Setting up HTTPS for GKE

To set up the NGINX Ingress Controller to support SSL termination, see the GKE reference architecture Ingress TLS Termination chapter.

Setting up an HTTPS load balancer

As an alternative, SSL termination can be set up at the Google load balancer level by creating an additional load balancer. The load balancer created during the installation of the NGINX Ingress Controller is a TCP load balancer and does not support HTTPS termination.

Information about setting up HTTP(S) load balancing can be found at HTTP(S) Load Balancing.

  1. Get the NGINX Controller service port.

    The new load balancer will be connected to the NGINX Controller. First, locate information about the current controller.

    Get the service port number for TCP port 80. (nginx_service_port_80 = 30622 in the example below):

    $ kubectl get svc -n ingress-nginx ingress-nginx
    NAME            TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                                      AGE
    ingress-nginx   LoadBalancer   10.23.243.53   35.196.134.177   80:30622/TCP,443:30216/TCP,50000:31462/TCP   27d

  2. Create a new load balancer by going to the GCE Network services console.

    • Select Create a load balancer.

    • Select HTTPS Load Balancer.

      • Give it a name.

      • Select Backend configuration > Backend services > Create a backend service.

        • Give it a name.

        • Select the instance group of your cluster.

        • Set the port number to the ingress controller service port (nginx_service_port_80 we got previously).

        • Under Healthchecks, select the healthcheck for the ingress controller service port (nginx_service_port_80).

        • Select Create.

      • Select Frontend configuration.

        • Give it a name.

        • Select protocol HTTPS.

        • Under IP Address, select Create IP Address to create a new static IP for the load balancer.

        • Under Certificates, select your domain certificate if already uploaded or create a new certificate.

          • If creating a new certificate, upload the various parts of the certificate (see the information on how to create SSL certificates).

        • Select Done.

      • Select Create.

  3. Optional: Remove load balancing for ports 80 and 443 from the NGINX load balancer.

    Now that HTTPS access has been configured, you can remove access to the CloudBees CI cluster on ports 80 and 443 via the NGINX load balancer.

  4. Open GCE Network services console.

    1. Select the NGINX load balancer.

    2. Select Edit.

    3. Select Frontend configuration.

    4. Delete the frontend configuration for ports 80 and 443.

    5. Select Update.

Redirecting HTTP to HTTPS

Using HTTPS provides security to your incoming traffic. Please use HTTPS instead of HTTP.

By following the previous procedure, CloudBees CI is accessible either through HTTP or HTTPS. These steps redirect HTTP traffic to HTTPS.

  1. Copy and paste the following to a new file and save it in the current working directory as nginx-configuration-configmap-patch.yaml.

    data:
      use-proxy-protocol: "true"
      http-snippet: |
        server {
          return 301 https://$host$request_uri;
        }

  2. Apply this patch using the command:

    kubectl patch configmap nginx-configuration -n ingress-nginx -p "$(cat nginx-configuration-configmap-patch.yaml)"
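
To confirm the patch took effect, check that a plain-HTTP request is answered with a 301 whose Location is the same host and URI over HTTPS, rather than with content served in cleartext. The following is an added example, not part of the CloudBees documentation; the function names, the hostname `ci.example.com` and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the HTTP-to-HTTPS redirect from response headers.

# check_redirect HOST REQUEST_URI
# Reads one HTTP response header block on stdin (for example from `curl -sI`).
# Prints "ok" and returns 0 only when the status is 301 and the Location header
# equals https://HOST followed by REQUEST_URI, which is what
# `return 301 https://$host$request_uri;` emits.
check_redirect() {
  tr -d '\r' | awk -v want="https://$1$2" '
    /^HTTP\// && status == "" { status = $2 }   # first status line only
    tolower($1) == "location:" { loc = $2 }     # header names are case-insensitive
    END {
      if (status != "301") { print "FAIL: status " status ", expected 301"; exit 1 }
      if (loc != want)     { print "FAIL: Location " loc ", expected " want; exit 1 }
      print "ok"
    }'
}

# Constructed sample responses (ci.example.com is a placeholder hostname).
sample_redirect() {
  printf '%s\r\n' 'HTTP/1.1 301 Moved Permanently' 'Server: nginx' \
    'Location: https://ci.example.com/job/demo/?page=2' ''
}
sample_plain_http() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' 'Content-Type: text/html' ''
}

# The redirect is in place: prints "ok".
sample_redirect | check_redirect ci.example.com '/job/demo/?page=2'
# Content is still served over HTTP: prints a FAIL line and returns non-zero.
sample_plain_http | check_redirect ci.example.com '/job/demo/?page=2' || true

# Against a live endpoint (not run here), with HOST and URI set by you:
#   curl -sI "http://$HOST$URI" | check_redirect "$HOST" "$URI"
```

A 200 on the HTTP port, or a Location that points at a different host, means the redirect is not in effect for that request.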