arrow_back

Deploy a Web App on GKE with HTTPS Redirect using Lets Encrypt

加入 登录

Deploy a Web App on GKE with HTTPS Redirect using Lets Encrypt

1 个小时 5 积分

GSP269

Google Cloud self-paced labs logo

Introduction

GKE does not provide a managed HTTPS offering, so it can be a bit daunting trying to take on the task of obtaining a valid TLS certificate without prior experience. You will need to find a Certificate Authority (CA) to provide a browser-trusted certificate and you need a way to manage those certificates.

With Let's Encrypt, you have access to a free, automated, and open certificate authority (CA), run for the public's benefit. Let's Encrypt provides a browser-trusted certificate for your web services. In combination with cert-manager, a Kubernetes add-on, the management and issuance of TLS certificates from Let's Encrypt will be completely automated.

Since GKE also lacks built-in HTTP to HTTPs redirect for Google Cloud Load Balancers (GCLB), an NGINX ingress will be deployed to handle HTTP to HTTPs redirect.

What you will build

In this lab, you're going to deploy a containerized web app in a GKE cluster with HTTPS using a browser-trusted TLS certificate and NGINX to route all HTTP traffic to HTTPS. Google Cloud Endpoints is used for its ability to dynamically provision DNS entries under cloud.goog DNS domain.

What you'll learn

In this lab you'll learn how to do the following:

  • Deploy a containerized web app

  • Set up an NGINX ingress for HTTP to HTTPS redirect

  • Install a cert-manager into a cluster to automate getting TLS/SSL certificates

  • Deploy/modify an ingress with TLS enabled

What you'll need

  • A recent version of Chrome is recommended
  • Basic knowledge of Linux CLI and gcloud

This lab is focused on GKE deployment and management. Non-relevant concepts and code blocks are glossed over and are provided for you to simply copy and paste.

Setup

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab---remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username from the Lab Details panel and paste it into the Sign in dialog. Click Next.

  4. Copy the Password from the Lab Details panel and paste it into the Welcome dialog. Click Next.

    Important: You must use the credentials from the left panel. Do not use your Google Cloud Skills Boost credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left. Navigation menu icon

Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

  1. Click Activate Cloud Shell Activate Cloud Shell icon at the top of the Google Cloud console.

  2. Click Continue.

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. The output contains a line that declares the PROJECT_ID for this session:

Your Cloud Platform project in this session is set to YOUR_PROJECT_ID

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  1. (Optional) You can list the active account name with this command:

gcloud auth list

Output:

ACTIVE: * ACCOUNT: student-01-xxxxxxxxxxxx@qwiklabs.net To set the active account, run: $ gcloud config set account `ACCOUNT`
  1. (Optional) You can list the project ID with this command:

gcloud config list project

Output:

[core] project = <project_ID>

Example output:

[core] project = qwiklabs-gcp-44776a13dea667a6 Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.

Task 1. Download the source code

  1. In Cloud Shell, download the source code for the lab:

curl -LO https://storage.googleapis.com/spls/gsp269/gke-tls-lab-2.tar.gz
  1. Unpack the file to your local system and navigate to the source code directory:

tar zxfv gke-tls-lab-2.tar.gz cd gke-tls-lab

Task 2. Configure Cloud endpoints

Allocate a static IP

  1. First, allocate a static IP in the Google Cloud region our cluster resides using the following command:

gcloud compute addresses create endpoints-ip --region us-central1
  1. Verify an address is allocated:

gcloud compute addresses list

The IP address in the output is the allocated IP address. Record this IP address as you will use it throughout the lab.

Click Check my progress to verify the objective. Allocate a Static IP

Launch the Cloud Shell code editor

In this lab you'll view and edit files. You can use the shell editors that are installed on Cloud Shell, such as nano or vim, or use the Cloud Shell code editor. This lab uses the Cloud Shell code editor.

  1. Launch the Cloud Shell code editor by clicking on the Open Editor icon.
  2. You may need to click on Open in a new window link to launch the code editor in a new tab.

Open Editor icon

Update openapi.yaml

  1. In the left pane in the code editor, navigate to gke-tls-lab/openapi.yaml.

  2. Replace [MY-STATIC-IP] with the allocated IP address.

  3. Find your Project ID in the Connection Details section of your lab. The Lab Details panel displaying the username, password, and GCP project ID

  4. In the code, replace all instances of [MY-PROJECT] with your Project ID and save the file.

Deploy the Cloud endpoints

  • Click on Open Terminal and run the following command to deploy to Cloud Endpoints:

gcloud endpoints services deploy openapi.yaml

Task 3. Create a Kubernetes engine cluster

  • In the command line, create a cluster by running the following command:

gcloud container clusters create cl-cluster --zone us-central1-f

It may take a few minutes to complete.

Authentication credentials for the cluster

You need authentication credentials to interact with the cluster.

  • Get authentication credentials:

gcloud container clusters get-credentials cl-cluster --zone us-central1-f

Set up role-based access control

To be able to deploy to the cluster, you need the proper permissions.

  • Assign yourself the cluster-admin role by running the following command:

kubectl create clusterrolebinding cluster-admin-binding \ --clusterrole cluster-admin --user $(gcloud config get-value account)

Click Check my progress to verify the objective. Create a Kubernetes Engine Cluster

Task 4. Add Helm repo

Helm is a Kubernetes package-manager that helps you manage Kubernetes applications that we will use in the lab to install our NGINX ingress and Let's Encrypt.

Cloud Shell comes prepackaged with Helm, so you only need to add the repository which holds the Nginx ingress and Let's Encrypt charts.

  1. Add the Nginx Stable chart repository:

helm repo add nginx-stable https://helm.nginx.com/stable
  1. Now update Helm's chart repositories:

helm repo update

Task 5. Install NGINX ingress

You will deploy an NGINX ingress using Helm to handle our HTTP to HTTPS redirect when configure our web app for HTTPS to ensure the user always has a secure connection to our app.

  • Install the NGINX ingress using Helm by running the following command. Replace [MY-STATIC-IP] with the allocated IP address you recorded in a previous section:

helm install nginx-stable/nginx-ingress --set controller.service.loadBalancerIP="[MY-STATIC-IP]",rbac.create=true --generate-name Note: You can retrieve the allocated IP address by running: gcloud compute addresses list.

Click Check my progress to verify the objective. Install NGINX Ingress

Task 6. Deploy "Hello World" app

Now that the cluster is created, you can deploy the containerized "hello world" web app.

Update configmap.yaml

The file configmap.yaml contains the environment variable used by Cloud Endpoints.

  1. In the code editor, navigate to configmap.yaml and replace [MY-PROJECT] with your Project ID.

  2. Save the file.

Deploy web app to cluster

  1. Run the following commands to deploy:

kubectl apply -f configmap.yaml kubectl apply -f deployment.yaml

Now, we need to expose our deployment.

  1. We are going to expose our web app by first attaching a NodePort service by running the following command:

kubectl apply -f service.yaml Note: With our service created, we can now deploy an ingress to create a Google Cloud Load Balancer to reach our service externally. The ingress will include the following annotation:

kubernetes.io/ingress.class: nginx

This annotation will tell Kubernetes not to create a Google Cloud Load Balancer and to use our NGINX ingress controller instead.

Update ingress.yaml

  1. In the code editor, navigate to ingress.yaml and replace all instances [MY-PROJECT] with your Project ID.

  2. Save the file.

Apply the ingress and test

  1. In the command line, apply the ingress:

kubectl apply -f ingress.yaml Note: It might take 5-10 minutes for the ingress to be properly provisioned.
  1. Test the application. Open a new browser window and connect to the address below, replacing [MY-PROJECT] with your Project ID:

http://api.endpoints.[MY-PROJECT].cloud.goog

You have successfully deployed the web app when you see the "Hello, world" message, version, and hostname displayed in the browser.

Now to configure the web app for HTTPS!

Click Check my progress to verify the objective. Deploy "Hello World" App

Task 7. Set up HTTPS

We will install cert-manager and configure Let's Encrypt as our certificate issuer to obtain a browser-trusted TLS certificates that can be used to secure our application with HTTPS, and configure our existing esp-ingress to handle only HTTPS requests.

Set up Let's Encrypt

We will use Helm to install cert-manager.

  1. Run the following commands to do so:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.crds.yaml kubectl create namespace cert-manager helm repo add jetstack https://charts.jetstack.io helm repo update helm install \ cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ --version v1.8.0
  1. Verify that cert-manager was installed by running the following command:

kubectl get pods --namespace cert-manager

You should see a similar output:

NAME READY STATUS RESTARTS cert-manager-5c6866597-zw7kh 1/1 Running 0 cert-manager-cainjector-577f6d9fd7-tr77l 1/1 Running 0 cert-manager-webhook-787858fcdb-nlzsq 1/1 Running 0
  1. Run the following command in the Cloud Shell to set your email address as an environment variable, replacing <YOUR_QWIKLABS_ID> with the username found in the connection details panel:

export EMAIL=<YOUR_QWIKLABS_ID>

Now we will deploy Let's Encrypter issuer to issue TLS certificates.

  1. Deploy the Issuer manifest using the following command:

cat letsencrypt-issuer.yaml | sed -e "s/email: ''/email: $EMAIL/g" | kubectl apply -f- Note: It can take a few minutes for Cert Manager to fully install. If you see errors from Cert Manager components wait a few minutes and retry this command.

Click Check my progress to verify the objective. Set Up HTTPS

Update certificate.yaml

  1. In the left pane in the code editor, navigate to gke-tls-lab/certificate.yaml.

  2. Replace all instances of [MY-PROJECT] with your Project ID.

Reconfigure ingress for HTTPS

  • We will now configure our existing esp-ingress with TLS. This is done by deploying the ingress modified version of our ingress.yaml, which is ingress-tls.yaml.
Note: The file, ingress-tls.yaml modifies the ingress with the following additional annotations and modifications to the spec key:

annotations:

...

cert-manager.io/cluster-issuer: letsencrypt-prod

ingress.kubernetes.io/ssl-redirect: "true"

spec:

tls:

- hosts:

- api.endpoints.[MY-PROJECT].cloud.goog

secretName: esp-tls

The annotations will tell cert-manager to begin automating the process of acquiring the required TLS certificate from Let's Encrypt, and will tell our NGINX ingress to redirect all HTTP traffic to HTTPS. The spec will include a "tls" key containing our hosts and secretName.

Update ingress-tls.yaml

  1. Navigate to ingress-tls.yaml. Rename all instances of [MY-PROJECT] with your Project ID.
  1. And now save the ingress-tls.yaml file.

  2. From the command line, apply the changes to esp-ingress:

kubectl apply -f ingress-tls.yaml
  1. Once again, you can check the status by running the following command:

kubectl describe ingress esp-ingress

You should see output similar to the following:

Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal CREATE 10m nginx-ingress-controller Ingress default/esp-ingress Normal UPDATE 23s (x2 over 10m) nginx-ingress-controller Ingress default/esp-ingress Note: It might take a few minutes for the ingress to be properly provisioned.
  1. Test the application by connecting to the address below, replacing [MY-PROJECT] with your Project ID:

https://api.endpoints.[MY-PROJECT].cloud.goog
  1. Now, look at the address bar and you will notice that you are now utilizing a secure, encrypted HTTPS connection with a browser-trusted certificate!
Note: It may take a couple of minutes for the certificate to be issued. If the connection does not report that it is secured using a Lets Encrypt certificate wait a few minutes and refresh the page.

Congratulations!

You deployed a "Hello Web" web app in a GKE cluster with HTTPS. You configured the app to use a browser-trusted TLS certificate and NGINX to route all HTTP traffic to HTTPS.

Finish your quest

This self-paced lab is part of the Kubernetes Solutions and Website and Web Applications quests. A quest is a series of related labs that form a learning path. Completing a quest earns you a badge to recognize your achievement. You can make your badge or badges public and link to them in your online resume or social media account. Enroll in any quest that contains this lab and get immediate completion credit. Refer to the Google Cloud Skills Boost catalog for all available quests.

Take your next lab

Learn more about GKE with NGINX Ingress Controller on Google Kubernetes Engine or Running Dedicated Game Servers in Google Kubernetes Engine.

Learn more about Kubernetes by taking a Quest. For the advanced user, try Kubernetes in the Google Cloud. For the expert user, try Kubernetes Solutions.

Next steps / Learn more

For more information, check out these resources:

To learn more about NGINX, see NGINX and the NGINX Blog.

Google Cloud training and certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual last updated September 15, 2022

Lab last tested July 15, 2022

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.