Can a GKE Gateway running in one Google Cloud project securely use a Certificate Map that is managed by Certificate Manager in a different project?
I’m looking to implement a “hub and spoke” model where a central project handles all TLS certificates. What is the correct way to configure the Gateway resource, and what specific IAM permissions are required between the projects to make this work?
You can maybe start with this article: How do you use GKE managed certificates with K8s Gateway Resource
Not sure though if it applies to your setup, as GKE Gateway does not support multi-project yet.
I have not been able to set up GKE Gateway to route to other clusters in other projects… NEGs are not created properly.
Yes, a GKE Gateway in one project can use a Certificate Map in another project for a “hub and spoke” TLS setup. To do this, the Gateway’s Gateway resource should reference the fully qualified Certificate Map name in the central project. The GKE service account (or the Gateway controller’s identity) in the consuming project needs roles/certificatemanager.certificateViewer on the Certificate Map and underlying certificates in the central project. Ensure VPC peering or proper network connectivity if needed, and that cross-project IAM bindings are correctly configured so the Gateway can read the certificates securely.
Yes, a GKE Gateway in one project can use a Certificate Map from another project by referencing its full resource name. The Gateway controller’s service account must have the roles/certificatemanager.certificateViewer role on the Certificate Map and its certificates in the central project. Ensure cross-project IAM permissions and network connectivity (such as VPC peering) are properly configured so the Gateway can securely access and use the certificates.
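The configuration the two answers above describe, as an added example that is not from the thread or from Google: a script that renders the Gateway manifest carrying the fully qualified Certificate Map reference, refuses a short or wrong-project name, and prints the IAM binding for the hub project. The project names, map name, controller service account and the networking.gke.io/certmap annotation are assumptions, and the cross-project reference itself is the answers' claim, so check it against the current GKE documentation before relying on it.

```shell
#!/bin/sh
# Hypothetical names (assumptions, not from the thread): the hub project owns the
# Certificate Map, the GKE cluster and its Gateway live in the spoke project.
HUB_PROJECT="${HUB_PROJECT:-hub-tls-prj}"
SPOKE_PROJECT="${SPOKE_PROJECT:-spoke-app-prj}"
CERTMAP_NAME="${CERTMAP_NAME:-store-example-com-map}"
# Placeholder: the identity the Gateway controller uses in the spoke project.
SPOKE_SA="${SPOKE_SA:-CONTROLLER-SA@${SPOKE_PROJECT}.iam.gserviceaccount.com}"

# Fully qualified map name, as the answers describe (global location assumed).
certmap_ref() {
  printf 'projects/%s/locations/global/certificateMaps/%s\n' "$HUB_PROJECT" "$CERTMAP_NAME"
}

# Guard: accept only a global map in the expected hub project, so a short
# same-project name or a map from some other project is rejected before apply.
check_certmap_ref() {
  case "$1" in
    projects/"$HUB_PROJECT"/locations/global/certificateMaps/[a-z]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Gateway manifest: the certmap annotation supplies TLS, so the HTTPS listener
# carries no certificateRefs (annotation name is an assumption, see lead-in).
render_gateway_manifest() {
  check_certmap_ref "$1" || { echo "refusing: $1 is not a hub-project map" >&2; return 1; }
  cat <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: external-https
  namespace: default
  annotations:
    networking.gke.io/certmap: $1
spec:
  gatewayClassName: gke-l7-global-external-managed
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
EOF
}

# Binding in the hub project with the role the answers name. A project-level
# grant is wider than the per-map grant they describe; narrow it if you can.
iam_binding_cmd() {
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=roles/certificatemanager.certificateViewer\n' "$HUB_PROJECT" "$SPOKE_SA"
}

# Dry run by default; APPLY=1 applies the manifest and runs the binding.
if [ "${APPLY:-0}" = "1" ]; then
  render_gateway_manifest "$(certmap_ref)" | kubectl apply -f - && sh -c "$(iam_binding_cmd)"
else
  render_gateway_manifest "$(certmap_ref)"; iam_binding_cmd
fi
```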