
How do you use GKE managed certificates with K8s Gateway Resource

How do you configure a K8s Gateway Resource to use a GKE managed certificate?

I couldn't find this explicitly in the documentation:

https://cloud.google.com/kubernetes-engine/docs/how-to/gatewayclass-capabilities#gateway

I tried using the option `networking.gke.io/pre-shared-certs` but I think that ends up looking for the Google Certificate object of the given name rather than the certificate created by the GKEManagedCertificate object.

Do we use certificateRefs

https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.SecretObjectRefer... ?

1 ACCEPTED SOLUTION

The GKE Gateway does not support using the ManagedCertificate resource.

If you are using an external GatewayClass (e.g. gke-l7-gxlb), you can use certificates from Certificate Manager.

If you are using an internal GatewayClass (e.g. gke-l7-rilb), you can use Google-managed SSL certificates, but you'll need to create an SslCertificate resource rather than using the ManagedCertificate resource.

You can find some sample resource specs here.


10 REPLIES

Using certificateRefs doesn't work. That gives the error:

failed to translate Gateway "gateway/platform": Error GWCER105: Listener "platform" is invalid, err: You specified {Group: networking.gke.io, Kind: ManagedCertificate} in the certificate reference, {Group: , Kind: Secret} are the supported values.


Looks like the GKE ManagedCertificate resource isn't supported with the gateway resource.

https://cloud.google.com/kubernetes-engine/docs/how-to/secure-gateway#create-ssl
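As an added example (not from the thread or from the GKE documentation), here is a Gateway spec in the two forms the controller does accept according to the error above and the accepted answer: a certificateRefs entry of Kind Secret, or, for the internal class, the pre-shared-certs option pointing at a Google-managed SslCertificate. The Gateway and listener names are taken from the error message; the Secret name, the SslCertificate name, the hostname, and placing the pre-shared-certs key under the listener's `tls.options` are assumptions.

```yaml
# Added example, not from the thread. Assumed: a kubernetes.io/tls Secret named
# "platform-tls" (e.g. issued by cert-manager) and a Google-managed SslCertificate
# named "platform-cert" created outside Kubernetes; hostname platform.example.com.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: platform
  namespace: gateway
spec:
  gatewayClassName: gke-l7-gxlb
  listeners:
  - name: platform
    protocol: HTTPS
    port: 443
    hostname: platform.example.com
    tls:
      mode: Terminate
      certificateRefs:
      # The controller only accepts the core-group Secret kind here.
      # A {group: networking.gke.io, kind: ManagedCertificate} entry is
      # rejected with GWCER105, as shown in the error above.
      - kind: Secret
        name: platform-tls
---
# Internal GatewayClass: reference a Google-managed SslCertificate by name
# through the pre-shared-certs option; no ManagedCertificate object is involved.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: platform-internal
  namespace: gateway
spec:
  gatewayClassName: gke-l7-rilb
  listeners:
  - name: platform
    protocol: HTTPS
    port: 443
    hostname: platform.example.com
    tls:
      mode: Terminate
      options:
        networking.gke.io/pre-shared-certs: platform-cert
```

After applying, check the Gateway's status conditions for a GWCER error before assuming the listener is serving TLS.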


Certificate Manager is now supported for Regional Gateways as well.

Are there any plans to allow cert-manager / ACME protocol to work in Google's GKE deployments? Is this still accurate?

Not exactly sure what you mean here? You can install and manage cert-manager yourself of course.

Are you looking for ACME protocol support from Google Certificate Manager?

I misread this ticket. I assumed that cert-manager was not supported by GKE's implementation of the Gateway API. I have everything working. I'll retract my previous comments; thank you for the response.

To configure a Kubernetes Gateway Resource to use a GKE managed certificate, you can use the certificateRefs field in the Gateway spec. Here's an example YAML configuration:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: my-cert
    hosts:
    - my.domain.com
```

In this configuration, the tls.credentialName field specifies the name of the certificate that you want to use, which should match the metadata.name field of the corresponding GKEManagedCertificate object. For example, if you have a GKEManagedCertificate object named my-cert, you would set tls.credentialName to my-cert.

Note that the GKEManagedCertificate object must be in the same namespace as the Gateway object, and the istio-system namespace must have the gke.io/gce-persistent-disk-rw storage class.

Once you have updated your Gateway configuration, Istio should automatically update the certificate when it is renewed by GKE.

@garisingh Hi,
Is there any update that we can use the ManagedCertificate in the "gke-l7-global-external-managed" gateway?

Still, the Gateway controller does not support the ManagedCertificate resource. You can find more details here: https://cloud.google.com/kubernetes-engine/docs/how-to/secure-gateway#restrictions_and_limitations
