SSL termination in load balancer


JohnP

Oct 8, 2016, 1:03:33 PM
to Kubernetes user discussion and Q&A
Hi!

Thanks for a great product!

I've set up a cluster on GKE that will host multiple deployments/services, each with a different web site, for example desktop, mobile, etc. At the moment the sites are exposed using the LoadBalancer that you can assign with kubectl (--type="LoadBalancer").

However, for production we want to use encrypted HTTP. We were thinking of using LetsEncrypt. Preferably we can terminate the SSL at the load balancer. Each site will have multiple domain names registered, for example m.domain.se, m.domain.no, m.domain.de, m.domain.at, etc. will point at the mobile service. So as far as I can tell the options are:

1. Using external LB - https://cloud.google.com/compute/docs/load-balancing/http/
2. Set up HAProxy or similar

Can anyone share some insights or experiences implementing either method? Pros, cons, hurdles?

// John

Quinn Comendant

Oct 8, 2016, 1:44:51 PM
to kubernet...@googlegroups.com
I've been researching this, so I can point you to some things I've found:
The GCE load balancers support SSL/TLS [1]. There is a cost for each load balancer [2], so if you'll have many end-points, you have to include that in your budget.

> 2. Set up HAProxy or similar

If you won't actually need load balancing, a reverse proxy with SSL termination might be a better option. You can set up an Ingress Controller with automatic LetsEncrypt certificate management. Kube-lego [3] looks really good. Lots more info about Ingress Controllers under /contrib/ [4].

Let us know what you find.

[1] https://cloud.google.com/compute/docs/load-balancing/http/
[2] https://cloud.google.com/compute/pricing#lb
[3] https://github.com/jetstack/kube-lego/
[4] https://github.com/kubernetes/contrib/tree/master/ingress/controllers

Quinn

yaron...@apester.com

Nov 23, 2016, 5:57:13 AM
to Kubernetes user discussion and Q&A
I am struggling right now with the concept of creating a GCP load balancer with SSL enabled (when I expose a k8s service, the load balancer is created automatically without SSL support and I cannot seem to alter its properties).

Any chance to get some help on this?

Vitalii

Dec 27, 2016, 10:46:44 PM
to Kubernetes user discussion and Q&A, yaron...@apester.com
@yaron I face the same issue, did you find any solution?

I've tried to add an HTTPS load balancer for my k8s cluster, but it doesn't see my instance group's health endpoint and just restarts the instances again and again.
