Setting up HTTPS for GKE

To set up the NGINX Ingress Controller to support SSL termination, see the GKE Reference Architecture Ingress TLS Termination chapter.

Setting up an HTTPS Load Balancer

As an alternative, SSL termination can be set up at the Google Load Balancer level by creating a new, additional load balancer. The load balancer created during the installation of the NGINX ingress controller is a TCP load balancer and does not support HTTPS termination.

Information about setting up HTTP(S) load balancing can be found at HTTP(S) Load Balancing.

1) Get the NGINX Controller service port.

The new load balancer will be connected to the NGINX Controller. First, locate information about the current controller.

Get the service port number for TCP port 80, which is the value after `80:` in the PORT(S) column (nginx_service_port_80 = 30622 in the example below):

    $ kubectl get svc -n ingress-nginx ingress-nginx
    NAME            TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                                      AGE
    ingress-nginx   LoadBalancer   10.23.243.53   35.196.134.177   80:30622/TCP,443:30216/TCP,50000:31462/TCP   27d

2) Create a new load balancer.

To create a new load balancer, go to the GCE Network services console.

  • Click on 'Create a load balancer'.

  • Select 'HTTPS Load Balancer'.

    • Give it a name.

    • Select 'Backend configuration' → 'Backend services' → 'Create a backend service'.

      • Give it a name.

      • Select the instance group of your cluster.

      • Set the port number to the ingress controller service port (nginx_service_port_80 we got previously).

      • Under 'Healthchecks', select the healthcheck for the ingress controller service port (nginx_service_port_80).

      • Click on 'Create'.

    • Select 'Frontend configuration'.

      • Give it a name.

      • Select Protocol HTTPS.

      • Under 'IP Address' select 'Create IP Address' to create a new static IP for the load balancer.

      • Under 'Certificates', select your domain certificate if already uploaded, or create a new certificate.

        • If creating a new certificate, upload the various parts of the certificate (see the information on how to create an SSL certificate).

      • Click 'Done'.

    • Click 'Create'.

3) Optional: Remove load balancing for ports 80 and 443 from the NGINX load balancer.

Now that HTTPS access has been configured, you can remove access to the CloudBees CI cluster for ports 80 and 443 via the NGINX load balancer.

  1. Open GCE Network services console.

  2. Select the NGINX load balancer.

  3. Select Edit.

  4. Select Frontend configuration.

  5. Delete the frontend configuration for ports 80 and 443.

  6. Select Update.

Redirecting HTTP to HTTPS

HTTPS protects your incoming traffic in transit. Use HTTPS instead of HTTP.

After the previous procedure, CloudBees CI is accessible through either HTTP or HTTPS. The following steps redirect HTTP traffic to HTTPS.

  1. Copy and paste the following to a new file and save it in the current working directory as nginx-configuration-configmap-patch.yaml:

    data:
      use-proxy-protocol: "true"
      http-snippet: |
        server {
          return 301 https://$host$request_uri;
        }

  2. Apply this patch using the command:

    kubectl patch configmap nginx-configuration -n ingress-nginx -p "$(cat nginx-configuration-configmap-patch.yaml)"
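
To confirm the redirect once the patch is applied, the following added example (not part of the original documentation) sends one plain-HTTP request without following redirects and compares the response with `return 301 https://$host$request_uri;`. The hostname `ci.example.com`, the function names and the sample responses are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit


def evaluate_redirect(status, location, host, request_uri):
    """Compare one HTTP response with `return 301 https://$host$request_uri;`.

    Returns a list of problems; an empty list means the redirect is as configured.
    """
    problems = []
    if status != 301:
        problems.append(f"status is {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"scheme is {target.scheme!r}, expected 'https'")
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"host is {target.hostname!r}, expected {host!r}")
    uri = target.path + (f"?{target.query}" if target.query else "")
    if uri != request_uri:
        problems.append(f"URI is {uri!r}, expected {request_uri!r}")
    return problems


def probe(address, host, request_uri="/", port=80, timeout=5):
    """Send one plain-HTTP GET (redirects are not followed) and evaluate it."""
    conn = http.client.HTTPConnection(address, port, timeout=timeout)
    try:
        conn.request("GET", request_uri, headers={"Host": host})
        resp = conn.getresponse()
        return evaluate_redirect(resp.status, resp.getheader("Location"),
                                 host, request_uri)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed responses for a hypothetical host; not captured from a cluster.
    host, uri = "ci.example.com", "/cjoc/login?from=%2F"
    samples = [
        (301, f"https://{host}{uri}"),         # matches the snippet
        (200, None),                           # served over HTTP, no redirect
        (302, f"http://{host}/cjoc/login"),    # wrong status, scheme and URI
        (301, f"https://other.example{uri}"),  # redirect leaves the requested host
    ]
    for status, location in samples:
        print(status, location, "->", evaluate_redirect(status, location, host, uri) or "OK")
```

`probe()` takes the address that serves port 80 and the hostname to send in the `Host` header, and returns the same list of problems.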