Securing LightBeam on GKE with Google Certificate Manager and GCE Ingress


Overview

This document describes how to secure the LightBeam app on a GKE cluster with a Google-managed certificate attached to a GCE Ingress, which GKE fronts with an external Application Load Balancer. The goal is to have that load balancer terminate TLS for the LightBeam endpoint using a certificate that Google issues and renews automatically, so no certificate or private key has to be generated, stored or rotated on the cluster itself.


Steps

  1. Create an external global static IP address (for example with gcloud compute addresses create <name> --global).

  2. Create a DNS A record that maps the FQDN you want to use for the LightBeam endpoint to the static IP address reserved in step 1. Google cannot issue the managed certificate until this name resolves publicly to that address, so the record should be in place before the chart is installed.

  3. Populate the gcp section of charts/lightbeam/values.yaml or charts/lightbeam-web-portal/values.yaml:

gcp:
 # This is set to true by lb-install.sh when GKE is the Kubernetes manager.
 gceIngress: true
 # We launch external LB by default. Set this to true if you would like to launch an internal LB instead.
 internalLb: false
 managedCertificate:
   # Set this to true if you would like to leverage google managed certificates.
   enabled: true
   # Provide the name of the external global static IP address reserved for the external load balancer.
   # Example: lightbeam-gke-static-IP
   externalStaticIPName: "my-lightbeam-gke-ip"
   # Provide FQDN which resolves to the IP address value of 'externalStaticIPName'.
   # Example: lightbeam-gke.lightbeamsecurity.com
   domainName: "my-lightbeam-gke.lightbeamsecurity.com"

gceIngress and managedCertificate.enabled must both be set to true; the managed certificate is attached to the GCE Ingress, so it has no effect without it.

externalStaticIPName must be the name (not the address) of the global static IP address created in step 1, and domainName must be the FQDN from step 2 that resolves to that address. A wildcard name will not work: Google-managed certificates cover only the exact domain listed.

  4. Install or upgrade the LightBeam cluster using the updated values.yaml.

  5. The managed certificate takes anywhere between 20 and 60 minutes to be provisioned. You can view its progress in the GCP console. Provisioning cannot complete until the FQDN resolves to the static IP from step 1; if the certificate stays in a provisioning or failed state for longer than an hour, verify the DNS record before anything else.

  6. Once the certificate is active and the deployment is complete, LightBeam is reachable over HTTPS at the FQDN, with TLS terminated at the Google load balancer. Verify with a browser or with curl -sSI https://<domainName>, which fails unless the certificate chain and hostname validate against the system trust store.
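The following script checks the procedure above end to end: it validates the gcp block of values.yaml, confirms the FQDN resolves to the reserved static IP, reads the managed certificate's status, and finally performs a verifying TLS handshake against the endpoint. It is an added example, not code from the LightBeam chart, lb-install.sh or its documentation. It assumes (the page does not say) that the chart materialises the certificate as a GKE ManagedCertificate object (networking.gke.io/v1) in the release namespace, that gcloud and kubectl are installed and authenticated for the live checks, and that PyYAML is available to read values.yaml; the function names and the sample data are illustrative and constructed.

```python
"""Pre-flight and post-install checks for the Google-managed certificate flow.

Added example, not part of the LightBeam chart.  Assumes the chart creates a
ManagedCertificate (networking.gke.io/v1) in the release namespace and that gcloud
and kubectl are authenticated; function and sample names are illustrative.
"""
import json
import socket
import ssl
import subprocess
import sys


def validate_gcp_values(gcp):
    """Return a list of problems in the `gcp:` values block (empty list means consistent)."""
    problems = []
    if gcp.get("gceIngress") is not True:
        problems.append("gcp.gceIngress must be true (the certificate attaches to the GCE Ingress)")
    mc = gcp.get("managedCertificate") or {}
    if mc.get("enabled") is not True:
        problems.append("gcp.managedCertificate.enabled must be true")
    if not mc.get("externalStaticIPName"):
        problems.append("gcp.managedCertificate.externalStaticIPName must name the reserved global IP")
    domain = mc.get("domainName") or ""
    if "." not in domain:
        problems.append("gcp.managedCertificate.domainName must be a FQDN")
    elif domain.startswith("*"):
        problems.append("Google-managed certificates do not support wildcard names")
    if gcp.get("internalLb") is True:
        problems.append("internalLb=true conflicts with the external static IP this flow requires")
    return problems


def static_ip_address(name):
    """Live: look up the address behind the reserved global IP name with gcloud."""
    out = subprocess.run(["gcloud", "compute", "addresses", "describe", name, "--global",
                          "--format=value(address)"], check=True, capture_output=True, text=True)
    return out.stdout.strip()


def dns_matches(domain, expected_ip, resolve=socket.gethostbyname):
    """True when the FQDN resolves to the reserved IP.  Until it does, Google cannot
    validate the domain and the certificate stays in Provisioning / FailedNotVisible."""
    try:
        return resolve(domain) == expected_ip
    except OSError:  # NXDOMAIN, timeouts and friends
        return False


def certificate_ready(mcert):
    """True when a ManagedCertificate (as kubectl -o json prints it) is Active for the
    certificate itself and for every domain it lists."""
    status = mcert.get("status") or {}
    domains = status.get("domainStatus") or []
    return (status.get("certificateStatus") == "Active" and bool(domains)
            and all(d.get("status") == "Active" for d in domains))


def managed_certificates(namespace):
    """Live: list the ManagedCertificate objects in the release namespace."""
    out = subprocess.run(["kubectl", "get", "managedcertificate", "-n", namespace, "-o", "json"],
                         check=True, capture_output=True, text=True)
    return json.loads(out.stdout).get("items", [])


def tls_endpoint_ok(domain, port=443, timeout=10):
    """Live: complete a handshake that validates chain and hostname against the system
    trust store, i.e. what a browser does for https://<domain>/ (ssl.SSLError is an OSError)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((domain, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                return tls.version() is not None
    except OSError:
        return False


# Constructed samples (not from a real deployment): the values.yaml block above, and the
# status a ManagedCertificate shows while the DNS record is not yet visible to Google.
SAMPLE_GCP = {"gceIngress": True, "internalLb": False,
              "managedCertificate": {"enabled": True, "externalStaticIPName": "my-lightbeam-gke-ip",
                                     "domainName": "my-lightbeam-gke.lightbeamsecurity.com"}}
SAMPLE_PENDING_CERT = {"metadata": {"name": "lightbeam-cert"},
                       "status": {"certificateStatus": "Provisioning",
                                  "domainStatus": [{"domain": "my-lightbeam-gke.lightbeamsecurity.com",
                                                    "status": "FailedNotVisible"}]}}


def main(gcp, namespace):
    """Run the checks in order and stop at the first one the operator has to fix."""
    problems = validate_gcp_values(gcp)
    for p in problems:
        print("values.yaml:", p)
    if problems:
        return 1
    mc = gcp["managedCertificate"]
    ip = static_ip_address(mc["externalStaticIPName"])
    if not dns_matches(mc["domainName"], ip):
        print(f"DNS: {mc['domainName']} does not resolve to {ip}; fix the A record first")
        return 1
    certs = managed_certificates(namespace)
    for c in certs:
        st = c.get("status") or {}
        print(c["metadata"]["name"], st.get("certificateStatus"),
              ", ".join(f"{d['domain']}={d['status']}" for d in st.get("domainStatus") or []))
    if not certs or not all(certificate_ready(c) for c in certs):
        return 1
    print("TLS handshake OK" if tls_endpoint_ok(mc["domainName"]) else "TLS handshake FAILED")
    return 0


if __name__ == "__main__":
    # Usage: python check_managed_cert.py charts/lightbeam/values.yaml <namespace>
    import yaml  # PyYAML, only needed to read the chart values
    with open(sys.argv[1]) as f:
        values = yaml.safe_load(f)
    sys.exit(main(values["gcp"], sys.argv[2] if len(sys.argv) > 2 else "default"))
```

Run it once before installing (it stops at the values or DNS check) and again after the 20 to 60 minute wait; a FailedNotVisible domain status almost always means the A record is missing or still propagating, not a problem with the chart. The final handshake uses the system trust store with hostname verification, so it proves what a user's browser will see rather than just that port 443 answers.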
