Securing Ingress Traffic with GKE Managed Certificates

Question

Pulumi · Accepted Answer

To secure ingress traffic with GKE managed certificates in a Kubernetes cluster, you would typically use a combination of resources:

1. **[Kubernetes Ingress](https://www.pulumi.com/registry/packages/kubernetes/api-docs/networking.k8s.io/v1/ingress/)**: This defines how external HTTP(S) traffic should be routed to the services within your cluster.

2. **[Google Managed Certificates](https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs)**: On GKE, Google provides a way to manage SSL certificates for your services automatically through Kubernetes annotations. However, Google's Managed Certificates are not directly represented as Pulumi resources. Instead, you would use annotations in the Kubernetes Ingress resource to request a managed certificate.

3. **[Kubernetes Service](https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/service/)**: This is used to expose your application that runs on a set of Pods as a network service. When used with an Ingress, it helps in routing traffic to these Pods.

Here's a program that sets up an Ingress in a GKE cluster, which uses Google's Managed Certificates:

```python
import pulumi
from pulumi_gcp import container
import pulumi_kubernetes as k8s
from pulumi_kubernetes.networking.v1 import Ingress
from pulumi_kubernetes.core.v1 import Service

# Set up a GKE cluster (if not already in place)
cluster = container.Cluster("gke-cluster")

# The following part assumes that you already have a deployment in place
# and you're exposing it via an ingress to manage the traffic to the deployment.

# Define the Kubernetes service for your deployment.
service = Service(
    "my-service",
    metadata=k8s.meta.v1.ObjectMetaArgs(
        name="my-service",
        labels={"app": "myapp"},
    ),
    spec=k8s.core.v1.ServiceSpecArgs(
        selector={"app": "myapp"},
        ports=[k8s.core.v1.ServicePortArgs(
            port=80,
            target_port=80,
        )],
    )
)

# Define the Ingress resource that uses Google's Managed Certificate.
ingress = Ingress(
    "my-ingress",
    metadata=k8s.meta.v1.ObjectMetaArgs(
        name="my-ingress",
        annotations={
            # This annotation specifies the name of the ManagedCertificate resource
            # the Ingress should use. You would create this resource in GKE, and the
            # name should match the resource's name.
            "networking.gke.io/managed-certificates": "my-certificate",
        },
    ),
    spec=k8s.networking.v1.IngressSpecArgs(
        rules=[k8s.networking.v1.IngressRuleArgs(
            host="example.com",  # Replace with your domain
            http=k8s.networking.v1.HTTPIngressRuleValueArgs(
                paths=[k8s.networking.v1.HTTPIngressPathArgs(
                    path="/",
                    path_type="Prefix",
                    backend=k8s.networking.v1.IngressBackendArgs(
                        service=k8s.networking.v1.IngressServiceBackendArgs(
                            name=service.metadata.name,
                            port=k8s.networking.v1.ServiceBackendPortArgs(
                                number=80,
                            ),
                        ),
                    ),
                )],
            ),
        )],
        # TLS configuration is simplified by managed certificates.
        # You point to the ManagedCertificate resource you created
        # and Google will automatically handle the encryption.
        tls=[k8s.networking.v1.IngressTLSArgs(
            hosts=["example.com"],  # Replace with your domain
        )],
    )
)

pulumi.export('ingress_endpoint', ingress.status.load_balancer.ingress[0].ip)
```

In the program above:

- The `Service` resource defines how to reach the application pods using selectors based on labels assigned to the Pods.
- The `Ingress` resource is used to configure the external access to your services by creating an HTTP(S) load balancer in GKE.
- The annotations for the `Ingress` resource include a reference to a `ManagedCertificate`. This certificate should be created separately within GKE (typically via `kubectl`) as Pulumi does not have a direct resource for this. When the GKE control plane sees this annotation, it provisions an SSL certificate and configures the Ingress for SSL termination with this certificate.
- After provisioning, you can obtain the IP address of the Ingress using an export statement, allowing you to configure your DNS records to point to your GKE-managed services.

Keep in mind that SSL provisioning might take some time as it involves generating a certificate and propagating it through the global network.