Using HTTP2 with GKE and Google Managed Certificates

Time:01-10

I am using an Ingress using Google-managed SSL certs mostly similar to what is described here:

https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs#setting_up_a_google-managed_certificate

However my backend service is a grpc service that is using HTTP2. According to the same documentation if I am using HTTP2 my backend needs to be "configured with SSL".

This sounds like I need a separate set of certificates for my backend service to configure it with SSL.

Is there a way to use the same Google managed certs here as well?

What are my other options here? I am using Google-managed certs for the Ingress so as not to manage any certs on my own; if I then use self-signed certificates for my service, that kind of defeats the purpose.

CodePudding user response:

I don't think it's required to create SSL for the backend services if you are terminating the HTTPS at LB level. You can attach your certs at LB level and the backend will be HTTPS > HTTP.

You might need to create a new SSL/TLS cert in case there is a different version (ssl-protocols: TLSv1.2 TLSv1.3) or cipher set in your ingress controller configmap, if you are using the Nginx ingress controller, Kong, etc.

If you are looking for end-to-end HTTPS traffic, you definitely need to create a cert for the backend service.

You can also create/manage the managed certificate or a custom cert with cert-manager as a K8s secret and mount it to the deployment, which will then be used by the service; in that case there is no need to manage or create the certs yourself. Ingress will pass the HTTPS request through to the service directly.

In this case, it will be an end-to-end HTTPS setup.

Update:

"Note: To ensure the load balancer can make a correct HTTP2 request to your backend, your backend must be configured with SSL. For more information on what types of certificates are accepted, see Encryption from the load balancer to the backends." End-to-end TLS seems to be a requirement for HTTP2.

This is my site https://findmeip.com it's running on HTTP2 and terminating the SSL/TLS at the Nginx level only.

Definitely, it's good to go with the suggested practice, so you can use the ESP option from Google, setting up the GKE ingress ESP gRPC stack.

https://cloud.google.com/endpoints/docs/openapi/specify-proxy-startup-options?hl=tr

If you don't want to use ESP, check the suggestion above:

You can mount the managed certificate to the deployment, which will then be used by the service; in that case there is no need to manage or create the certs. In other words, cert-manager will create/manage/renew SSL/TLS on your behalf in a K8s secret which will be used by the service.

CodePudding user response:

Google Managed Certificates can only be used for the frontend portion of the load balancer (aka client to LB). If you need encryption from the LB to the backends you will have to use self-signed certificates or some other way to store said certificates on GKE as secrets, and configure the Ingress to connect to the backend using these secrets.

Like this: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-xlb#setting_up_https_tls_between_client_and_load_balancer
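The setup both answers describe, as an added example that is not part of either answer or of Google's documentation: a Google-managed certificate terminates client TLS at the external HTTP(S) load balancer, while the gRPC backend serves TLS itself from a Kubernetes TLS Secret so the load balancer can speak HTTP/2 to it. The resource names (`example-cert`, `example-ingress`, `grpc-service`, `grpc-backend`, `grpc-backend-tls`), the hostname `grpc.example.com` and the container image are placeholders; the annotations `networking.gke.io/managed-certificates`, `kubernetes.io/ingress.allow-http`, `cloud.google.com/app-protocols` and `cloud.google.com/neg` are the GKE Ingress controller's own.

```yaml
# Added example, not code from the question or answers. All names and the
# hostname are placeholders to be replaced with your own.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: example-cert
spec:
  domains:
    - grpc.example.com        # placeholder domain you control
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    # Attach the Google-managed certificate to the client-facing side of the LB.
    networking.gke.io/managed-certificates: example-cert
    # Do not expose a plaintext HTTP listener on the frontend.
    kubernetes.io/ingress.allow-http: "false"
spec:
  rules:
    - host: grpc.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grpc-service
                port:
                  number: 443
---
apiVersion: v1
kind: Service
metadata:
  name: grpc-service
  annotations:
    # Map the Service port *name* to HTTP2 so the LB uses HTTP/2 over TLS
    # toward the pods (HTTP2 backends must serve TLS).
    cloud.google.com/app-protocols: '{"grpc":"HTTP2"}'
    # Container-native load balancing: the LB reaches pod IPs directly.
    cloud.google.com/neg: '{"ingress": true}'
spec:
  selector:
    app: grpc-backend
  ports:
    - name: grpc               # must match the key in app-protocols above
      port: 443
      targetPort: 8443
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grpc-backend
spec:
  replicas: 2
  selector:
    matchLabels:
      app: grpc-backend
  template:
    metadata:
      labels:
        app: grpc-backend
    spec:
      containers:
        - name: server
          image: REPLACE_WITH_YOUR_GRPC_SERVER_IMAGE   # placeholder
          ports:
            - containerPort: 8443
          volumeMounts:
            # The gRPC server is expected to load /etc/tls/tls.crt and
            # /etc/tls/tls.key and listen with TLS on 8443.
            - name: tls
              mountPath: /etc/tls
              readOnly: true
      volumes:
        - name: tls
          secret:
            # A kubernetes.io/tls Secret (tls.crt / tls.key) for the backend,
            # e.g. a self-signed pair created with openssl and stored with
            # `kubectl create secret tls grpc-backend-tls --cert=... --key=...`,
            # or one issued and renewed by cert-manager as the first answer suggests.
            secretName: grpc-backend-tls
```

One caveat worth keeping in mind when reviewing this design: the backend certificate only has to exist so the load balancer can negotiate TLS and HTTP/2 with the pod; the Google load balancer does not validate that certificate, so this encrypts the LB-to-backend hop but does not authenticate the backend to the load balancer. A self-signed pair is therefore sufficient for the purpose described on this page, and letting cert-manager own its renewal is how the first answer avoids managing it by hand. After applying the manifests, `kubectl describe managedcertificate example-cert` shows whether provisioning of the frontend certificate has completed.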
