How do you configure a K8s Gateway Resource to use a GKE managed certificate?
I couldn’t find this explicitly in the documentation
https://cloud.google.com/kubernetes-engine/docs/how-to/gatewayclass-capabilities#gateway
I tried using the option networking.gke.io/pre-shared-certs but I think that ends up looking for the Google Certificate object of the given name rather than the certificate created by the GKEManagedCertificate object.
Do we use certificateRefs
Using certificateRefs doesn’t work. That gives the error.
failed to translate Gateway "gateway/platform": Error GWCER105: Listener "platform" is invalid, err: You specified {Group: networking.gke.io, Kind: ManagedCertificate} in the certificate reference, {Group: , Kind: Secret} are the supported values.
Looks like the GKE ManagedCertificate resource isn’t supported with the gateway resource.
https://cloud.google.com/kubernetes-engine/docs/how-to/secure-gateway#create-ssl
The GKE Gateway does not support using the ManagedCertificate resource.
If you are using an external GatewayClass (e.g. gke-l7-gxlb), you can use certificates from Certificate Manager.
If you are using an internal GatewayClass (e.g. gke-l7-rilb), you can use Google-managed SSL certificates, but you’ll need to create an SslCertificate resource rather than using the ManagedCertificate resource.
You can find some sample resource specs here.
To configure a Kubernetes Gateway Resource to use a GKE managed certificate, you can use the certificateRefs field in the Gateway spec. Here’s an example YAML configuration:
apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: my-gateway spec: selector: istio: ingressgateway servers: - port: number: 443 name: https protocol: HTTPS tls: mode: SIMPLE credentialName: my-cert hosts: - my.domain.com
In this configuration, the tls.credentialName field specifies the name of the certificate that you want to use, which should match the metadata.name field of the corresponding GKEManagedCertificate object. For example, if you have a GKEManagedCertificate object named my-cert, you would set tls.credentialName to my-cert.
Note that the GKEManagedCertificate object must be in the same namespace as the Gateway object, and the istio-system namespace must have the gke.io/gce-persistent-disk-rw storage class.
Once you have updated your Gateway configuration, Istio should automatically update the certificate when it is renewed by GKE.
Certificate Manager is now supported for Regional Gateways as well.
Are there any plans to allow cert-manager / ACME protocol to work in google’s GKE deployments? Is this still accurate?
Not exactly sure what you mean here? You can install and manage cert-manager yourself of course.
Are you looking for ACME protocol support from Google Certificate Manager?
I misread this ticket. I assumed that cert-manager was not supported by GKE’s implementation of the gateway API. I have everything working. I’ll retract my previous comments thank you for the response.
@garisingh Hi,
Is there any update that we can use the managedcertificate in the “gke-l7-global-external-managed” gateway?
Still, The Gateway controller does not support the ManagedCertificate resource. You can find more details on here - https://cloud.google.com/kubernetes-engine/docs/how-to/secure-gateway#restrictions_and_limitations.