1

I have created a NodeJS application using http/2 following this example:

Note: this application uses self-signed certificate until now.

We deployed it on GKE, and it is working until now. Here is how this simple architecture looks like:

enter image description here

Now, we want to start using real certificate, and don`t know where is the right place to put it.

Should we put it in pod (overriding self-signed certificate)?

Should we add a proxy on the top of this architecture to put the certificate in?

Tauseef Khan
  • 117
  • 6
Marcelo Dias
  • 409
  • 2
  • 18
  • Read this: https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer and this: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls – John Hanley Aug 30 '19 at 20:45

2 Answers2

1

In GKE you can use a ingress object to routing external HTTP(S) traffic to your applications in your cluster. With this you have 3 options:

  • Google-managed certificates
  • Self-managed certificates shared with GCP
  • Self-managed certificates as Secret resources

Check this guide for the ingress load balancing

David C
  • 365
  • 2
  • 8
0

The Client's SSL session terminates at the LB level, the self-signed certificates being used are just to encrypt communication between the LB and the Pods. So if you want the client to use your new valid certificate it needs to be at the LB level.

On a side note, having your application servers communicate with the LoadBalancer over HTTP will give you a performance boost. Since the LB is acting as a reverse proxy anyway.

You can read this article about LoadBalancing it's written by the author of HAProxy

B.Mouad
  • 151
  • 1
  • 5
  • 1
    Mouad, It is not mandatory using TLS/SSL work with NodeJS HTTP/2? Can you provide me some tutorial about configuring a LB for HTTP/2 in Gcloud, please? I tried this (https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-http2) but without success. – Marcelo Dias Aug 30 '19 at 18:50
  • 1
    Browsers require HTTPS for HTTP/2 but most servers don't. Plus the benefits to using HTTP/2 on backends are very low.. check this https://stackoverflow.com/questions/41637076/http2-with-node-js-behind-nginx-proxy answer it's very detailed and shares many of my thoughts. – B.Mouad Aug 30 '19 at 19:05