{"id":430,"date":"2021-03-06T09:57:32","date_gmt":"2021-03-06T09:57:32","guid":{"rendered":"https:\/\/rejupillai.com\/?p=430"},"modified":"2026-04-13T00:08:36","modified_gmt":"2026-04-13T00:08:36","slug":"configure-tls-on-gke-ingress-for-free-with-lets-encrypt","status":"publish","type":"post","link":"https:\/\/rejupillai.com\/index.php\/2021\/03\/06\/configure-tls-on-gke-ingress-for-free-with-lets-encrypt\/","title":{"rendered":"Let&#8217;s Encrypt the Web (for free)"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"223\" height=\"33\" src=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image.png\" alt=\"\" class=\"wp-image-434\"\/><\/figure>\n\n\n\n<p>Can you remember the last time you browsed a website that said &#8220;Not Secure&#8221; in the URL address bar? If you are a smart internet user, my guess is that it must have been a long time ago. Even though you may not exchange any information, sensitive or otherwise, and regardless of whether the website is transactional or informational, that warning just doesn&#8217;t give you the comfort and trust to visit and keep browsing the site. <\/p>\n\n\n\n<p>This blog post focuses on securing HTTP connections for a workload running on GKE, using Cert-Manager and the Let&#8217;s Encrypt service as the free SSL provider. <\/p>\n\n\n\n<p>And don&#8217;t worry, the site you are reading this blog on is secured \ud83d\ude42<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why https?<\/h2>\n\n\n\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\">TLS<\/a> encrypts the data exchanged between browser and server over the public internet, a.k.a. &#8220;the web&#8221;, which can be a very insecure place, prone to <a href=\"https:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\">man-in-the-middle<\/a> attacks. Without possession of the private key used to encrypt the data, it is almost impossible to make any sense of that gibberish even if you get hold of it. 
TLS certificates are the most commonly used <a href=\"https:\/\/en.wikipedia.org\/wiki\/Public_key_certificate\">PKI<\/a> on the web, and they are very hard to break when the bit size of the encryption algorithm is large; this old tweet explains why:<\/p>\n\n\n\n<figure class=\"wp-block-embed-twitter wp-block-embed is-type-rich is-provider-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">Prime factorization challenge. <br><br>Wonder why we put OpenSSL <a href=\"https:\/\/twitter.com\/hashtag\/RSA?src=hash&amp;ref_src=twsrc%5Etfw\">#RSA<\/a> encryption with bitsize of 1024 or 2048 ? <br><br>The highest factors anyone has deduced till date is 829 bits. <br><br>A 64bit key can be found in less than a sec, and a 1024 would require 30 years or more for a normal computer <a href=\"https:\/\/t.co\/INN43JXyJS\">pic.twitter.com\/INN43JXyJS<\/a><\/p>&mdash; Reju Pillai (@reju_pillai) <a href=\"https:\/\/twitter.com\/reju_pillai\/status\/1279803391313494016?ref_src=twsrc%5Etfw\">July 5, 2020<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<p>So you can safely assume that no one else is able to see your data or conversation.<\/p>\n\n\n\n<p>The other main reasons for using https:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Improved SEO ranking for your website<\/li><li>HTTPS referrers: if you refer to an http link from an https website, it is most likely gonna be blocked with a Mixed-Content warning. So people will not add your links to their websites.<\/li><li>Mobile browser compatibility: the latest iOS and Android demand that all connections use TLS. 
See <a href=\"https:\/\/beta.techcrunch.com\/tag\/wwdc2016\/\">Apple&#8217;s announcement<\/a><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Let&#8217;s begin and let&#8217;s encrypt<\/h2>\n\n\n\n<p>We want to implement this architecture<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"635\" src=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-11-1024x635.png\" alt=\"\" class=\"wp-image-458\" srcset=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-11-1024x635.png 1024w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-11-300x186.png 300w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-11-768x476.png 768w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-11-1170x725.png 1170w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-11.png 1516w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/cloud.google.com\/kubernetes-engine\">GKE Cluster<\/a><\/li><li><a href=\"https:\/\/cert-manager.io\/docs\/configuration\/acme\/dns01\/\">Cert-Manager<\/a><\/li><li><a href=\"https:\/\/letsencrypt.org\/how-it-works\/\">ACME Let\u2019s Encrypt<\/a> , Free TLS Cert Service Provider<\/li><li>My favorite <a href=\"https:\/\/github.com\/mreferre\/yelb\/blob\/master\/deployments\/platformdeployment\/Kubernetes\/yaml\/yelb-k8s-ingress-alb.yaml\">Yelb<\/a> restaurant voting app from <em>mreferre<\/em> (you can use any web-app, it just needs to have an Ingress )<\/li><li><a href=\"https:\/\/cloud.google.com\/dns\">CloudDNS<\/a><\/li><li><a href=\"https:\/\/cloud.google.com\/domains\/docs\/overview\">Google Domains<\/a><\/li><li><a href=\"https:\/\/cloud.google.com\/load-balancing\/docs\/https\">Google Cloud LoadBalancer<\/a> (Implemented internally by Kubernetes Ingress)<\/li><li><a 
href=\"https:\/\/cloud.google.com\/compute\/docs\/ip-addresses\/reserve-static-external-ip-address\">External Static IP<\/a><\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Step 1 : Reserve a Public IP in Google Cloud<\/h4>\n\n\n\n<p>A static IP must be passed to the Ingress configuration; otherwise, every time you create a new Ingress resource, a Load Balancer with a random public IP will be created. This is tedious because you need to reconfigure the DNS every time.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>gcloud compute addresses create yelb-ext-ip --global --ip-version IPV4\ngcloud compute addresses list<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"80\" src=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-1-1024x80.png\" alt=\"\" class=\"wp-image-440\" srcset=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-1-1024x80.png 1024w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-1-300x23.png 300w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-1-768x60.png 768w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-1-1170x91.png 1170w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-1.png 1802w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step 2 : Secure a Domain for your App using Google Domains<\/h4>\n\n\n\n<p>While you can use any domain registrar service like GoDaddy, Namecheap etc., I would recommend you use <a href=\"https:\/\/cloud.google.com\/domains\/docs\/overview\">Google Domains<\/a>. It is awesome and very simple. The charges are also very nominal. For my new domain <strong>gcp-demos.net<\/strong> it charges 1$ per month. 
<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"906\" height=\"571\" src=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-3.png\" alt=\"\" class=\"wp-image-442\" srcset=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-3.png 906w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-3-300x189.png 300w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-3-768x484.png 768w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-3-350x220.png 350w\" sizes=\"auto, (max-width: 906px) 100vw, 906px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step 4 : Register your Domain with Google Cloud DNS <\/h4>\n\n\n\n<p>I also recommend using Google <a href=\"https:\/\/cloud.google.com\/dns\">Cloud DNS <\/a>as the DNS server.<\/p>\n\n\n\n<p>Create an A record with the static IP you reserved earlier and register the base domain. Also create a few CNAMEs like <strong>blog.gcp-demos.net<\/strong>, so we can test the validity of the TLS certificate for wildcard (*) entries too. 
<\/p>\n\n\n\n<p>Note &#8211; <em>make sure the name servers set in Google Domains are the same as those of Google Cloud DNS<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"561\" src=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-4-1024x561.png\" alt=\"\" class=\"wp-image-443\" srcset=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-4-1024x561.png 1024w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-4-300x164.png 300w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-4-768x421.png 768w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-4-1170x641.png 1170w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step 5 : Deploy Cert-Manager<\/h4>\n\n\n\n<p><a href=\"https:\/\/cert-manager.io\/docs\/configuration\/acme\/dns01\/\">Cert-Manager<\/a> is the main infrastructure for creating and managing TLS certificates in Kubernetes. 
You can deploy it using multiple methods, including a Helm package from Jetstack: <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ helm repo add jetstack https:\/\/charts.jetstack.io\n$ helm repo update\n$ helm install --version &lt;version> &lt;release_name> jetstack\/cert-manager<\/code><\/pre>\n\n\n\n<p>For this blog, I have used the kubectl manifest below to deploy cert-manager.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply -f https:\/\/github.com\/jetstack\/cert-manager\/releases\/download\/v1.2.0\/cert-manager.yaml<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl get pods -n cert-manager<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"761\" height=\"109\" src=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-5.png\" alt=\"\" class=\"wp-image-445\" srcset=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-5.png 761w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-5-300x43.png 300w\" sizes=\"auto, (max-width: 761px) 100vw, 761px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step 6.1 : Configure Service Account to interact with Cloud DNS<\/h4>\n\n\n\n<p>Code borrowed from : <\/p>\n\n\n\n<p><a href=\"https:\/\/knative.dev\/docs\/serving\/using-cert-manager-on-gcp\/\">https:\/\/knative.dev\/docs\/serving\/using-cert-manager-on-gcp\/<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Set this to your GCP project ID\nexport PROJECT_ID=&lt;Your Project>\n\n# Name of the service account you want to create.\nexport CLOUD_DNS_SA=cert-manager-cloud-dns-admin\ngcloud --project $PROJECT_ID iam service-accounts \\\n  create $CLOUD_DNS_SA \\\n  --display-name \"Service Account to support ACME DNS-01 challenge.\"\n\n# Fully-qualified service account name also has project-id information.\nexport CLOUD_DNS_SA=$CLOUD_DNS_SA@$PROJECT_ID.iam.gserviceaccount.com\n\n# Bind the role dns.admin to this service account, so it can be used to support\n# the ACME DNS01 challenge.\ngcloud projects 
add-iam-policy-binding $PROJECT_ID \\\n  --member serviceAccount:$CLOUD_DNS_SA \\\n  --role roles\/dns.admin\n\n# Make a temporary directory to store key\nKEY_DIRECTORY=`mktemp -d`\n\n# Download the secret key file for your service account.\ngcloud iam service-accounts keys create $KEY_DIRECTORY\/cloud-dns-key.json \\\n  --iam-account=$CLOUD_DNS_SA\n\n# Upload that as a secret in your Kubernetes cluster.\nkubectl create secret --namespace cert-manager generic cloud-dns-key \\\n  --from-file=key.json=$KEY_DIRECTORY\/cloud-dns-key.json\n\n# Delete the local copy of the key\nrm -rf \"$KEY_DIRECTORY\"<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Step 6.2 : Deploy a ClusterIssuer<\/h4>\n\n\n\n<p>Note that the SSL provider here is the ACME service, so please check that the cert-manager Pods have egress access to reach https:\/\/acme-v02.api.letsencrypt.org\/directory<\/p>\n\n\n\n<p>If you want to restrict the ClusterIssuer to a namespace, then use Issuer instead.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step 6.3 : Choose a DNS solver<\/h4>\n\n\n\n<p>There are 2 types of solvers: HTTP-based and DNS-based. The benefit of using the DNS solver is that it accepts multiple FQDNs for the Common Name; it also accepts wildcard entries to create certificates.<\/p>\n\n\n\n<p>You will notice that the Cert-Manager <a href=\"https:\/\/cert-manager.io\/docs\/configuration\/acme\/dns01\/\">DNS solver <\/a>has implementations for many clouds, but we are interested in Google Cloud DNS, hence you will see dns01 is implemented using <strong>clouddns<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\nkubectl apply --filename - &lt;&lt;EOF\napiVersion: cert-manager.io\/v1alpha2\nkind: ClusterIssuer\nmetadata:\n  name: letsencrypt-issuer\nspec:\n  acme:\n    server: https:\/\/acme-v02.api.letsencrypt.org\/directory\n    # This will register an issuer with LetsEncrypt.  
Replace\n    # with your admin email address.\n    email: &lt;Your Email>\n    privateKeySecretRef:\n      # Set privateKeySecretRef to any unused secret name.\n      name: letsencrypt-issuer\n    solvers:\n    - dns01:\n        clouddns:\n          # Set this to your GCP project-id\n          project: $PROJECT_ID\n          # Set this to the secret in which we published our service account key\n          # in the previous step.\n          serviceAccountSecretRef:\n            name: cloud-dns-key\n            key: key.json\nEOF<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>gcloud beta container --project \"reju-gcct-demos\" clusters create \"cluster-1\" --zone \"us-central1-c\"<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Step 6.4 : Issue Wild Card Certificate<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code># Change this value to the domain you want to use.\nexport DOMAIN=&lt;Your Domain> # e.g. gcp-demos.net\nkubectl apply --filename - &lt;&lt;EOF\napiVersion: cert-manager.io\/v1alpha2\nkind: Certificate\nmetadata:\n  name: yelb-tls-cert\nspec:\n  secretName: yelb-tls-secret\n  issuerRef:\n    name: letsencrypt-issuer\n    kind: ClusterIssuer\n  dnsNames:\n  - \"*.$DOMAIN\"\nEOF<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Step 7 : Connect &amp; deploy your favorite K8s App <\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>gcloud container clusters get-credentials cluster-1 --zone us-central1-c --project reju-gcct-demos<\/code><\/pre>\n\n\n\n<p>It can literally be any hello-world app, but I&#8217;ve used Yelb code (one of my favourites) and modified the Ingress and Services sections to suit my needs.<\/p>\n\n\n\n<p>Original at:<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/mreferre\/yelb\">https:\/\/github.com\/mreferre\/yelb<\/a> ; thanks Massimo Re Ferr\u00e8<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl apply --filename - &lt;&lt;EOF\n\n#apiVersion: extensions\/v1beta1\napiVersion: networking.k8s.io\/v1beta1\n\nkind: Ingress\nmetadata:\n  
name: \"yelb-ui\"\n  annotations:\n    kubernetes.io\/ingress.global-static-ip-name: \"yelb-ext-ip\"\n    kubernetes.io\/ingress.class: \"gce\"\n    cert-manager.io\/cluster-issuer: letsencrypt-issuer\n  labels:\n    app: \"yelb-ui\"\nspec:\n  rules:\n    - host: blog.gcp-demos.net\n      http:\n        paths:\n          - path: \/\n            # A path takes a single backend; the duplicate \"backend\" key for\n            # yelb-ui-http (port 80) is dropped so the manifest is valid YAML.\n            backend:\n              serviceName: \"yelb-ui-https\"\n              servicePort: 443\n  tls: # &lt; placing a host in the TLS config will indicate a certificate should be created\n  - hosts:\n    - blog.gcp-demos.net\n    secretName: yelb-tls-secret\n---\nEOF<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Step 7.1 : Ingress Configurations<\/h4>\n\n\n\n<p>The main configuration is in the Ingress section of the Kube App manifest.<\/p>\n\n\n\n<p><strong>Annotations<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kubernetes.io\/ingress.global-static-ip-name: \"yelb-ext-ip\"\nkubernetes.io\/ingress.class: \"gce\"\ncert-manager.io\/cluster-issuer: letsencrypt-issuer<\/code><\/pre>\n\n\n\n<p><em>yelb-ext-ip <\/em>is the external public IP that we reserved earlier for the load balancer.<\/p>\n\n\n\n<p><em>gce class<\/em><strong> <\/strong>directs the Google Cloud LoadBalancer to provision the HTTPS L7 LB.<\/p>\n\n\n\n<p><em>letsencrypt-issuer <\/em>is the ClusterIssuer created earlier, which has the necessary configuration to build the Certificate and Secret. 
Eventually it is this certificate that will be installed on the Ingress load balancer by the Cert-manager API.<\/p>\n\n\n\n<p><strong>Hosts &amp; SecretName<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  - hosts:\n    - blog.gcp-demos.net\n    secretName: yelb-tls-secret<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Backend Services<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    backend:\n       serviceName: \"yelb-ui-https\"\n       servicePort: 443<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Step 8.1 : Review the output of applying the YAML spec<\/h4>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"400\" src=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-6-1024x400.png\" alt=\"\" class=\"wp-image-447\" srcset=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-6-1024x400.png 1024w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-6-300x117.png 300w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-6-768x300.png 768w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-6-1170x457.png 1170w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step 8.2 : Also review the objects with certificates being created on the GCLB<\/h4>\n\n\n\n<p>As you can see, the API (annotation from the Ingress spec) creates an http (80) and an https (443) load balancer, and configures the certificate on the latter.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"738\" src=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-12-1024x738.png\" alt=\"\" class=\"wp-image-464\" srcset=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-12-1024x738.png 1024w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-12-300x216.png 300w, 
https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-12-768x553.png 768w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-12-1170x843.png 1170w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-12.png 1876w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"721\" src=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-8-1024x721.png\" alt=\"\" class=\"wp-image-449\" srcset=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-8-1024x721.png 1024w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-8-300x211.png 300w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-8-768x540.png 768w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-8.png 1060w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Step 9: Finally review the Web-Application  <\/h4>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-10.png\" alt=\"\" class=\"wp-image-451\" width=\"439\" height=\"149\" srcset=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-10.png 852w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-10-300x102.png 300w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-10-768x261.png 768w\" sizes=\"auto, (max-width: 439px) 100vw, 439px\" \/><figcaption>https lock<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-9.png\" alt=\"\" class=\"wp-image-450\" width=\"443\" height=\"353\" srcset=\"https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-9.png 926w, 
https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-9-300x239.png 300w, https:\/\/rejupillai.com\/wp-content\/uploads\/2021\/03\/image-9-768x612.png 768w\" sizes=\"auto, (max-width: 443px) 100vw, 443px\" \/><figcaption>Certificate<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusions<\/h2>\n\n\n\n<p>Let&#8217;s Encrypt is a free service backed by many large organizations and is on a mission to encrypt the Web. With more &amp; more Cloud native workloads running on K8s, it is important to understand the mechanics behind not just creating, but managing certificates, and cert-manager is an excellent solution for this.<\/p>\n\n\n\n<p>In this blog, we saw how to create and register a domain and use it to deploy a web-application and finally configure a TLS certificate to the https Load Balancer created by the Ingress controller.<\/p>\n\n\n\n<p>Thanks for reading ! <\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Can you remember last time you browsed a website that said &#8220;Not Secure&#8221; on the URL address bar ? If you are a smart internet user, my guess is that it must have been a long time ago. 
Though you mayn&#8217;t exchange any information, sensitive or otherwise, and regardless of<\/p>\n","protected":false},"author":1,"featured_media":431,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[9,18,15,17,8,19,20,13,7,16,11,10],"class_list":["post-430","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-google-cloud","tag-cert-manager","tag-certificates","tag-clouddns","tag-encryption","tag-gke","tag-google","tag-googlecloud","tag-kubernetes","tag-letsencrypt","tag-security","tag-ssl","tag-tls","ct-col-2"],"_links":{"self":[{"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/posts\/430","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/comments?post=430"}],"version-history":[{"count":22,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/posts\/430\/revisions"}],"predecessor-version":[{"id":467,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/posts\/430\/revisions\/467"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/media\/431"}],"wp:attachment":[{"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/media?parent=430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/categories?post=430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/tags?post=430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}