kubernetes on gcp create an https Load Balancer with yaml

Question

In my project I have to create a kubernetes cluster on my GCP with an External Load Balancer service for my django app. I create it with this yaml file:

apiVersion: v1
kind: Service
metadata:
  name: mydjango
  namespace: test1
  labels:
    app: mydjango
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 8000
  selector:
    app: mydjango
  type: LoadBalancer

I apply it and all work is done on my cluster except for the fact that kubernetes create a Load balancer using http.

How can I modify my yaml to create the same Load Balancer using https instead http using my google managed certs?

So many thanks in advance Manuel

Answer 1

If you want to serve HTTPS, you need a certificate. For that, you can follow this documentation with Google managed certificates.

You also have to define an ingress to route the traffic.

Answer 2

I whole wholeheartedly agree with the answer provided by @guillaume blaquiere.

You should use following guide to have the HTTPS connection to your Django.

I would also like to add some additional information/resources to the whole question.

---

Addressing the following statement:

I apply it and all work done on my cluster except for the fact that kubernetes create a Load balancer using http.

In fact you are creating a network load balancer (layer 4), (TCP/UDP):

When you create a Service of type LoadBalancer, a Google Cloud controller wakes up and configures a network load balancer in your project. The load balancer has a stable IP address that is accessible from outside of your project.

-- Cloud.google.com: Kubernetes Engine: Docs: Concepts: Service: Service of type LoadBalancer

This type of a load balancer will forward the packets to its destination but it won't be able to accomplish things like path based routing or SSL termination.

To have the ability to connect to your Django app with HTTPS you can:

• Use GKE Ingress for HTTP(S) Load Balancing (as pointed by guillaume blaquiere)

In the whole process you will be using an Ingress resource to forward the traffic to the specific backend. Your Ingress controller will also be responsible for handling SSL.

A side note!

I'd reckon you could change the Service of type LoadBalancer to a Service of type NodePort.

You final Ingress definition will look similar to the one below:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: INGRESS_NAME
  namespace: test1
  annotations:
    kubernetes.io/ingress.global-static-ip-name: ADDRESS_NAME
    networking.gke.io/managed-certificates: CERTIFICATE_NAME
    kubernetes.io/ingress.class: "gce"
spec:
  defaultBackend:
    service:
      name: mydjango
      port:
        number: 8080

Alternatively you can:

• Use different Ingress controller like nginx-ingress and add the certificate to handle the HTTPS either by (this will not use Google managed certificate):
  • Kubernetes.github.io: Ingress nginx: User guide: TLS
  • Cert-manager.io: Docs: Installation: Kubernetes

---

Additional resources:

• Kubernetes.io: Docs: Concepts: Services networking: Ingress

I'd reckon you could also take a look on this answer (on how the communication is happening with nginx-ingress):

• Stackoverflow.com: Questions: How NGINX Ingress controller back-end protocol annotation works in path based routing?