[GSP269] Deploy a Web App on GKE with HTTPS Redirect using Lets Encrypt



$ wget https://storage.googleapis.com/vwebb-codelabs/gke-tls-qwik/gke-tls-lab.tar.gz

$ tar zxfv gke-tls-lab.tar.gz

$ cd gke-tls-lab

Configure Cloud Endpoints

$ gcloud compute addresses create endpoints-ip --region us-central1

$ gcloud compute addresses list

$ export PROJECT_ID=$(gcloud config get-value project)
$ export ENDPOINTS_IP=

$ sed -i "s/\[MY-PROJECT\]/$PROJECT_ID/g" ./openapi.yaml
$ sed -i "s/\[MY-STATIC-IP\]/$ENDPOINTS_IP/g" ./openapi.yaml

// Deploy to Cloud Endpoints:
$ gcloud endpoints services deploy openapi.yaml

Create a Kubernetes Engine Cluster

$ gcloud container clusters create cl-cluster --zone us-central1-f
$ gcloud container clusters get-credentials cl-cluster --zone us-central1-f

Set up Role-Based Access Control

To be able to deploy to the cluster, you need the proper permissions.

$ kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin --user $(gcloud config get-value account)

Install Helm

$ curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get > get_helm.sh

$ chmod 700 get_helm.sh

$ ./get_helm.sh

$ kubectl create serviceaccount -n kube-system tiller

$ kubectl create clusterrolebinding tiller-binding \
    --clusterrole=cluster-admin \
    --serviceaccount kube-system:tiller

$ helm init --service-account tiller

$ helm repo update

Install NGINX Ingress

You will deploy an NGINX ingress using Helm to handle our HTTP to HTTPS redirect when configure our web app for HTTPS to ensure the user always has a secure connection to our app.

$ helm install stable/nginx-ingress --set controller.service.loadBalancerIP=${ENDPOINTS_IP},rbac.create=true

Deploy “Hello World” App

$ sed -i "s/\[MY-PROJECT\]/$PROJECT_ID/g" ./configmap.yaml 
$ sed -i "s/\[MY-PROJECT\]/$PROJECT_ID/g" ./ingress.yaml

Deploy web app to cluster

$ kubectl apply -f configmap.yaml
$ kubectl apply -f deployment.yaml
$ kubectl apply -f service.yaml
$ kubectl apply -f ingress.yaml

$ echo http://api.endpoints.${PROJECT_ID}.cloud.goog


$ helm install --name cert-manager --version v0.3.2 --namespace kube-system stable/cert-manager

$ export [email protected]

$ cat letsencrypt-issuer.yaml | sed -e "s/email: ''/email: $EMAIL/g" | kubectl apply -f-

Reconfigure ingress for HTTPS

$ sed -i "s/\[MY-PROJECT\]/$PROJECT_ID/g" ./ingress-tls.yaml

$ kubectl apply -f ingress-tls.yaml

$ kubectl describe ingress esp-ingress

$ echo http://api.endpoints.${PROJECT_ID}.cloud.goog

Note: It might take 5-10 minutes for the ingress to be properly provisioned.