A few days ago I mentioned the limitations of Certificate Manager; today I'll cover the implementation. The official documentation states:
To deploy a certificate to a regional external Application Load Balancer or to a regional internal Application Load Balancer, attach the certificate directly to the target proxy.
To deploy a certificate to a global external Application Load Balancer, create a certificate map and attach the map to the target proxy.
Because we use a global load balancer, we have to use a certificate map. Before I found this document, I tried attaching the certificate directly and stepped on the mine. Let's look at it quickly from the CLI: suppose you want to update the proxy with a Certificate Manager certificate. Be careful to use the right flag, since there are two: --certificate-manager-certificates and --ssl-certificates. And if you pick the correct one, it tells you it is not supported, exactly as the documentation says.
gcloud compute target-https-proxies update portal-uat-global-lb-http-https-proxy --ssl-certificates xxx-global-ssl-cert
ERROR: (gcloud.compute.target-https-proxies.update) Could not fetch resource:
- The resource 'projects/xxxx/global/sslCertificates/xxx-global-ssl-cert' was not found
gcloud compute target-https-proxies update portal-uat-global-lb-http-https-proxy --certificate-manager-certificates xxx-global-ssl-cert
ERROR: (gcloud.compute.target-https-proxies.update) Could not fetch resource:
- Invalid value for field 'resource.sslCertificates[0]': 'https://certificatemanager.googleapis.com/v1/projects/xxx/locations/global/certificates/xxx-global-ssl-cert'. Cloud certificate reference is not supported for TargetHttpsProxy patch.
Here is how to create the map:
gcloud certificate-manager maps create uat-test-map
gcloud certificate-manager maps entries create uat-test-entry --map=uat-test-map --certificates=xxx-global-ssl-cert --set-primary
gcloud compute target-https-proxies update portal-uat-global-lb-http-https-proxy --certificate-map=uat-test-map
After the test passed, the next step is IaC with Terraform. Note that although we use a map, we still have to keep ssl_certificates, because GCP requires a default value, and that default can only be a classic certificate.
resource "google_certificate_manager_certificate_map" "default" {
  name        = "cert-map"
  description = "My acceptance test certificate map"
}

module "lb-http" {
  source  = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
  version = "~> 11.0"

  project               = module.shared_vars.project_id
  name                  = local.resource_names.lb_http
  load_balancing_scheme = "EXTERNAL_MANAGED"
  ssl                   = true

  # Let the module neither create nor manage certificates itself.
  managed_ssl_certificate_domains = []
  https_redirect                  = false
  create_ssl_certificate          = false

  # A classic certificate must stay here as the default, even with a map.
  ssl_certificates = ["https://www.googleapis.com/compute/v1/projects/shopeetwbi/global/sslCertificates/xxx-ssl-cert"]

  # Reference the map resource declared above (it is named "default").
  certificate_map = google_certificate_manager_certificate_map.default.id
}
If you remove ssl_certificates, you will see the following error:
module.lb-http.google_compute_target_https_proxy.default[0]: Modifying... [id=projects/xxx/global/targetHttpsProxies/portal-uat-global-lb-http-https-proxy]
╷
│ Error: Error updating TargetHttpsProxy "projects/xxx/global/targetHttpsProxies/portal-uat-global-lb-http-https-proxy": googleapi: Error 412: Certificate Map or at least 1 SSL certificate must be specified for setting SSL certificates in TargetHttpsProxy., conditionNotMet
│
│ with module.lb-http.google_compute_target_https_proxy.default[0],
│ on .terraform/modules/lb-http/modules/serverless_negs/main.tf line 113, in resource "google_compute_target_https_proxy" "default":
│ 113: resource "google_compute_target_https_proxy" "default" {
If it is created successfully, you will see a rather puzzling screen in the console.
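The gcloud steps and the Terraform module snippet above, written out as an added example in plain provider resources (not code from the post or from the lb-http module). It assumes a google_compute_url_map named default exists elsewhere; the resource names, project id and domain are placeholders.

```hcl
# Added example (not the post's own code): full Certificate Manager wiring
# for a global external LB. Names, project id, domain and the url_map
# reference are hypothetical placeholders.

# Google-managed certificate using load balancer authorization
# (no dns_authorizations block).
resource "google_certificate_manager_certificate" "uat" {
  name = "xxx-global-ssl-cert"
  managed {
    domains = ["portal-uat.example.com"]
  }
}

resource "google_certificate_manager_certificate_map" "uat" {
  name        = "uat-test-map"
  description = "Certificate map for the global external LB"
}

# Equivalent of `maps entries create ... --set-primary`: the PRIMARY entry
# is served when no hostname entry matches the SNI sent by the client.
resource "google_certificate_manager_certificate_map_entry" "primary" {
  name         = "uat-test-entry"
  map          = google_certificate_manager_certificate_map.uat.name
  certificates = [google_certificate_manager_certificate.uat.id]
  matcher      = "PRIMARY"
}

# Optional per-hostname entry, pinning a certificate to one SNI value.
resource "google_certificate_manager_certificate_map_entry" "portal" {
  name         = "uat-portal-entry"
  map          = google_certificate_manager_certificate_map.uat.name
  certificates = [google_certificate_manager_certificate.uat.id]
  hostname     = "portal-uat.example.com"
}

resource "google_compute_target_https_proxy" "default" {
  name    = "portal-uat-global-lb-http-https-proxy"
  url_map = google_compute_url_map.default.id # assumed to exist elsewhere

  # The proxy resource expects the //certificatemanager.googleapis.com/
  # prefix in front of the map id.
  certificate_map = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.uat.id}"

  # Classic certificate kept as the default described in the post.
  ssl_certificates = ["https://www.googleapis.com/compute/v1/projects/my-project/global/sslCertificates/xxx-ssl-cert"]
}
```

After apply, `gcloud compute target-https-proxies describe portal-uat-global-lb-http-https-proxy --format='value(certificateMap)'` should print the map URI, confirming the proxy is serving from the map rather than from the classic default.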