1. Securing Ingress Traffic with GKE Managed Certificates


    To secure ingress traffic with GKE managed certificates in a Kubernetes cluster, you would typically use a combination of resources:

    1. Kubernetes Ingress: This defines how external HTTP(S) traffic should be routed to the services within your cluster.

    2. Google Managed Certificates: On GKE, Google provides a way to manage SSL certificates for your services automatically through Kubernetes annotations. However, Google's Managed Certificates are not directly represented as Pulumi resources. Instead, you would use annotations in the Kubernetes Ingress resource to request a managed certificate.

    3. Kubernetes Service: This is used to expose your application that runs on a set of Pods as a network service. When used with an Ingress, it helps in routing traffic to these Pods.

    Here's a program that sets up an Ingress in a GKE cluster, which uses Google's Managed Certificates:

        import pulumi
        import pulumi_kubernetes as k8s
        from pulumi_gcp import container
        from pulumi_kubernetes.core.v1 import Service
        from pulumi_kubernetes.networking.v1 import Ingress

        # Set up a GKE cluster (if not already in place). The default node pool
        # needs a node count, so one is given here. The Kubernetes resources
        # below are created through the default Kubernetes provider, i.e. the
        # cluster selected by your current kubeconfig context; they are not
        # wired to this cluster object automatically.
        cluster = container.Cluster("gke-cluster", initial_node_count=1)

        # The following part assumes that you already have a deployment in place
        # and you're exposing it via an ingress to manage the traffic to the deployment.

        # Define the Kubernetes service for your deployment. A GKE Ingress backend
        # must be reachable as a NodePort service (or use NEGs), so the type is set.
        service = Service(
            "my-service",
            metadata=k8s.meta.v1.ObjectMetaArgs(
                name="my-service",
                labels={"app": "myapp"},
            ),
            spec=k8s.core.v1.ServiceSpecArgs(
                type="NodePort",
                selector={"app": "myapp"},
                ports=[k8s.core.v1.ServicePortArgs(
                    port=80,
                    target_port=80,
                )],
            ),
        )

        # Define the Ingress resource that uses Google's Managed Certificate.
        ingress = Ingress(
            "my-ingress",
            metadata=k8s.meta.v1.ObjectMetaArgs(
                name="my-ingress",
                annotations={
                    # This annotation names the ManagedCertificate resource the
                    # Ingress should use. You create that resource in GKE
                    # separately, and the name here must match it exactly.
                    "networking.gke.io/managed-certificates": "my-certificate",
                },
            ),
            spec=k8s.networking.v1.IngressSpecArgs(
                rules=[k8s.networking.v1.IngressRuleArgs(
                    host="example.com",  # Replace with your domain
                    http=k8s.networking.v1.HTTPIngressRuleValueArgs(
                        paths=[k8s.networking.v1.HTTPIngressPathArgs(
                            path="/",
                            path_type="Prefix",
                            backend=k8s.networking.v1.IngressBackendArgs(
                                service=k8s.networking.v1.IngressServiceBackendArgs(
                                    name=service.metadata.name,
                                    port=k8s.networking.v1.ServiceBackendPortArgs(
                                        number=80,
                                    ),
                                ),
                            ),
                        )],
                    ),
                )],
                # TLS configuration is simplified by managed certificates:
                # the annotation above points to the ManagedCertificate you
                # created, and Google provisions and attaches the certificate.
                tls=[k8s.networking.v1.IngressTLSArgs(
                    hosts=["example.com"],  # Replace with your domain
                )],
            ),
        )

        # The load balancer address is only populated once GCP has provisioned it.
        pulumi.export("ingress_endpoint", ingress.status.load_balancer.ingress[0].ip)

    In the program above:

    • The Service resource defines how to reach the application pods using selectors based on labels assigned to the Pods.
    • The Ingress resource is used to configure the external access to your services by creating an HTTP(S) load balancer in GKE.
    • The annotations for the Ingress resource include a reference to a ManagedCertificate. This certificate should be created separately within GKE (typically via kubectl), as Pulumi does not have a direct resource for it. When the GKE control plane sees this annotation, it provisions an SSL certificate and configures the Ingress for SSL termination with that certificate.
    • After provisioning, you can obtain the IP address of the Ingress using an export statement, allowing you to configure your DNS records to point to your GKE-managed services.

    Keep in mind that SSL provisioning might take some time, as it involves issuing the certificate and propagating it through Google's global load balancing network.
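    As an added example (not part of the original program, and not Pulumi's or GKE's own code), the following Python builds the ManagedCertificate manifest that the page says is applied separately with kubectl, builds an Ingress manifest equivalent to the Pulumi resource above, and runs a pre-deploy lint that catches the misconfigurations which leave such an Ingress without a working certificate or still serving plaintext HTTP. The annotation keys and the ManagedCertificate apiVersion are GKE's own; the lint function, the manifest builders and the sample values (my-certificate, example.com, www.example.com) are constructed for this example.

```python
"""Pre-deploy lint for a GKE Ingress that relies on Google-managed certificates.

Added example, not from the original page. Manifests are plain dicts (what
`kubectl apply` would receive after parsing YAML); all sample values are constructed.
"""
from __future__ import annotations

from typing import Any

# GKE's own annotation keys (not invented for this example).
MANAGED_CERT_ANNOTATION = "networking.gke.io/managed-certificates"
ALLOW_HTTP_ANNOTATION = "kubernetes.io/ingress.allow-http"


def managed_certificate(name: str, domains: list[str]) -> dict[str, Any]:
    """ManagedCertificate manifest (networking.gke.io/v1); the Ingress annotation
    refers to this object by its metadata.name."""
    return {
        "apiVersion": "networking.gke.io/v1",
        "kind": "ManagedCertificate",
        "metadata": {"name": name},
        "spec": {"domains": list(domains)},
    }


def ingress(name: str, host: str, cert_names: list[str], allow_http: bool) -> dict[str, Any]:
    """Ingress manifest equivalent to the page's Pulumi resource, with the
    allow-http annotation exposed as a parameter (GKE defaults it to true)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": name,
            "annotations": {
                MANAGED_CERT_ANNOTATION: ",".join(cert_names),
                ALLOW_HTTP_ANNOTATION: "true" if allow_http else "false",
            },
        },
        "spec": {
            "rules": [{"host": host, "http": {"paths": [{
                "path": "/", "pathType": "Prefix",
                "backend": {"service": {"name": "my-service", "port": {"number": 80}}},
            }]}}],
        },
    }


def lint(ingress_manifest: dict[str, Any], certs: list[dict[str, Any]]) -> list[str]:
    """Return human-readable findings; an empty list means the Ingress is
    consistent with the ManagedCertificates it references and serves HTTPS only."""
    findings: list[str] = []
    annotations = ingress_manifest.get("metadata", {}).get("annotations") or {}
    raw = annotations.get(MANAGED_CERT_ANNOTATION, "") or ""
    referenced = [n.strip() for n in raw.split(",") if n.strip()]
    if not referenced:
        findings.append(f"no {MANAGED_CERT_ANNOTATION} annotation: GKE will not attach a managed certificate")

    # Every referenced certificate must exist, and its domains are what the
    # load balancer can actually present a certificate for.
    by_name = {c["metadata"]["name"]: c for c in certs}
    covered: set[str] = set()
    for name in referenced:
        cert = by_name.get(name)
        if cert is None:
            findings.append(f"ManagedCertificate '{name}' is referenced but was not created in the cluster")
            continue
        for domain in cert["spec"]["domains"]:
            if domain.startswith("*."):
                findings.append(f"ManagedCertificate '{name}' lists wildcard '{domain}', "
                                "which Google-managed certificates do not support")
            covered.add(domain)

    # Each Ingress host must be one of the covered domains, or TLS for it fails.
    for rule in ingress_manifest.get("spec", {}).get("rules", []):
        host = rule.get("host")
        if not host:
            findings.append("an Ingress rule has no host, so no managed certificate can match it")
        elif host not in covered:
            findings.append(f"host '{host}' is not a domain of any referenced ManagedCertificate")

    # Managed certificates do not disable HTTP; that needs the allow-http annotation.
    if str(annotations.get(ALLOW_HTTP_ANNOTATION, "true")).lower() != "false":
        findings.append(f"{ALLOW_HTTP_ANNOTATION} is not 'false': the load balancer also serves plaintext HTTP")
    return findings


if __name__ == "__main__":
    cert = managed_certificate("my-certificate", ["example.com"])
    print("hardened:", lint(ingress("my-ingress", "example.com", ["my-certificate"], False), [cert]))
    print("mismatched:", lint(ingress("my-ingress", "www.example.com",
                                      ["my-certificate", "missing-cert"], True), [cert]))
```

    The lint mirrors what GKE itself requires before the certificate becomes Active: the certificate object must exist in the same namespace as the Ingress, the Ingress hosts must be exactly the certificate's domains (no wildcards), and, beyond what a manifest check can see, the domain's DNS must already resolve to the load balancer IP that the ingress_endpoint export gives you, because Google validates domain control through that load balancer. That DNS dependency is the usual reason provisioning stalls; kubectl describe managedcertificate my-certificate shows whether it is still Provisioning. The allow-http check is there because a managed certificate only adds HTTPS; the GKE load balancer keeps answering on port 80 until that annotation is set to "false".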