iT邦幫忙

2024 iThome 鐵人賽

DAY 16

A few days ago I mentioned the limitations of Certificate Manager; today we go through the actual implementation. The official documentation says:

  • To deploy a certificate to a regional external Application Load Balancer or to a regional internal Application Load Balancer, attach the certificate directly to the target proxy.

  • To deploy a certificate to a global external Application Load Balancer, create a certificate map and attach the map to the target proxy.

Because we are using a global load balancer, we have to use a certificate map. Before I found this document, I tried attaching the certificate directly and stepped on the landmine. Let's take a quick look from the CLI. If you want to update the target HTTPS proxy with a Certificate Manager certificate, be careful to use the right parameter: there is --certificate-manager-certificates and there is --ssl-certificates. And if you pick the correct one, it tells you this is not supported, exactly as the documentation says.

gcloud compute target-https-proxies update portal-uat-global-lb-http-https-proxy --ssl-certificates xxx-global-ssl-cert
ERROR: (gcloud.compute.target-https-proxies.update) Could not fetch resource:
 - The resource 'projects/xxxx/global/sslCertificates/xxx-global-ssl-cert' was not found

gcloud compute target-https-proxies update portal-uat-global-lb-http-https-proxy --certificate-manager-certificates xxx-global-ssl-cert
ERROR: (gcloud.compute.target-https-proxies.update) Could not fetch resource:
 - Invalid value for field 'resource.sslCertificates[0]': 'https://certificatemanager.googleapis.com/v1/projects/xxx/locations/global/certificates/xxx-global-ssl-cert'. Cloud certificate reference is not supported for TargetHttpsProxy patch.

Here is how to create the map:

gcloud certificate-manager maps create uat-test-map

gcloud certificate-manager maps entries create uat-test-entry --map=uat-test-map --certificates=xxx-global-ssl-cert --set-primary

gcloud compute target-https-proxies update portal-uat-global-lb-http-https-proxy --certificate-map=uat-test-map

Once the test is done, the next step is doing it as IaC with Terraform. Note that although we use a map, we still have to keep ssl_certificates, because GCP requires a default value. And that default can only be a classic certificate.

resource "google_certificate_manager_certificate_map" "default" {
  name        = "cert-map"
  description = "My acceptance test certificate map"
}

module "lb-http" {

  source  = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
  version = "~> 11.0"
  project = module.shared_vars.project_id

  name = local.resource_names.lb_http

  load_balancing_scheme = "EXTERNAL_MANAGED"

  ssl                             = true
  managed_ssl_certificate_domains = []
  https_redirect                  = false
  create_ssl_certificate          = false
  # GCP requires at least one classic SSL certificate as the default, even with a certificate map attached
  ssl_certificates                = ["https://www.googleapis.com/compute/v1/projects/shopeetwbi/global/sslCertificates/xxx-ssl-cert"]
  # reference the map resource declared above (its Terraform name is "default")
  certificate_map                 = google_certificate_manager_certificate_map.default.id
}

If you remove ssl_certificates, you will see the following error:

module.lb-http.google_compute_target_https_proxy.default[0]: Modifying... [id=projects/xxx/global/targetHttpsProxies/portal-uat-global-lb-http-https-proxy]
╷
│ Error: Error updating TargetHttpsProxy "projects/xxx/global/targetHttpsProxies/portal-uat-global-lb-http-https-proxy": googleapi: Error 412: Certificate Map or at least 1 SSL certificate must be specified for setting SSL certificates in TargetHttpsProxy., conditionNotMet
│ 
│   with module.lb-http.google_compute_target_https_proxy.default[0],
│   on .terraform/modules/lb-http/modules/serverless_negs/main.tf line 113, in resource "google_compute_target_https_proxy" "default":
│  113: resource "google_compute_target_https_proxy" "default" {
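As an added, complete example (not the article's own code, and not the lb-http module), here is the same wiring expressed with plain google provider resources, so the whole dependency chain is visible: a Certificate Manager certificate, a map with a PRIMARY entry, a classic certificate that serves as the mandatory default, and the target HTTPS proxy that references both. Resource names, the domain, the PEM file paths and the url_map reference are assumed placeholders.

```hcl
# Added example, not from the original article: the same setup with plain
# google provider resources instead of the lb-http module. Names, the domain,
# PEM file paths and the url_map reference are assumed placeholders.

# Google-managed certificate issued through Certificate Manager (location defaults to global).
resource "google_certificate_manager_certificate" "portal" {
  name = "portal-cert"
  managed {
    domains = ["portal.example.com"] # assumed domain
  }
}

# The map is what a global external Application Load Balancer needs.
resource "google_certificate_manager_certificate_map" "default" {
  name        = "cert-map"
  description = "Certificate map for the global load balancer"
}

# PRIMARY entry: served when no hostname-specific entry matches the client's SNI.
resource "google_certificate_manager_certificate_map_entry" "primary" {
  name         = "cert-map-primary"
  map          = google_certificate_manager_certificate_map.default.name
  certificates = [google_certificate_manager_certificate.portal.id]
  matcher      = "PRIMARY"
}

# Classic (Compute Engine) certificate. Per the article, GCP still requires at least
# one of these on the proxy as the default even when a map is attached.
resource "google_compute_ssl_certificate" "fallback" {
  name        = "fallback-ssl-cert"
  certificate = file("${path.module}/certs/fallback.crt") # assumed path
  private_key = file("${path.module}/certs/fallback.key") # assumed path

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_target_https_proxy" "default" {
  name    = "portal-https-proxy"
  url_map = google_compute_url_map.default.id # assumed to be declared elsewhere

  # Keep the classic certificate; dropping it triggers the "Error 412: Certificate Map
  # or at least 1 SSL certificate must be specified" shown above.
  ssl_certificates = [google_compute_ssl_certificate.fallback.id]

  # The proxy expects the map as a //certificatemanager.googleapis.com/... path;
  # the map's .id is projects/{project}/locations/global/certificateMaps/{name}.
  certificate_map = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.default.id}"
}
```

The lb-http module hides the last step by building the //certificatemanager.googleapis.com/ prefix for you, which is why the article can pass the map's .id directly to certificate_map. With the raw resource the prefix has to be spelled out, otherwise the provider rejects the value.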

If it is created successfully, you will see a rather strange screen in the console.

https://ithelp.ithome.com.tw/upload/images/20240930/20118525ZL7MgoDSkk.png


Series: Reincarnated from AWS into the GCP world, and changed class into a DevOps SRE along the way (30 articles)