How do I configure a Kubernetes networking.gke.io managedcertificate on GKE?
In this guide, we will configure a Kubernetes networking.gke.io/ManagedCertificate
on Google Kubernetes Engine (GKE) using Pulumi. Managed certificates are a way to automate the management of SSL/TLS certificates for your Kubernetes applications. They are managed by Google Cloud and are automatically renewed before expiration.
Key Points
- Create a GKE cluster.
- Deploy a Kubernetes application.
- Configure a
ManagedCertificate
resource. - Associate the managed certificate with an Ingress resource.
Pulumi Program
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";
// Create a GKE cluster
const cluster = new gcp.container.Cluster("gke-cluster", {
initialNodeCount: 1,
minMasterVersion: "1.19",
nodeVersion: "1.19",
nodeConfig: {
machineType: "e2-medium",
},
});
// Export the kubeconfig required to connect to the cluster
export const kubeconfig = pulumi.interpolate`
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ${cluster.masterAuth.clusterCaCertificate}
server: https://${cluster.endpoint}
name: gke-cluster
contexts:
- context:
cluster: gke-cluster
user: gke-cluster
name: gke-cluster
current-context: gke-cluster
kind: Config
preferences: {}
users:
- name: gke-cluster
user:
auth-provider:
config:
cmd-args: config config-helper --format=json
cmd-path: gcloud
expiry-key: '{.credential.token_expiry}'
token-key: '{.credential.access_token}'
name: gcp
`;
// Create a Kubernetes provider instance using the kubeconfig
const k8sProvider = new k8s.Provider("k8s-provider", {
kubeconfig: kubeconfig,
});
// Deploy a simple NGINX application
const appLabels = { app: "nginx" };
const deployment = new k8s.apps.v1.Deployment("nginx-deployment", {
spec: {
selector: { matchLabels: appLabels },
replicas: 1,
template: {
metadata: { labels: appLabels },
spec: {
containers: [{
name: "nginx",
image: "nginx",
ports: [{ containerPort: 80 }],
}],
},
},
},
}, { provider: k8sProvider });
// Create a Kubernetes service for the NGINX deployment
const service = new k8s.core.v1.Service("nginx-service", {
spec: {
type: "LoadBalancer",
selector: appLabels,
ports: [{ port: 80, targetPort: 80 }],
},
}, { provider: k8sProvider });
// Create a ManagedCertificate resource
const managedCertificate = new k8s.apiextensions.CustomResource("managed-cert", {
apiVersion: "networking.gke.io/v1",
kind: "ManagedCertificate",
metadata: {
name: "managed-cert",
},
spec: {
domains: ["example.com"], // Replace with your domain
},
}, { provider: k8sProvider });
// Create an Ingress resource to use the managed certificate
const ingress = new k8s.networking.v1.Ingress("nginx-ingress", {
metadata: {
annotations: {
"networking.gke.io/managed-certificates": "managed-cert",
},
},
spec: {
rules: [{
host: "example.com", // Replace with your domain
http: {
paths: [{
path: "/",
pathType: "Prefix",
backend: {
service: {
name: service.metadata.name,
port: { number: 80 },
},
},
}],
},
}],
},
}, { provider: k8sProvider });
Summary
In this example, we created a GKE cluster and deployed an NGINX application. We then configured a ManagedCertificate
resource for the domain example.com
and associated it with an Ingress resource to manage SSL/TLS certificates automatically. This setup ensures that your application is served over HTTPS with certificates managed by Google Cloud.
Deploy this code
Want to deploy this code? Sign up for a free Pulumi account to deploy in a few clicks.
Sign upNew to Pulumi?
Want to deploy this code? Sign up with Pulumi to deploy in a few clicks.
Sign upThank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.