Contents

1. Prepare the GKE cluster and deploy the workloads

Create the GKE cluster

Create the Deployment

Create the Service

2. Configure the HTTP/HTTPS Load Balancer

Create the HTTP Load Balancer

Create a Backend Service

Create a Health Check

Verify the HTTP Load Balancer

3. Create and configure Certificate Manager

Create a Certificate with DNS Authorization

Create the Certificate Map and Entries

Create the Target HTTPS Proxy

Create the Forwarding Rule

Add a DNS A record for HTTPS

Verify

4. Add a certificate for a subdomain

Deploy the hello application on GKE as a backend service

Create the Backend

Configure the Certificate

Verify access to the subdomain

Background

Google Cloud Certificate Manager issues and manages SSL/TLS certificates and is used together with the HTTPS load balancer. More information: https://cloud.google.com/certificate-manager/docs/overview

Compared with attaching SSL certificates to the target proxy directly, Certificate Manager has the following advantages:

  • Automatic renewal of Google-managed certificates

  • Wildcard certificates

  • DNS-based domain validation: the domain is proven by publishing a CNAME record, so the certificate can be issued before the load balancer serves any traffic

  • Certificate selection by hostname (the SNI the client sends)

  • Removes the limit of 15 certificates per load balancer (target proxy)

Use cases

1. Certificates created with the older Google-managed SSL certificates could take a long time to provision, so replacing the certificate for a domain or subdomain meant a long outage. With Certificate Manager the certificate is created and validated ahead of time and is only attached to the Target HTTPS Proxy once its state is ACTIVE, which reduces the downtime to the proxy switch itself.

2. When a workload consists of many backend services published under different domain names, Certificate Manager lets you add and rotate certificates dynamically: one certificate map entry per hostname, without rebuilding the proxy.

In this lab we create a GKE cluster, deploy two different services on it, home and hello, and publish them through an HTTPS load balancer. In the URL map, the two hostnames home and hello are routed to different backend services. With Certificate Manager we issue two independent certificates, one for home and one for hello, bind them to the Target HTTPS Proxy through a certificate map, and publish both behind a single IP address.

1. Prepare the GKE cluster and deploy the workloads

Create the GKE cluster

A single-node zonal cluster is enough for this lab. --enable-ip-alias (a VPC-native cluster) is required: the NEG controller can only place pods in a network endpoint group when pod IPs are routable alias IPs.

gcloud beta container --project "flius-vpc-2" clusters create "ccm-test-cluster" \
  --zone "us-central1-c" \
  --num-nodes "1" \
  --enable-ip-alias \
  --node-locations "us-central1-c"

Create the Deployment

Three nginx replicas; the container listens on port 80.

cat <<EOF |  kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: "nginx"   # unpinned tag; pin a version or digest for reproducible deploys
EOF

Create the Service

The cloud.google.com/neg annotation makes the GKE NEG controller create a standalone zonal network endpoint group named ccm-neg for service port 8080. Its endpoints are the pod IPs on targetPort 80, so the load balancer sends traffic straight to the pods instead of through a NodePort.

cat <<EOF |  kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: nginx-1
  annotations:
    # standalone NEG "ccm-neg" for service port 8080 (pod port 80)
    cloud.google.com/neg: '{"exposed_ports": {"8080":{"name": "ccm-neg"}}}'
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
EOF

2. Configure the HTTP/HTTPS Load Balancer

Create the HTTP Load Balancer

Create a Backend Service

Create a Health Check
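The three steps above were shown as console screenshots that are not part of the text. The following script is an added example, not code from the original post: it performs the same steps with gcloud, building the HTTP load balancer in front of the standalone NEG ccm-neg that the Service annotation created. The names ccm-backend and ccm-loadbalancer come from the post's later output; the health check ccm-hc, the proxy ccm-http-proxy, the forwarding rule ccm-fw-rule-http, the firewall rule ccm-allow-hc, the network default and the node tag are assumptions.

```bash
#!/bin/sh
# Added example (not from the original post): build the HTTP load balancer of
# section 2 in front of the standalone NEG "ccm-neg" that the Service annotation
# created. ccm-backend and ccm-loadbalancer are the post's names; the health-check,
# proxy, firewall-rule and forwarding-rule names, the network "default" and the
# node tag are assumptions.
set -eu

PROJECT=${PROJECT:-flius-vpc-2}
ZONE=${ZONE:-us-central1-c}
NETWORK=${NETWORK:-default}   # assumption: the cluster lives in the default VPC
NODE_TAG=${NODE_TAG:-}        # assumption: GKE node network tag; empty = all instances in the VPC

# Google's health checkers and proxies must be allowed to reach the pods on port 80.
# GKE creates this rule for Ingress, not for standalone NEGs. Scope it to the node
# tag and the container port rather than opening the whole VPC.
allow_health_checks() {
  gcloud compute firewall-rules create ccm-allow-hc --project="$PROJECT" \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules=tcp:80 \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    ${NODE_TAG:+--target-tags="$NODE_TAG"}
}

# Health check -> backend service (NEG backend) -> URL map -> HTTP proxy -> forwarding rule.
# Prints the frontend IP, which is what the curl check in the post is run against.
create_http_lb() {
  neg=$1
  # Fail fast if the NEG controller has not created the NEG yet.
  gcloud compute network-endpoint-groups describe "$neg" --zone="$ZONE" --project="$PROJECT" >/dev/null
  gcloud compute health-checks create http ccm-hc --project="$PROJECT" --port=80 --request-path=/
  gcloud compute backend-services create ccm-backend --project="$PROJECT" --global \
    --protocol=HTTP --health-checks=ccm-hc
  gcloud compute backend-services add-backend ccm-backend --project="$PROJECT" --global \
    --network-endpoint-group="$neg" --network-endpoint-group-zone="$ZONE" \
    --balancing-mode=RATE --max-rate-per-endpoint=100
  gcloud compute url-maps create ccm-loadbalancer --project="$PROJECT" --default-service=ccm-backend
  gcloud compute target-http-proxies create ccm-http-proxy --project="$PROJECT" --url-map=ccm-loadbalancer
  gcloud compute forwarding-rules create ccm-fw-rule-http --project="$PROJECT" --global \
    --load-balancing-scheme=EXTERNAL --target-http-proxy=ccm-http-proxy --ports=80
  gcloud compute forwarding-rules describe ccm-fw-rule-http --project="$PROJECT" --global \
    --format='value(IPAddress)'
}

# Run with CCM_APPLY=1 to create the resources; sourcing the file only defines the functions.
if [ "${CCM_APPLY:-0}" = 1 ]; then
  allow_health_checks
  create_http_lb "${NEG:-ccm-neg}"
fi
```

Sourcing the file only defines the functions; CCM_APPLY=1 sh lb.sh creates the resources. The firewall rule is the step most often missed with standalone NEGs: without it the health checks fail and the backend service reports no healthy endpoints even though the pods answer curl from inside the cluster.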

Verify the HTTP Load Balancer

First look up the frontend IP of the HTTP load balancer (the IP of its forwarding rule), then request it with curl. A 200 response carrying "Via: 1.1 google" shows the request went through the Google front end to the nginx pods in the NEG:

curl -i 34.117.159.195

HTTP/1.1 200 OK
Server: nginx/1.21.6
Date: Wed, 23 Mar 2022 16:04:43 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 25 Jan 2022 15:03:52 GMT
ETag: "61f01158-267"
Accept-Ranges: bytes
Via: 1.1 google

3. Create and configure Certificate Manager

First create a Certificate Manager DNS Authorization for the hostname. Its output tells you which CNAME record to publish; Certificate Manager proves control of the domain through that record, so the certificate can be issued before any traffic reaches the load balancer.

gcloud beta certificate-manager dns-authorizations create ccm-dns-auth-home --domain=home.fliu-demo.xyz

Create request issued for: [ccm-dns-auth-home]
Waiting for operation [projects/flius-vpc-2/locations/global/operations/operation-1648090640110-5daee012953a9-f3f2bb03-681093da] to complete...done.
Created dnsAuthorization [ccm-dns-auth-home].
NAME               DOMAIN              DNS_RECORD                           RECORD_TYPE  DNS_VALUE
ccm-dns-auth-home  home.fliu-demo.xyz  _acme-challenge.home.fliu-demo.xyz.  CNAME        76e5bda0-536c-405c-b432-03685a06c4da.8.authorize.certificatemanager.goog.

Add the CNAME record from the DNS_RECORD and DNS_VALUE columns to your DNS zone. The record must resolve in public DNS before the certificate can become ACTIVE.

Create a Certificate with DNS Authorization

gcloud beta certificate-manager certificates create ccm-cert-home  --domains=home.fliu-demo.xyz --dns-authorizations=ccm-dns-auth-home

Create request issued for: [ccm-cert-home]
Waiting for operation [projects/flius-vpc-2/locations/global/operations/operation-1648090948861-5daee13907ccd-a516a290-9753629b] to complete...done.
Created certificate [ccm-cert-home].

Describe the certificate until managed.state is ACTIVE. authorizationAttemptInfo shows whether the CNAME check for each domain has passed (AUTHORIZED). If it reports FAILED, fix the DNS record rather than waiting, and do not attach the certificate to a proxy before it is ACTIVE.

gcloud beta certificate-manager certificates describe ccm-cert-home

createTime: '2022-03-24T03:02:28.952867134Z'
expireTime: '2022-06-22T02:02:30Z'
managed:
  authorizationAttemptInfo:
  - domain: home.fliu-demo.xyz
    state: AUTHORIZED
  dnsAuthorizations:
  - projects/647512629680/locations/global/dnsAuthorizations/ccm-dns-auth-home
  domains:
  - home.fliu-demo.xyz
  state: ACTIVE
name: projects/flius-vpc-2/locations/global/certificates/ccm-cert-home

Create the Certificate Map and Entries

A certificate map holds one entry per hostname; the load balancer picks the entry whose hostname matches the SNI the client sends.

gcloud beta certificate-manager maps create ccm-map-home

gcloud beta certificate-manager maps entries create ccm-entry-home --map=ccm-map-home --certificates=ccm-cert-home --hostname=home.fliu-demo.xyz

gcloud beta certificate-manager maps entries describe ccm-entry-home --map=ccm-map-home

certificates:
- projects/647512629680/locations/global/certificates/ccm-cert-home
createTime: '2022-03-24T03:18:21.272257190Z'
hostname: home.fliu-demo.xyz
name: projects/flius-vpc-2/locations/global/certificateMaps/ccm-map-home/certificateMapEntries/ccm-entry-home
state: PENDING
updateTime: '2022-03-24T03:18:21.571524549Z'

The entry is PENDING right after creation and becomes ACTIVE once it has propagated (the entries list in section 4 shows both entries ACTIVE).

Create the Target HTTPS Proxy

The HTTPS proxy reuses the URL map ccm-loadbalancer that the HTTP load balancer from section 2 already uses, so both frontends route to the same backend. Instead of --ssl-certificates it is given --certificate-map:

gcloud compute url-maps list

NAME              DEFAULT_SERVICE
ccm-loadbalancer  backendServices/ccm-backend

gcloud compute url-maps describe ccm-loadbalancer

creationTimestamp: '2022-03-23T08:55:47.371-07:00'
defaultService: https://www.googleapis.com/compute/v1/projects/flius-vpc-2/global/backendServices/ccm-backend
fingerprint: LhXWP4tTU84=
id: '7150627926845095404'
kind: compute#urlMap
name: ccm-loadbalancer
selfLink: https://www.googleapis.com/compute/v1/projects/flius-vpc-2/global/urlMaps/ccm-loadbalancer

gcloud beta compute target-https-proxies create ccm-https-proxy-home --url-map=https://www.googleapis.com/compute/v1/projects/flius-vpc-2/global/urlMaps/ccm-loadbalancer --certificate-map=projects/flius-vpc-2/locations/global/certificateMaps/ccm-map-home --global

Created [https://www.googleapis.com/compute/beta/projects/flius-vpc-2/global/targetHttpsProxies/ccm-https-proxy-home].
NAME                  SSL_CERTIFICATES  URL_MAP           CERTIFICATE_MAP
ccm-https-proxy-home                    ccm-loadbalancer  ccm-map-home
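The "describe until ACTIVE" step above, and the no-downtime rotation from the use cases, can be scripted. The following is an added example, not code from the original post: it polls managed.state, refuses to continue after FAILED, adds the map entry, waits for the entry to become ACTIVE and only then points the proxy at the map with target-https-proxies update --certificate-map (a step the post does not show; it is what you use when the proxy already exists). Resource names are the post's; PROJECT, the polling limits and the dig-based CNAME check are assumptions.

```bash
#!/bin/sh
# Added example (not from the original post): gate the certificate switch on
# Certificate Manager's own state instead of eyeballing "describe" output.
# Resource names come from the post; PROJECT, the polling limits, the use of
# "dig" and the proxy update step are assumptions.
set -eu

PROJECT=${PROJECT:-flius-vpc-2}
POLL_INTERVAL=${POLL_INTERVAL:-30}    # seconds between polls
POLL_MAX_TRIES=${POLL_MAX_TRIES:-60}  # 60 x 30 s = 30 minutes

cert_state()  { gcloud beta certificate-manager certificates describe "$1" --project="$PROJECT" --format='value(managed.state)'; }
entry_state() { gcloud beta certificate-manager maps entries describe "$1" --map="$2" --project="$PROJECT" --format='value(state)'; }

# Poll a state-printing command until it reports ACTIVE. FAILED aborts at once
# (a failed DNS authorization never recovers by waiting); returns 2 on timeout.
wait_for_active() {
  tries=0
  while :; do
    state=$("$@") || return 1
    case "$state" in
      ACTIVE) return 0 ;;
      FAILED) printf 'FAILED: %s\n' "$*" >&2; return 1 ;;
    esac
    tries=$((tries + 1))
    if [ "$tries" -ge "$POLL_MAX_TRIES" ]; then printf 'timeout waiting for %s\n' "$*" >&2; return 2; fi
    sleep "$POLL_INTERVAL"
  done
}

# The CNAME that Certificate Manager asked for must resolve in public DNS to the value
# it expects; a missing or stale record is the usual cause of a FAILED certificate.
# Assumes "dig" is installed.
check_dns_authorization() {
  record=$(gcloud beta certificate-manager dns-authorizations describe "$1" --project="$PROJECT" --format='value(dnsResourceRecord.name)')
  want=$(gcloud beta certificate-manager dns-authorizations describe "$1" --project="$PROJECT" --format='value(dnsResourceRecord.data)')
  got=$(dig +short CNAME "$record")
  [ "$got" = "$want" ] || { printf '%s resolves to "%s", expected "%s"\n' "$record" "$got" "$want" >&2; return 1; }
}

# Order matters for zero downtime: certificate ACTIVE -> map entry ACTIVE -> proxy
# switched to the map. Nothing on the proxy changes while a step is still pending.
rollout_certificate() {
  host=$1 cert=$2 map=$3 entry=$4 proxy=$5
  wait_for_active cert_state "$cert" || return $?
  gcloud beta certificate-manager maps entries create "$entry" --map="$map" \
    --certificates="$cert" --hostname="$host" --project="$PROJECT" || return $?
  wait_for_active entry_state "$entry" "$map" || return $?
  gcloud beta compute target-https-proxies update "$proxy" --project="$PROJECT" \
    --certificate-map="projects/$PROJECT/locations/global/certificateMaps/$map" --global
}

if [ "${CCM_APPLY:-0}" = 1 ]; then
  check_dns_authorization ccm-dns-auth-home
  rollout_certificate home.fliu-demo.xyz ccm-cert-home ccm-map-home ccm-entry-home ccm-https-proxy-home
fi
```

POLL_INTERVAL and POLL_MAX_TRIES bound the wait. The CNAME check queries public DNS, which is also what Certificate Manager sees; a record that exists only in an internal zone never authorizes. The map entries in this lab have no matcher, so they are selected by SNI only; a client that sends no SNI or an unmapped hostname is served the map's primary entry, which is created with --matcher=PRIMARY and has not been set up here.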


Create the Forwarding Rule

gcloud compute forwarding-rules create ccm-fw-rule-home \
        --load-balancing-scheme=EXTERNAL \
        --network-tier=PREMIUM \
        --global \
        --target-https-proxy=ccm-https-proxy-home \
        --ports=443

Created [https://www.googleapis.com/compute/v1/projects/flius-vpc-2/global/forwardingRules/ccm-fw-rule-home].

Add a DNS A record for HTTPS

No --address was given, so the forwarding rule receives an ephemeral external IP (34.110.167.156 in this run). Add an A record for home.fliu-demo.xyz pointing at that IP. An ephemeral IP is lost when the forwarding rule is deleted, which is why section 4 switches to a reserved static address; in production, reserve the address before creating the rule.

Verify

curl -v shows the whole chain of checks: TLS 1.2 with an ECDHE cipher suite, the certificate for CN=home.fliu-demo.xyz issued by GTS CA 1D4, the subjectAltName matching the requested host, "SSL certificate verify ok", and HTTP/2 200 from the backend.

curl -i -v https://home.fliu-demo.xyz
*   Trying 34.110.167.156:443...
* Connected to home.fliu-demo.xyz (34.110.167.156) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=home.fliu-demo.xyz
*  start date: Mar 24 02:02:31 2022 GMT
*  expire date: Jun 22 02:02:30 2022 GMT
*  subjectAltName: host "home.fliu-demo.xyz" matched cert's "home.fliu-demo.xyz"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fbb35810400)
> GET / HTTP/2
> Host: home.fliu-demo.xyz
> user-agent: curl/7.77.0
> accept: */*
>
< HTTP/2 200
HTTP/2 200

4. Add a certificate for a subdomain

Suppose a new application needs to go live under the subdomain hello.fliu-demo.xyz.

Deploy the hello application on GKE as a backend service

cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world-deployment-1
spec:
  selector:
    matchLabels:
      greeting: hello
      version: one
  replicas: 3
  template:
    metadata:
      labels:
        greeting: hello
        version: one
    spec:
      containers:
      - name: hello-app-1
        image: "us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0"
        env:
        - name: "PORT"     # hello-app listens on PORT; 80 matches the Service targetPort
          value: "80"
EOF

The Service exposes port 8081 and asks the NEG controller for a second standalone NEG, ccm-neg-2, again pointing at the pods on port 80:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: hello-world-1
  annotations:
    # standalone NEG "ccm-neg-2" for service port 8081 (pod port 80)
    cloud.google.com/neg: '{"exposed_ports": {"8081":{"name": "ccm-neg-2"}}}'
spec:
  selector:
    greeting: hello
    version: one
  ports:
  - protocol: TCP
    port: 8081
    targetPort: 80
EOF

Create the Backend

Add a new backend service for hello.fliu-demo.xyz, backed by the NEG ccm-neg-2, and a host rule in the URL map ccm-loadbalancer that sends requests for that hostname to it. Requests for any other Host header keep going to the URL map's default service (ccm-backend, the nginx deployment).
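The post shows this step only as a screenshot. The script below is an added example, not code from the original post: it creates the backend service on ccm-neg-2 and adds the host rule to ccm-loadbalancer with gcloud. The backend-service name ccm-backend-hello, the path-matcher name hello and the health-check name ccm-hc are assumptions; ccm-neg-2, ccm-loadbalancer and the zone are from the post.

```bash
#!/bin/sh
# Added example (not from the original post): give hello.fliu-demo.xyz its own
# backend service on the NEG "ccm-neg-2" and route that hostname to it in the
# existing URL map "ccm-loadbalancer". The backend-service, path-matcher and
# health-check names are assumptions; the post does not show them.
set -eu

PROJECT=${PROJECT:-flius-vpc-2}
ZONE=${ZONE:-us-central1-c}
HEALTH_CHECK=${HEALTH_CHECK:-ccm-hc}   # assumption: the HTTP port-80 health check from section 2

# One backend service per NEG, then a host rule so that only requests whose Host
# header is $host reach it. Everything else still falls through to the URL map's
# default service (ccm-backend, the nginx deployment).
add_host_backend() {
  host=$1 bs=$2 neg=$3 matcher=$4
  gcloud compute backend-services create "$bs" --project="$PROJECT" --global \
    --protocol=HTTP --health-checks="$HEALTH_CHECK"
  gcloud compute backend-services add-backend "$bs" --project="$PROJECT" --global \
    --network-endpoint-group="$neg" --network-endpoint-group-zone="$ZONE" \
    --balancing-mode=RATE --max-rate-per-endpoint=100
  gcloud compute url-maps add-path-matcher ccm-loadbalancer --project="$PROJECT" \
    --path-matcher-name="$matcher" --default-service="$bs" --new-hosts="$host"
}

# Print the resulting host rules and path matchers so the routing can be reviewed
# before any client traffic depends on it.
show_host_rules() {
  gcloud compute url-maps describe ccm-loadbalancer --project="$PROJECT" \
    --format='yaml(hostRules,pathMatchers)'
}

if [ "${CCM_APPLY:-0}" = 1 ]; then
  add_host_backend hello.fliu-demo.xyz ccm-backend-hello ccm-neg-2 hello
  show_host_rules
fi
```

The hello-app pods listen on port 80 (the PORT environment variable above), so the same HTTP health check works for both backends. If you would rather not serve the nginx backend for arbitrary Host headers, including requests made to the bare IP, add an explicit host rule for home.fliu-demo.xyz in the same way and point the default service at a backend that answers 404.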

Configure the Certificate

1) Create another DNS Authorization and Certificate for hello.fliu-demo.xyz in the same way, and publish the CNAME from the output before expecting the certificate to become ACTIVE.

gcloud beta certificate-manager dns-authorizations create ccm-dns-auth-hello --domain=hello.fliu-demo.xyz

Create request issued for: [ccm-dns-auth-hello]
Waiting for operation [projects/flius-vpc-2/locations/global/operations/operation-1648092621357-5daee7740c2e6-13ba3d3d-20199a9d] to complete...done.
Created dnsAuthorization [ccm-dns-auth-hello].
NAME                DOMAIN               DNS_RECORD                            RECORD_TYPE  DNS_VALUE
ccm-dns-auth-hello  hello.fliu-demo.xyz  _acme-challenge.hello.fliu-demo.xyz.  CNAME        6c4c6984-8fe7-477e-95b2-df0b885cf1f1.1.authorize.certificatemanager.goog.

gcloud beta certificate-manager certificates create ccm-cert-hello  --domains=hello.fliu-demo.xyz --dns-authorizations=ccm-dns-auth-hello

Create request issued for: [ccm-cert-hello]
Waiting for operation [projects/flius-vpc-2/locations/global/operations/operation-1648092944942-5daee8a8a45ca-5d34cc5b-ae7d6a46] to complete...done.
Created certificate [ccm-cert-hello].

gcloud beta certificate-manager certificates describe ccm-cert-hello

createTime: '2022-03-24T03:35:45.013680391Z'
expireTime: '2022-06-22T02:35:46Z'
managed:
  authorizationAttemptInfo:
  - domain: hello.fliu-demo.xyz
    state: AUTHORIZED
  dnsAuthorizations:
  - projects/647512629680/locations/global/dnsAuthorizations/ccm-dns-auth-hello
  domains:
  - hello.fliu-demo.xyz
  state: ACTIVE

2) Keep using the certificate map created earlier and just add a new entry. Because the map is already attached to the HTTPS proxy, the new hostname is served as soon as its entry is ACTIVE; the proxy itself is not touched.

gcloud beta certificate-manager maps entries create ccm-entry-hello --map=ccm-map-home --certificates=ccm-cert-hello --hostname=hello.fliu-demo.xyz

gcloud beta certificate-manager maps entries list --map=ccm-map-home

NAME             DESCRIPTION  HOSTNAME             MATCHER  CERTIFICATES    STATE   CREATE_TIME
ccm-entry-hello               hello.fliu-demo.xyz           ccm-cert-hello  ACTIVE  2022-03-24 06:22:47 +00:00
ccm-entry-home                home.fliu-demo.xyz            ccm-cert-home   ACTIVE  2022-03-24 03:18:21 +00:00

Next, set up the forwarding rule and target HTTPS proxy for multiple domains behind a single static IP address.

Note: before doing this you can delete the forwarding rule, target HTTP proxy and target HTTPS proxy created earlier. Deleting the forwarding rule releases its ephemeral IP, so update DNS only once the new rule with the reserved address exists.

3) Reserve a static IP

gcloud compute addresses create fliu-demo --global

gcloud compute addresses describe fliu-demo --global
address: 34.96.64.79

4) Create the target HTTPS proxy and the forwarding rule

The new proxy uses the same URL map and the same certificate map, which now carries entries for both hostnames; the forwarding rule binds the reserved address.

gcloud beta compute target-https-proxies create ccm-https-proxy --url-map=https://www.googleapis.com/compute/v1/projects/flius-vpc-2/global/urlMaps/ccm-loadbalancer --certificate-map=projects/flius-vpc-2/locations/global/certificateMaps/ccm-map-home --global

Created [https://www.googleapis.com/compute/beta/projects/flius-vpc-2/global/targetHttpsProxies/ccm-https-proxy].
NAME             SSL_CERTIFICATES  URL_MAP           CERTIFICATE_MAP
ccm-https-proxy                    ccm-loadbalancer  ccm-map-home

gcloud compute forwarding-rules create ccm-fw-rule \
        --load-balancing-scheme=EXTERNAL \
        --network-tier=PREMIUM \
        --address=fliu-demo \
        --global \
        --target-https-proxy=ccm-https-proxy \
        --ports=443

Created [https://www.googleapis.com/compute/v1/projects/flius-vpc-2/global/forwardingRules/ccm-fw-rule].

gcloud compute forwarding-rules describe ccm-fw-rule --global
IPAddress: 34.96.64.79

5) Add a DNS A record for hello.fliu-demo.xyz, and change the existing A record for home.fliu-demo.xyz to the static IP 34.96.64.79 as well.

Verify access to the subdomain

Note that this captured run connected to 34.111.159.71, not the reserved 34.96.64.79: confirm that the name resolves to the static IP before taking a successful handshake as proof that the new forwarding rule is the one serving the hostname.

curl -i -v https://hello.fliu-demo.xyz
*   Trying 34.111.159.71:443...
* Connected to hello.fliu-demo.xyz (34.111.159.71) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=hello.fliu-demo.xyz
*  start date: Mar 24 02:35:47 2022 GMT
*  expire date: Jun 22 02:35:46 2022 GMT
*  subjectAltName: host "hello.fliu-demo.xyz" matched cert's "hello.fliu-demo.xyz"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f8c4500f000)
> GET / HTTP/2
> Host: hello.fliu-demo.xyz
> user-agent: curl/7.77.0
> accept: */*
>
< HTTP/2 200
HTTP/2 200
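The two curl -v runs (home.fliu-demo.xyz in section 3 and hello.fliu-demo.xyz here) check one hostname at a time and depend on DNS already pointing at the load balancer. The script below is an added example, not code from the original post: it connects to the shared frontend IP with an explicit SNI name, extracts the SAN list of the certificate the load balancer served for that name, verifies that the name is covered (including one-label wildcards, which Certificate Manager supports) and fails if the certificate expires within 30 days. It assumes openssl 1.1.1 or newer; FRONTEND_IP defaults to the reserved address 34.96.64.79 from the post.

```bash
#!/bin/sh
# Added example (not from the original post): check from the outside that the
# single frontend IP serves the right certificate for each SNI hostname, that the
# name is covered by the certificate's SAN list, and that it is not about to
# expire. Assumes openssl >= 1.1.1; the 30-day threshold is a choice.
set -eu

# Does $1 fall under one of the DNS SANs in $2 ("DNS:a.example, DNS:*.example")?
# A wildcard covers exactly one label: *.example matches a.example but not
# b.a.example, and not example itself. Names are compared case-insensitively.
san_matches() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  for entry in $(printf '%s' "$2" | tr ',' ' '); do
    case "$entry" in
      DNS:*) name=$(printf '%s' "${entry#DNS:}" | tr 'A-Z' 'a-z') ;;
      *) continue ;;   # IP Address:, email: and other SAN types never match a hostname
    esac
    case "$name" in
      '*.'*)
        suffix=${name#\*.}
        if [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ]; then return 0; fi ;;
      *)
        if [ "$name" = "$host" ]; then return 0; fi ;;
    esac
  done
  return 1
}

# Leaf certificate the load balancer presents when the client sends SNI $1 to $2.
served_cert() {
  printf '' | openssl s_client -servername "$1" -connect "$2:443" 2>/dev/null | openssl x509
}

# Exit 0 only if the certificate served for $1 at $2 covers $1 and stays valid
# for at least $3 more days.
check_host() {
  pem=$(served_cert "$1" "$2") || { printf '%s: no certificate (handshake failed?)\n' "$1" >&2; return 1; }
  san=$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName | grep -o 'DNS:[^, ]*' | tr '\n' ',')
  if ! san_matches "$1" "$san"; then
    printf '%s: not covered by SAN [%s]\n' "$1" "$san" >&2; return 1
  fi
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( $3 * 86400 )); then
    printf '%s: certificate expires within %s days\n' "$1" "$3" >&2; return 1
  fi
  printf '%s: ok (%s)\n' "$1" "$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)"
}

# Run with CCM_CHECK=1; sourcing the file only defines the functions.
if [ "${CCM_CHECK:-0}" = 1 ]; then
  rc=0
  for h in home.fliu-demo.xyz hello.fliu-demo.xyz; do
    check_host "$h" "${FRONTEND_IP:-34.96.64.79}" 30 || rc=1
  done
  exit "$rc"
fi
```

Connecting to the IP with an explicit -servername rather than to the DNS name is deliberate: it exercises the certificate map's SNI selection independently of whether DNS has been updated, which is exactly what the captured run above leaves open. Chain validation against a CA store is left to curl, which the post already shows reporting "SSL certificate verify ok"; this script checks what curl does not, namely that every hostname on the shared IP gets a certificate that names it and has comfortable lifetime left.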

