
GCP GKE Ingress(GCLB)

在 GKE 要使用 TLS 憑證時,跟以往在 CLB 開啟 443 port 掛上憑證的方式不同。

以下透過第三方憑證來啟用 TLS,可分為以下步驟:

  1. 上傳自有證書 -> Certificate Manager。
  2. 創建並掛上 Certificate map (僅支持gcloud cli)。
    這裡創建的 map 會自動對應到第一步驟上傳的憑證,後續若要替換憑證,直接替換該憑證即可。
  3. 將Certificate map 綁定到GCLB。


  1. 創建 Certificate Map
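# List the entries currently in the map (use this to verify the two create calls below)
gcloud certificate-manager maps entries list --map=jjl-game-map --location=global

# Create the map (left figure below)
gcloud certificate-manager maps create jjl-game-map --location=global

# Map entries (right figure below)
# Prerequisite: the certificate must already be uploaded to GCP Certificate Manager;
# --certificates is the name it was uploaded under.
# With a wildcard certificate two entries are needed, one for *.test.com and one for
# test.com: a wildcard hostname only matches subdomains, not the apex domain itself,
# and each entry carries a single --hostname.
gcloud certificate-manager maps entries create jjl-game-wildcard \
  --map="jjl-game-map" \
  --certificates="jjl-game" \
  --hostname="*.jjl-game.com" \
  --location="global"

gcloud certificate-manager maps entries create jjl-game-root \
  --map="jjl-game-map" \
  --certificates="jjl-game" \
  --hostname="jjl-game.com" \
  --location="global"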

刪除流程

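# NOTE(review): detach the map from the Ingress first (remove or change the
# networking.gke.io/certmap annotation and let the load balancer reconcile);
# deleting a map the load balancer still references is expected to fail or
# break TLS for the hosts it serves — confirm in your project.

# Delete the entries first — both of the entries created above, otherwise the
# map is still non-empty and the final delete cannot succeed
gcloud certificate-manager maps entries delete jjl-game-wildcard \
  --map="jjl-game-map" \
  --location="global"

gcloud certificate-manager maps entries delete jjl-game-root \
  --map="jjl-game-map" \
  --location="global"

# Then delete the map itself
gcloud certificate-manager maps delete jjl-game-map --location="global"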


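---
# GKE Ingress backed by an external HTTP(S) load balancer (GCLB).
# TLS is supplied through a Certificate Manager map (see the gcloud commands above)
# rather than a spec.tls secret, so no Secret object is needed in the cluster.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: h5
  namespace: prod
  annotations:
    # "gce" selects the external (internet-facing) load balancer;
    # "gce-internal" would select the internal one.
    kubernetes.io/ingress.class: gce
    # Name of a reserved global static IP the load balancer listens on.
    kubernetes.io/ingress.global-static-ip-name: ingress-369-global-main
    # The Certificate Manager map created in step 2. The short form (map name only)
    # is an alternative spelling of the same reference:
    # networking.gke.io/certmap: "jjl-game-map"
    networking.gke.io/certmap: projects/december12-482207/locations/global/certificateMaps/jjl-game-map
    # Optional hardening: remove the plain-HTTP (port 80) forwarding rule so the
    # backends are reachable over TLS only. Leave it unset if an HTTP->HTTPS
    # redirect is wanted instead of an outright refusal.
    # kubernetes.io/ingress.allow-http: "false"
spec:
  rules:
    # Public site: "/" is the catch-all to frontend; the more specific prefixes
    # below route to php-api.
    - host: jjl-game.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontend
                port:
                  number: 80
          - path: /static
            pathType: Prefix
            backend:
              service:
                name: php-api
                port:
                  number: 80
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: php-api
                port:
                  number: 80
          - path: /payment
            pathType: Prefix
            backend:
              service:
                name: php-api
                port:
                  number: 80
          - path: /live_api
            pathType: Prefix
            backend:
              service:
                name: php-api
                port:
                  number: 80
    # Admin host: only /backend and /static are routed; there is deliberately
    # no "/" catch-all here, so other paths are not forwarded to php-backend.
    - host: 3961kg0.jjl-game.com
      http:
        paths:
          - path: /backend
            pathType: Prefix
            backend:
              service:
                name: php-backend
                port:
                  number: 80
          - path: /static
            pathType: Prefix
            backend:
              service:
                name: php-backend
                port:
                  number: 80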