GKE Ingress and CDN

sdarwin · November 14, 2023, 11:21pm

Hi,

We are using GKE Autopilot to run a cluster, a hosted Python Django app, using Ingress, Deployments, ManagedCertificates.

We would like to place a 3rd-party CDN in front of this.

A problem comes to mind, about how Google managed certs will work in that environment.

https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs

“”"
Important: It’s best to ensure that your domains are pointed directly at your load balancer’s IP address. For load balancers that have Cloud CDN enabled, some third-party CDN providers might prevent validation requests from succeeding. This can happen if the CDN provider is actively proxying HTTP(S) traffic.
“”"

You can imagine a list of popular CDN vendors, and with ordinary usage of those CDNs, they will be actively proxying HTTP(S) traffic.

Will that prevent renewal of Google managed certs? The warning is not absolute. It seems to recommend “pointed directly at your load balancer’s IP address”, but that excludes the usage of a CDN. are there any more details available…?

Thinking further ahead, what other options are recommended?

Thanks,
Sam

garisingh · November 15, 2023, 9:59am

Hi Sam -

Are you open to using the Gateway API rather than Ingress? As an FYI, the Gateway API is the strategic direction for load balancing with GKE, although of course Ingress will continue to be supported.

The reason I’m suggesting Gateway API is because it works with Google Certificate Manager, which supports domain authorization in addition to load balancer authorization. With domain authorization, it no longer matters if your A / AAAA record points to the load balancer IP. It is the recommended path for working with 3rd-party CDNs or other frontend proxies.

sdarwin · November 15, 2023, 11:23am

Yes I see that Gateway API is the next generation Ingress. That appears to be the solution. When exploring this puzzle I had been trying to avoid rewriting all the logic surrounding Certs and Ingress.

I saw your answer on stackoverflow also: “note that Certificate Manager only integrates with the Gateway API and not with Ingress.”
The new Gateway and HTTPRoute resources look similar to Ingress.
Thanks for the help.

Topic		Replies	Views
Using DNS authenticated SSL certificates with GKE ingress Serverless Applications gke	3	119	May 3, 2024
How to use Cloud CDN in front of kubernetes gateway? Serverless Applications gke	11	255	November 29, 2024
How do you use GKE managed certificates with K8s Gateway Resource Serverless Applications gke	10	633	January 25, 2025

GKE Ingress and CDN

AI Suggested topics