README
¶
Managed Certificates in GKE
Managed Certificates in GKE simplify user flow in managing HTTPS traffic. Instead of manually acquiring an SSL certificate from a Certificate Authority, configuring it on the load balancer and renewing it on time, now it is only necessary to create a Managed Certificate k8s Custom Resource object and provide a domain for which you want to obtain a certificate. The certificate will be auto-renewed when necessary.
For that to work you need to run your cluster on a platform with Google Cloud Load Balancer, that is a cluster in GKE or your own cluster in GCP.
Installation
Prerequisites
- You need to use Kubernetes 1.10 or newer.
- Configure your domain example.com so that it points at the load balancer created for your cluster by Ingress.
Steps
To install Managed Certificates in your own cluster on GCP, you need to:
- Deploy the Managed Certficate CRD
$ kubectl create -f deploy/managedcertificates-crd.yaml
- Deploy the managed-certificate-controller
$ kubectl create -f deploy/managed-certificate-controller.yaml
Usage
- Create a Managed Certificate custom object, specifying a single non-wildcard domain not longer than 63 characters, for which you want to obtain a certificate:
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
name: example-certificate
spec:
domains:
- example.com
- Configure Ingress to use this custom object to terminate SSL connections:
kubectl annotate ingress [your-ingress-name] networking.gke.io/managed-certificates=example-certificate
If you need, you can specify more multiple managed certificates here, separating their names with commas.
Clean up
You can do the below steps in any order and doing even one of them will turn SSL off:
- Remove annotation from Ingress
kubectl annotate ingress [your-ingress-name] networking.gke.io/managed-certificates-
(note the minus sign at the end of annotation name)
- Tear down the controller
$ kubectl delete -f deploy/managed-certificate-controller.yaml
- Tear down the Managed Certificate CRD
$ kubectl delete -f deploy/managedcertificates-crd.yaml
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
e2e
|
|
|
pkg
|
|
|
apis/networking.gke.io/v1beta1
Package v1beta1 is v1beta1 version of the API.
|
Package v1beta1 is v1beta1 version of the API. |
|
clientgen/clientset/versioned
This package has the automatically generated clientset.
|
This package has the automatically generated clientset. |
|
clientgen/clientset/versioned/fake
This package has the automatically generated fake clientset.
|
This package has the automatically generated fake clientset. |
|
clientgen/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
|
This package contains the scheme of the automatically generated clientset. |
|
clientgen/clientset/versioned/typed/networking.gke.io/v1beta1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
clientgen/clientset/versioned/typed/networking.gke.io/v1beta1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |
|
clients
Package clients provides clients which are used to communicate with api server and GCLB.
|
Package clients provides clients which are used to communicate with api server and GCLB. |
|
clients/configmap
Package configmap provides operations for manipulating ConfigMap objects.
|
Package configmap provides operations for manipulating ConfigMap objects. |
|
clients/event
Package event provides operations for manipulating Event objects.
|
Package event provides operations for manipulating Event objects. |
|
clients/ssl
Package ssl provides operations for manipulating SslCertificate GCE resources.
|
Package ssl provides operations for manipulating SslCertificate GCE resources. |
|
config
Package config manages configuration of the whole application.
|
Package config manages configuration of the whole application. |
|
controller/binder
Package binder handles binding SslCertificate resources with load balancers via GCE-Ingress's pre-shared-cert annotation.
|
Package binder handles binding SslCertificate resources with load balancers via GCE-Ingress's pre-shared-cert annotation. |
|
controller/certificates
Package certificates contains helper methods for performing operations on SslCertificate and ManagedCertificate objects.
|
Package certificates contains helper methods for performing operations on SslCertificate and ManagedCertificate objects. |
|
controller/errors
Package errors defines errors occuring in controller's operations.
|
Package errors defines errors occuring in controller's operations. |
|
controller/metrics
Package metrics implements metrics for managed certificates.
|
Package metrics implements metrics for managed certificates. |
|
controller/sslcertificatemanager
Package sslcertificatemanager manipulates SslCertificate objects and communicates GCE API errors with Events.
|
Package sslcertificatemanager manipulates SslCertificate objects and communicates GCE API errors with Events. |
|
controller/state
Package stage stores controller state and persists it in a ConfigMap.
|
Package stage stores controller state and persists it in a ConfigMap. |
|
controller/sync
Package sync contains logic for transitioning ManagedCertificate between states, depending on the state of the cluster.
|
Package sync contains logic for transitioning ManagedCertificate between states, depending on the state of the cluster. |
|
flags
Package flags defines global controller flags
|
Package flags defines global controller flags |
|
utils/http
Package http provides utility functions for manipulating HTTP errors.
|
Package http provides utility functions for manipulating HTTP errors. |
|
utils/random
Package random contains utilities for generating random names.
|
Package random contains utilities for generating random names. |
|
utils/types
Package types defines helpers for manipulating types.
|
Package types defines helpers for manipulating types. |
Click to show internal directories.
Click to hide internal directories.