GoogleCloudPlatform / gke-managed-certs

Managed Certificates for Kubernetes clusters using GCLB
Apache License 2.0

I want to check out this alpha feature in GKE! #9

Closed krzykwas closed 5 years ago

krzykwas commented 5 years ago

Please reach out to manjotpahwa@google.com to learn more about alpha Managed Certificates in GKE.

berstend commented 5 years ago

Hey @krzykwas - just came across this project and was wondering if it can be used already?

Haven't tried it yet as I noticed the comments in another issue indicating it's not fully implemented yet.

Would be great to mention this in the readme, if that's the case. :-)

markfermor commented 5 years ago

I'm in the same boat. This looks really promising!

brettcurtis commented 5 years ago

I was able to get this working today - it's exactly what I'm after, looking good !

michaelheyvaert commented 5 years ago

Hi @krzykwas @brettcurtis do you still need to reach out to manjotpahwa to try this out?

brettcurtis commented 5 years ago

I did not.

On Mon, Feb 25, 2019, 6:58 AM michaelheyvaert notifications@github.com wrote:

Hi @krzykwas @brettcurtis do you still need to reach out to manjotpahwa to try this out?


bery commented 5 years ago

Would you be willing to share the steps that you have taken? So we, who are keen to try the certs out, do not have to investigate :)

brettcurtis commented 5 years ago

I'll try to write something up today.

brettcurtis commented 5 years ago

I didn't have time to write anything up but was able to make this public: https://github.com/lzysh/ops-tf-module-k8s

If you follow the README.md at the end of the day you'll have a cluster running where you will only need to add this:

---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: nginx-example-tls
  namespace: nginx-example
spec:
  domains:
    - host.domain.com
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-example
  namespace: nginx-example
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    networking.gke.io/managed-certificates: "nginx-example-tls"
spec:
  rules:
    - host: host.domain.com
      http:
        paths:
          - path: /*
            backend:
              serviceName: nginx-example-http
              servicePort: 80

...to get both DNS and SSL on your ingress resources. I can try to help more when I have time if this is interesting to anyone.

davidebelloni commented 5 years ago

Hi, I've followed the README and at the moment I've an Ingress with this alert (web console):

This load balancer has no frontend configured

The ingress is:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: orchestrator-engine-dashboard-ingress
  labels:
    app: orchestrator-engine-dashboard
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: "orchestrator-test-addr"
    networking.gke.io/managed-certificates: "orchestrator-test"
spec:
  backend:
    serviceName: frontend-service
    servicePort: 80
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: frontend-service
              servicePort: 80
          - path: /rest/*
            backend:
              serviceName: backend-service
              servicePort: 80

Cluster version: 1.11.7-gke.6 Node Pool scopes:

managed-certificate-controller resources (CRD, ServiceAccount, RoleBinding and Deployment) are applied in a separate namespace.

Am I missing something?

wbyoung commented 5 years ago

I managed to get this working today after reviewing this issue and various other issues on this repository. Here's what I had to do:

A few variables that you'll need to customize that will be used throughout:

PROJECT_ID="account-id-1234"
ACCOUNT_EMAIL="your-email@wherever.com"

Download the CRD and controller manifests and define a few patches to use with the controller via Kustomize (note that the config files are all ending up in a sub-directory called gke and that we leave that at the end of these commands).

mkdir gke; cd gke

curl --remote-name-all \
  https://raw.githubusercontent.com/GoogleCloudPlatform/gke-managed-certs/v0.3.0/deploy/managedcertificates-crd.yaml \
  https://raw.githubusercontent.com/GoogleCloudPlatform/gke-managed-certs/v0.3.0/deploy/managed-certificate-controller.yaml

cat > managed-certificate-controller-secrets.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: managed-certificate-controller
spec:
  template:
    spec:
      containers:
        - name: managed-certificate-controller
          env:
          - name: GOOGLE_APPLICATION_CREDENTIALS
            value: "/var/run/credentials/service-account-key.json"
          volumeMounts:
            - name: google-application-credentials
              mountPath: "/var/run/credentials"
              readOnly: true
      volumes:
        - name: google-application-credentials
          secret:
            secretName: gke-managed-certs-credentials
EOF

cat > kustomization.yml <<EOF
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- managedcertificates-crd.yaml
- managed-certificate-controller.yaml
patches:
- managed-certificate-controller-secrets.yaml
EOF

cd ..

The above patch, managed-certificate-controller-secrets.yaml, sets things up so that a volume will be mounted to access the secret file, and an environment variable has been defined that points to the file (as was shown to be possible by @bmhatfield here). If you don't really know much about Kustomize, you can just edit the controller manifest manually. Here's the full manifest w/ the patch applied if this is confusing to you.

The next block of commands will take care of the following:

gcloud iam service-accounts create gke-managed-certs \
  --display-name "GKE Managed Certs"

gcloud iam roles create gke_managed_certs_role \
  --project $PROJECT_ID \
  --title "GKE Managed Certs Role" \
  --description "Read & write permissions for GKE Managed Certs" \
  --permissions compute.sslCertificates.create,compute.sslCertificates.delete,compute.sslCertificates.get,compute.sslCertificates.list \
  --stage BETA

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member serviceAccount:gke-managed-certs@$PROJECT_ID.iam.gserviceaccount.com \
  --role projects/$PROJECT_ID/roles/gke_managed_certs_role

gcloud iam service-accounts keys create ./service-account-key.json \
  --iam-account gke-managed-certs@$PROJECT_ID.iam.gserviceaccount.com

Create the container and get the kubectl context all set up as normal:

gcloud container clusters create \
  --machine-type=g1-small \
  --num-nodes=2 \
  --disk-size=10GB \
  ssl-test

gcloud container clusters get-credentials ssl-test

Now start sending things off to your cluster via kubectl:

kubectl create secret generic gke-managed-certs-credentials \
  --from-file=./service-account-key.json

kubectl create clusterrolebinding admin-binding \
  --clusterrole=cluster-admin \
  --user=$ACCOUNT_EMAIL

# this creates the CRD & controller w/ our patch
kustomize build ./gke | kubectl apply -f -

# deploy a simple app w/ certs
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
      - name: hello-world
        image: gcr.io/google-samples/hello-app:1.0
---
apiVersion: v1
kind: Service
metadata:
  name: hello-world
spec:
  type: NodePort
  selector:
    app: hello-world
  ports:
  - protocol: TCP
    port: 8080
---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: ssl-test
spec:
  domains:
    - ssl-test.my-domain.com
---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: ssl-test2
spec:
  domains:
    - ssl-test2.my-domain.com
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ssl-test
  annotations:
    networking.gke.io/managed-certificates: "ssl-test,ssl-test2"
spec:
  backend:
    serviceName: hello-world
    servicePort: 8080
EOF

kubectl get ingress -w

Now wait for your load balancer to be created & assigned an external IP address. At that point, you can update your DNS records to point to that IP & wait for the SSL cert to become active.

If you want to tear this down so you don't get billed:

kubectl delete service hello-world # allows the load balancer to be deleted
gcloud container clusters delete ssl-test

Note that this does not delete the service account/role/keys that were created. Feel free to do that if you wish.

davidebelloni commented 5 years ago

Hi, I've found my problem. I had a RoleBinding instead of a ClusterRoleBinding :(

Thanks
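The pitfalls in this thread (an Ingress annotation naming a ManagedCertificate that was never applied, plain HTTP left enabled on an ingress that is meant to be TLS-only, and the controller's service account bound with a namespaced RoleBinding rather than a ClusterRoleBinding) can all be caught before `kubectl apply`. The following linter is an added example, not code from the gke-managed-certs project or from anyone in this thread. To run offline without PyYAML, the manifests are constructed inline as the dicts `yaml.safe_load_all` would produce; the `CONTROLLER_SA` name and the namespaces in the samples are assumptions, and the samples deliberately mirror the working and the broken manifests posted above.

```python
"""Lint a set of Kubernetes manifests for a gke-managed-certs setup.

Added example, not part of the gke-managed-certs project. Manifests are
plain dicts (the shape yaml.safe_load_all returns), so this runs without PyYAML.
"""
from typing import Any, Dict, List, Set, Tuple

Manifest = Dict[str, Any]

CERT_ANNOTATION = "networking.gke.io/managed-certificates"
ALLOW_HTTP_ANNOTATION = "kubernetes.io/ingress.allow-http"
# Assumed name of the controller's ServiceAccount (matches the deploy manifest's Deployment name).
CONTROLLER_SA = "managed-certificate-controller"


def _namespace(m: Manifest) -> str:
    """Namespaced objects without an explicit namespace land in 'default'."""
    return m.get("metadata", {}).get("namespace") or "default"


def _annotations(m: Manifest) -> Dict[str, str]:
    return m.get("metadata", {}).get("annotations") or {}


def lint(manifests: List[Manifest]) -> List[str]:
    """Return human-readable findings; an empty list means the set is consistent."""
    findings: List[str] = []
    # ManagedCertificate is namespaced, so the annotation on an Ingress can only
    # resolve to certificates in the Ingress's own namespace.
    certs: Set[Tuple[str, str]] = {
        (_namespace(m), m["metadata"]["name"])
        for m in manifests if m.get("kind") == "ManagedCertificate"
    }
    for m in manifests:
        kind = m.get("kind")
        name = m.get("metadata", {}).get("name", "<unnamed>")
        ns = _namespace(m)
        if kind == "ManagedCertificate":
            domains = m.get("spec", {}).get("domains") or []
            if not domains:
                findings.append(f"ManagedCertificate {ns}/{name}: spec.domains is empty")
            for d in domains:
                if d.startswith("*"):
                    findings.append(f"ManagedCertificate {ns}/{name}: wildcard domain {d} is not "
                                    "supported by Google-managed certificates")
        elif kind == "Ingress":
            ann = _annotations(m)
            referenced = [c.strip() for c in ann.get(CERT_ANNOTATION, "").split(",") if c.strip()]
            for cert in referenced:
                if (ns, cert) not in certs:
                    findings.append(f"Ingress {ns}/{name}: {CERT_ANNOTATION} names '{cert}' but no "
                                    f"ManagedCertificate with that name exists in namespace {ns}")
            # GCLB serves plain HTTP unless the annotation is explicitly "false".
            if referenced and ann.get(ALLOW_HTTP_ANNOTATION, "true") != "false":
                findings.append(f"Ingress {ns}/{name}: a certificate is attached but plain HTTP is "
                                f"still served ({ALLOW_HTTP_ANNOTATION} is not \"false\")")
        elif kind == "RoleBinding":
            for s in m.get("subjects") or []:
                if s.get("kind") == "ServiceAccount" and s.get("name") == CONTROLLER_SA:
                    findings.append(f"RoleBinding {ns}/{name}: binds the controller's ServiceAccount with a "
                                    "namespaced RoleBinding; the controller watches Ingress and "
                                    "ManagedCertificate objects in every namespace and needs a ClusterRoleBinding")
    return findings


# Constructed samples: a consistent set, and one reproducing the problems from this thread.
GOOD_SET: List[Manifest] = [
    {"apiVersion": "networking.gke.io/v1beta1", "kind": "ManagedCertificate",
     "metadata": {"name": "nginx-example-tls", "namespace": "nginx-example"},
     "spec": {"domains": ["host.domain.com"]}},
    {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
     "metadata": {"name": "nginx-example", "namespace": "nginx-example",
                  "annotations": {ALLOW_HTTP_ANNOTATION: "false", CERT_ANNOTATION: "nginx-example-tls"}},
     "spec": {"rules": [{"host": "host.domain.com"}]}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "managed-certificate-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": CONTROLLER_SA, "namespace": "default"}]},
]

BAD_SET: List[Manifest] = [
    {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
     "metadata": {"name": "orchestrator-engine-dashboard-ingress",
                  "annotations": {CERT_ANNOTATION: "orchestrator-test"}},
     "spec": {"backend": {"serviceName": "frontend-service", "servicePort": 80}}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "managed-certificate-controller", "namespace": "certs"},
     "subjects": [{"kind": "ServiceAccount", "name": CONTROLLER_SA, "namespace": "certs"}]},
    {"apiVersion": "networking.gke.io/v1beta1", "kind": "ManagedCertificate",
     "metadata": {"name": "wild"}, "spec": {"domains": ["*.example.com"]}},
]

if __name__ == "__main__":
    for label, manifests in (("good", GOOD_SET), ("bad", BAD_SET)):
        print(f"{label}: {len(lint(manifests))} finding(s)")
        for f in lint(manifests):
            print("  -", f)
```

Feed it real manifests by replacing the constructed lists with the output of `yaml.safe_load_all` over `kustomize build ./gke` and your application manifests; the resolution check is what would have flagged the "no frontend configured" setup above before it was applied.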

iameli commented 5 years ago

@wbyoung Thank you very much, that worked great! One tweak I made — I didn't have the flag to create new roles on my particular Google Cloud project, so instead I used the slightly-broader roles/compute.loadBalancerAdmin role.

krzykwas commented 5 years ago

Managed Certificates is a Beta feature, so this issue is no longer up-to-date. I extracted the guide by @wbyoung into a separate issue.