stackoom
  简体   繁体   中英

Why google-managed SSL certificate requires domain DNS to point to a static IP address instead of the load balancer itself?

 原文  2020-05-03 08:25:16       ssl/ dns/ google-kubernetes-engine/ kubernetes-ingress/ nginx-ingress

Question

I'm setting up the ingress for my GKE cluster, everything works but I think I'm missing something here.
The google tutorial states that we need to reserve an external static IP and add A record in our domain to point to such IP, then define both IP and certificate in the ingress rule.
Why can't we just point the domain to the load balancer IP?

Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs?hl=th

1 answers

solution1
 2 ACCPTED  2020-05-04 11:32:51

I think we have some misconceptions here. Let me explain a little bit more.

Your question shows nothing that you are using nginx-ingress . There is nothing besides a tag that is acknowledging it. Please update your question with information which controller you are actually using.

It's important because gke-ingress and nginx-ingress are 2 different resources. The guide that you are referencing is specific to gke-ingress . Annotations used there will not work with nginx-ingress . If you were following the guide step by step you used a gke-ingress and not nginx-ingress .

According to question in the title:

Why google-managed SSL certificate requires domain DNS to point to a static IP address instead of the load balancer itself?

The static IP address mentioned is a reserved resource and it's specifically created not to change.

This IP address will be used with a Ingress resource with your GKE cluster. This will ensure that the Ingress resource will always have the same IP address and your domain will always point to it.

Deletion of your Ingress resource when it was created without a static ip address can lead to situation that a recreated Ingress will have a different IP address.

From above explanation: You can point with your domain name to an IP address that is no longer associated with your Ingress resource because your Ingress has another IP address.

GCP operate on 2 types of IP addresses:

  • Ephemeral
  • Static

Please take a look on official documentation about IP addresses on GCP: Cloud.google.com: Compute: IP addresses

Additionally there is an article which shows the differences between service object of type LoadBalancer and Ingress resource.

Please let me know if you have any questions in that.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Subdomain & Pricing of Google-managed SSL certificate in Load Balancing Can not delete Google-managed SSL certificate Adding Google-managed, auto-renewing SSL custom domain with cloudflare DNS Google App Engine custom domain is not activating Google-Managed SSL Google Managed Certificate with ip address How to set DNS records for my domain to reference the IP address of my load balancer also getting FAILED_NOT_VISIBLE in LB Google Cloud Console SSL Certificate For AWS Load Balancer Ssl certificate on a tcp load balancer? How to remove SSL certificate from Load balancer on Google Cloud Platform? AWS Load Balancer, Static IP's and SSL termination on the server (not load balancer)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM