPS with Kubernetes (GKE) on Google Cloud Platform.
Introduction.
There are two ways to allow Kubernetes to communicate with the outside world:
- Method by Service
- Method by Ingress
With the Service method, the external IP is attached to the GCP load balancer, and data from the outside is delivered directly to the Kubernetes Service through the load balancer. Because the load balancer only distributes the traffic and the external data reaches the Service unchanged, HTTPS processing (TLS termination) must be handled by the Kubernetes pod that receives the data.
With the Ingress method, the external IP is attached to the GCP load balancer as in the Service method, but from there the traffic goes to Ingress, which handles routing for Kubernetes, and Ingress distributes the data to the Services. Ingress is internally built on Nginx and can terminate HTTPS from the outside and forward plain HTTP to a Service, routing according to the content of the request.
In this article, HTTPS communication through Ingress is configured so that Ingress terminates HTTPS and sends plain HTTP on to the Kubernetes Service.
Procedure
External IP
The external IP used by Ingress must be "global"; a "regional" IP will not work. Therefore, a "global" static IP is required.
Creating a Secret
Register the certificate and key pair as a TLS secret in Kubernetes, then create an Ingress that refers to that secret. First, create the secret.
kubectl create secret tls <secret-name> \
  --key <key-file> \
  --cert <certificate-file>
Creating Ingress
ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: "<external-IP-name>"
spec:
  tls:
  - secretName: <secret-name>
  backend:
    serviceName: <destination-Service-name>
    servicePort: <destination-port-number>
(Only HTTPS is allowed; HTTP communication is not allowed.)
Create the Ingress from "ingress.yaml".
kubectl create -f ingress.yaml
Health Check Confirmation
Ingress is now created and can communicate over HTTPS from the outside. Once the Ingress is created, Kubernetes will create a load balancer and configure health checks.
You can see the details of the health check under [GCP]-[Network Services]-[Load Balancing]-[the load balancer that was created]-[health check].
Note that if this health check does not pass, no traffic flows through the Ingress and it will not work.
The health check that Ingress performs is derived from the "readinessProbe" of the pods behind the Service you are connecting to.
For example, suppose you have configured a connection from Ingress to Nginx, and when Nginx is working properly its default "Welcome" page is displayed.
The health check that verifies Nginx is alive accesses Nginx over HTTP and expects a response, so the "readinessProbe" of the Nginx Deployment should be written as follows.
deployment-nginx.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: xxxx
        ports:
        - containerPort: 80
        readinessProbe:
          httpGet:
            path: /
            port: 80
            scheme: HTTP
Caution
Health checks are performed when the Ingress is created, and the destination Service must already be up and running at that moment. Therefore, create the destination Service first and the Ingress afterwards, in that order.
Once a health check has failed, it is not automatically rerun, even if the destination Service is later fixed or upgraded.
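As an added example (not part of the original article), the following pre-flight check inspects an ingress.yaml and deployment-nginx.yaml pair like the ones above, represented as the dicts that yaml.safe_load would return, and reports the mistakes that would either leave plain HTTP reachable or keep the load balancer health check failing. The static IP name "web-ip" and secret name "web-tls" are constructed placeholders.

```python
import copy

INGRESS = {  # the page's ingress.yaml as a dict; IP and secret names are constructed
    "metadata": {"name": "ingress", "annotations": {
        "kubernetes.io/ingress.allow-http": "false",
        "kubernetes.io/ingress.global-static-ip-name": "web-ip"}},
    "spec": {"tls": [{"secretName": "web-tls"}],
             "backend": {"serviceName": "nginx", "servicePort": 80}},
}
DEPLOYMENT = {  # the page's deployment-nginx.yaml, trimmed to the fields checked here
    "spec": {"template": {"spec": {"containers": [{
        "name": "nginx", "image": "nginx", "ports": [{"containerPort": 80}],
        "readinessProbe": {"httpGet": {"path": "/", "port": 80, "scheme": "HTTP"}}}]}}},
}


def check_https_ingress(ingress, deployment):
    """Return the problems that would leave HTTP open or keep the health check failing."""
    problems = []
    ann = ingress.get("metadata", {}).get("annotations", {})
    spec = ingress.get("spec", {})
    # Annotation values must be strings: an unquoted false becomes a YAML boolean,
    # so compare against the literal string the annotation expects.
    if ann.get("kubernetes.io/ingress.allow-http") != "false":
        problems.append('allow-http is not the string "false": plain HTTP stays reachable')
    if not ann.get("kubernetes.io/ingress.global-static-ip-name"):
        problems.append("no global static IP annotation: a regional IP will not work")
    if not any(t.get("secretName") for t in spec.get("tls", [])):
        problems.append("spec.tls has no secretName: no certificate to serve")
    port = spec.get("backend", {}).get("servicePort")
    containers = deployment["spec"]["template"]["spec"]["containers"]
    backend = [c for c in containers
               if any(p.get("containerPort") == port for p in c.get("ports", []))]
    if not backend:
        problems.append(f"no container exposes servicePort {port}")
        return problems
    # The load balancer health check is derived from this probe; if it is missing or
    # probes another port or scheme, the check never passes and no traffic flows.
    probe = backend[0].get("readinessProbe", {}).get("httpGet") or {}
    if probe.get("port") != port or probe.get("scheme", "HTTP") != "HTTP":
        problems.append("readinessProbe must be an httpGet on the backend port over HTTP")
    return problems


def broken_variant():
    """Constructed misconfiguration: HTTP left enabled and the readinessProbe dropped."""
    ing, dep = copy.deepcopy(INGRESS), copy.deepcopy(DEPLOYMENT)
    ing["metadata"]["annotations"]["kubernetes.io/ingress.allow-http"] = False
    del dep["spec"]["template"]["spec"]["containers"][0]["readinessProbe"]
    return check_https_ingress(ing, dep)
```

Running check_https_ingress(INGRESS, DEPLOYMENT) on the manifests as written on this page returns an empty list; broken_variant() shows the two findings for the misconfigured copy.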