
GKE Ingress and CDN

Hi, 

We are using GKE Autopilot to run a cluster, a hosted Python Django app, using Ingress, Deployments, ManagedCertificates.

We would like to place a 3rd-party CDN in front of this.

A problem comes to mind, about how Google managed certs will work in that environment.

https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs

"""
Important: It's best to ensure that your domains are pointed directly at your load balancer's IP address. For load balancers that have Cloud CDN enabled, some third-party CDN providers might prevent validation requests from succeeding. This can happen if the CDN provider is actively proxying HTTP(S) traffic.
"""

You can imagine a list of popular CDN vendors, and with ordinary usage of those CDNs, they will be actively proxying HTTP(S) traffic. 

Will that prevent renewal of Google managed certs? The warning is not absolute. It seems to recommend "pointed directly at your load balancer's IP address", but that excludes the usage of a CDN. Are there any more details available...?

Thinking further ahead, what other options are recommended?

Thanks,
Sam


Hi Sam -

Are you open to using the Gateway API rather than Ingress?  As an FYI, the Gateway API is the strategic direction for load balancing with GKE, although of course Ingress will continue to be supported.

The reason I'm suggesting Gateway API is because it works with Google Certificate Manager, which supports domain authorization in addition to load balancer authorization.  With domain authorization, it no longer matters if your A / AAAA record points to the load balancer IP.  It is the recommended path for working with 3rd-party CDNs or other frontend proxies.
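Putting the answer above into concrete form, as an added example that is not from this thread or from Google's documentation: Certificate Manager issues the certificate through a DNS authorization (the gcloud steps are in the comments), and the Gateway picks it up through a certificate map annotation instead of a listener certificateRef. The resource names, the hostname app.example.com and the django-web Service are placeholders; the annotation and gateway class names are the GKE-documented ones.

```yaml
# Added example. Assumptions: the GKE Autopilot cluster already exists, the
# hostname is app.example.com, the Django Deployment is exposed as django-web:8000.
#
# 1. Create a DNS authorization and read back the CNAME to publish.
#    gcloud certificate-manager dns-authorizations create django-auth \
#        --domain="app.example.com"
#    gcloud certificate-manager dns-authorizations describe django-auth
#    # -> dnsResourceRecord: name: _acme-challenge.app.example.com., type: CNAME,
#    #    data: <token>.authorize.certificatemanager.goog.
#    Publish that CNAME at your DNS provider. Validation is DNS-based, so a CDN
#    proxying HTTP(S) in front of the load balancer no longer affects issuance.
#
# 2. Create the certificate bound to that authorization, then a map and entry.
#    gcloud certificate-manager certificates create django-cert \
#        --domains="app.example.com" --dns-authorizations=django-auth
#    gcloud certificate-manager maps create django-certmap
#    gcloud certificate-manager maps entries create django-entry \
#        --map=django-certmap --certificate=django-cert --hostname=app.example.com
#
# 3. Check before pointing the CDN at the Gateway: managed.state must be ACTIVE
#    and the authorizationAttemptInfo entry for the domain AUTHORIZED.
#    gcloud certificate-manager certificates describe django-cert
#
# 4. Attach the map to the Gateway. No certificateRefs on the listener; the
#    annotation tells the GKE Gateway controller to serve from Certificate Manager.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: django-gateway
  annotations:
    networking.gke.io/certmap: django-certmap
spec:
  gatewayClassName: gke-l7-global-external-managed
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: django-route
spec:
  parentRefs:
  - name: django-gateway
  hostnames:
  - "app.example.com"
  rules:
  - backendRefs:
    - name: django-web
      port: 8000
```

Renewals reuse the same DNS authorization, so the `_acme-challenge` CNAME has to stay in place for as long as the certificate is in use.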

Yes, I see that Gateway API is the next-generation Ingress. That appears to be the solution. When exploring this puzzle I had been trying to avoid rewriting all the logic surrounding Certs and Ingress.

I saw your answer on stackoverflow also: "note that Certificate Manager only integrates with the Gateway API and not with Ingress."
The new Gateway and HTTPRoute resources look similar to Ingress.
Thanks for the help.
