1. Answers
  2. Configure Kubernetes ManagedCertificate on GKE

How do I configure a Kubernetes networking.gke.io managedcertificate on GKE?

In this guide, we will configure a Kubernetes networking.gke.io/ManagedCertificate on Google Kubernetes Engine (GKE) using Pulumi. Managed certificates are a way to automate the management of SSL/TLS certificates for your Kubernetes applications. They are managed by Google Cloud and are automatically renewed before expiration.

Key Points

  • Create a GKE cluster.
  • Deploy a Kubernetes application.
  • Configure a ManagedCertificate resource.
  • Associate the managed certificate with an Ingress resource.

Pulumi Program

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";

// Create a GKE cluster
const cluster = new gcp.container.Cluster("gke-cluster", {
    initialNodeCount: 1,
    minMasterVersion: "1.19",
    nodeVersion: "1.19",
    nodeConfig: {
        machineType: "e2-medium",
    },
});

// Export the kubeconfig required to connect to the cluster
export const kubeconfig = pulumi.interpolate`
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${cluster.masterAuth.clusterCaCertificate}
    server: https://${cluster.endpoint}
  name: gke-cluster
contexts:
- context:
    cluster: gke-cluster
    user: gke-cluster
  name: gke-cluster
current-context: gke-cluster
kind: Config
preferences: {}
users:
- name: gke-cluster
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
`;

// Create a Kubernetes provider instance using the kubeconfig
const k8sProvider = new k8s.Provider("k8s-provider", {
    kubeconfig: kubeconfig,
});

// Deploy a simple NGINX application
const appLabels = { app: "nginx" };
const deployment = new k8s.apps.v1.Deployment("nginx-deployment", {
    spec: {
        selector: { matchLabels: appLabels },
        replicas: 1,
        template: {
            metadata: { labels: appLabels },
            spec: {
                containers: [{
                    name: "nginx",
                    image: "nginx",
                    ports: [{ containerPort: 80 }],
                }],
            },
        },
    },
}, { provider: k8sProvider });

// Create a Kubernetes service for the NGINX deployment
const service = new k8s.core.v1.Service("nginx-service", {
    spec: {
        type: "LoadBalancer",
        selector: appLabels,
        ports: [{ port: 80, targetPort: 80 }],
    },
}, { provider: k8sProvider });

// Create a ManagedCertificate resource
const managedCertificate = new k8s.apiextensions.CustomResource("managed-cert", {
    apiVersion: "networking.gke.io/v1",
    kind: "ManagedCertificate",
    metadata: {
        name: "managed-cert",
    },
    spec: {
        domains: ["example.com"], // Replace with your domain
    },
}, { provider: k8sProvider });

// Create an Ingress resource to use the managed certificate
const ingress = new k8s.networking.v1.Ingress("nginx-ingress", {
    metadata: {
        annotations: {
            "networking.gke.io/managed-certificates": "managed-cert",
        },
    },
    spec: {
        rules: [{
            host: "example.com", // Replace with your domain
            http: {
                paths: [{
                    path: "/",
                    pathType: "Prefix",
                    backend: {
                        service: {
                            name: service.metadata.name,
                            port: { number: 80 },
                        },
                    },
                }],
            },
        }],
    },
}, { provider: k8sProvider });

Summary

In this example, we created a GKE cluster and deployed an NGINX application. We then configured a ManagedCertificate resource for the domain example.com and associated it with an Ingress resource to manage SSL/TLS certificates automatically. This setup ensures that your application is served over HTTPS with certificates managed by Google Cloud.

Deploy this code

Want to deploy this code? Sign up for a free Pulumi account to deploy in a few clicks.

Sign up

New to Pulumi?

Want to deploy this code? Sign up with Pulumi to deploy in a few clicks.

Sign up