Setting up DNS and TLS in GCP

To expose service or model endpoints to the external world or to an internal network, a domain must be mapped to the cluster. This document walks through setting that up in your GCP GKE standard cluster. Any number of domains can be set up for a cluster.

Setting up DNS

There are two kinds of domains that you can set up for TrueFoundry workloads

  1. Wild card domains - *.example.com, *.tfy.example.com, *.ml.example.com
  2. Non wild card domains - tfy.example.com, dev.example.com, prod.example.com

Wild card domains (recommended)

With a wildcard domain, one wildcard subdomain is dedicated to resolving endpoints in the GKE cluster. Some samples are given below, where example.com is your domain. Services will be exposed like

  • service1.tfy.example.com
  • service2.tfy.example.com

Non wild card domains

With a non-wildcard domain, a single dedicated hostname is used to resolve endpoints, and services are distinguished by path. Sample service endpoints will look like

  • tfy.example.com/service1
  • tfy.example.com/service2

Load balancer IP address

Once a domain name is decided, create a DNS record that maps it to the IP address of the load balancer in front of the GKE cluster. To get the load balancer's IP address run the following command

kubectl get svc -n istio-system tfy-istio-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

Create a DNS record in your cloud DNS or your DNS provider with the following details

  Record Type   Record Name          Record value
  A             *.tfy.example.com    LOADBALANCER_IP_ADDRESS
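The steps above (read the load balancer IP, publish the wildcard A record, confirm it resolves) as one script. This is an added example, not part of the TrueFoundry documentation or tooling; the managed zone name, the record name and the TTL are assumptions you replace with your own, and the only command taken from the page is the kubectl lookup of tfy-istio-ingress. The is_ipv4 check exists because the load balancer field is empty until GCP finishes provisioning, and publishing an empty or non-IP value as an A record is a common mistake.

```shell
#!/bin/sh
# Added example, not from the TrueFoundry docs: look up the Istio ingress load
# balancer IP, sanity-check it, and publish the wildcard A record in Cloud DNS.
# ZONE_NAME, RECORD_NAME and TTL are assumptions; set them for your environment.
set -eu

ZONE_NAME="${ZONE_NAME:-tfy-zone}"                 # assumed Cloud DNS managed zone
RECORD_NAME="${RECORD_NAME:-*.tfy.example.com.}"   # assumed record; trailing dot = FQDN
TTL="${TTL:-300}"

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
# Rejects the empty string (LB not provisioned yet) and hostnames (some load
# balancers expose .hostname instead of .ip), which must not go into an A record.
is_ipv4() {
  _ip=$1
  case $_ip in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS
  IFS=.
  set -- $_ip                       # split into octets (digits only, no glob risk)
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Read the external IP of the ingress service named in the docs.
lb_ip() {
  kubectl get svc -n istio-system tfy-istio-ingress \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
}

# Create the A record. 'create' fails if the record already exists; use
# 'gcloud dns record-sets update' to change an existing one.
publish_record() {
  _ip=$1
  is_ipv4 "$_ip" || { echo "refusing to publish non-IPv4 value: '$_ip'" >&2; return 1; }
  gcloud dns record-sets create "$RECORD_NAME" \
    --zone="$ZONE_NAME" --type=A --ttl="$TTL" --rrdatas="$_ip"
}

# Resolve a sample hostname under the wildcard and compare it with the LB IP.
verify_record() {
  _ip=$1
  _host="service1.${RECORD_NAME#\*.}"   # strip the leading "*."
  _host=${_host%.}                      # strip the trailing dot for dig
  _answer=$(dig +short A "$_host" | head -n1)
  if [ "$_answer" = "$_ip" ]; then
    echo "$_host -> $_answer (ok)"
  else
    echo "$_host resolved to '$_answer', expected $_ip (propagation pending?)" >&2
    return 1
  fi
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${TFY_DNS_APPLY:-0}" = "1" ]; then
  IP=$(lb_ip)
  publish_record "$IP"
  verify_record "$IP"
fi
```

Run it with TFY_DNS_APPLY=1 ZONE_NAME=your-zone RECORD_NAME='*.tfy.yourdomain.com.' once gcloud and kubectl point at the right project and cluster; verify_record will report a mismatch until the record has propagated through your resolver's cache.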

Setting up TLS

There are primarily two ways to add TLS to the load balancer in GCP

  1. Using cert-manager + GCP Cloud DNS (recommended) - certificates are issued and renewed automatically
  2. Using certificate and key files - pre-created certificates are loaded into Istio
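For the second option, the checks worth running before a pre-created certificate is loaded into Istio, followed by the secret creation itself. This is an added example, not TrueFoundry's own tooling: the secret name (tfy-tls-cert, which must match whatever credentialName your Istio Gateway references), the file names and the sample hostname are assumptions. The san_covers function encodes the rule that a wildcard SAN matches exactly one DNS label, which is the usual reason a "wildcard" certificate fails to cover the hostnames it was bought for.

```shell
#!/bin/sh
# Added example, not from the TrueFoundry docs: pre-flight checks before loading
# pre-created certificate and key files into Istio (TLS option 2 above).
# TLS_SECRET, CERT_FILE, KEY_FILE and HOSTNAME_TO_CHECK are assumptions.
set -eu

CERT_FILE="${CERT_FILE:-fullchain.pem}"   # assumed: leaf + intermediates, PEM
KEY_FILE="${KEY_FILE:-privkey.pem}"       # assumed: unencrypted private key, PEM
TLS_SECRET="${TLS_SECRET:-tfy-tls-cert}"  # assumed: must match the Gateway's credentialName

# Does one SAN entry cover HOST? A wildcard matches exactly one label, so
# *.tfy.example.com covers service1.tfy.example.com but neither
# tfy.example.com nor a.b.tfy.example.com. Comparison is case-insensitive.
san_covers() {
  _host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  _san=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case $_san in
    \*.*)
      _label=${_host%%.*}               # leftmost label of the host
      _rest=${_host#*.}                 # everything after the first dot
      [ -n "$_label" ] && [ "$_rest" != "$_host" ] && [ "$_rest" = "${_san#\*.}" ] ;;
    *)
      [ "$_host" = "$_san" ] ;;
  esac
}

# Print the DNS SANs of a PEM certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Return 0 if any SAN in the certificate covers HOST.
cert_covers_host() {
  _cert=$1; _h=$2
  set -f                                # SANs contain '*': disable globbing
  for _s in $(cert_sans "$_cert"); do
    if san_covers "$_h" "$_s"; then set +f; return 0; fi
  done
  set +f
  return 1
}

# Return 0 if the private key's public half is the one in the certificate.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Create or replace the kubernetes.io/tls secret in the ingress gateway's namespace.
load_into_istio() {
  kubectl create secret tls "$TLS_SECRET" -n istio-system \
    --cert="$CERT_FILE" --key="$KEY_FILE" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${TFY_TLS_APPLY:-0}" = "1" ]; then
  HOSTNAME_TO_CHECK="${HOSTNAME_TO_CHECK:-service1.tfy.example.com}"   # assumed
  cert_covers_host "$CERT_FILE" "$HOSTNAME_TO_CHECK" \
    || { echo "$CERT_FILE has no SAN covering $HOSTNAME_TO_CHECK" >&2; exit 1; }
  key_matches_cert "$CERT_FILE" "$KEY_FILE" \
    || { echo "$KEY_FILE does not match $CERT_FILE" >&2; exit 1; }
  # -checkend returns non-zero if the certificate expires within 30 days.
  openssl x509 -in "$CERT_FILE" -noout -checkend 2592000 \
    || { echo "$CERT_FILE expires within 30 days; renew before loading" >&2; exit 1; }
  load_into_istio
fi
```

Because this option has no automatic renewal, the -checkend test is the one to put on a schedule: re-run it against the file you will re-upload, not just against the secret already in the cluster.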