@mj-01
Forked from pydevops/gke-ingress-manged-tls.md
Created December 25, 2022 17:42
Create a GCP managed TLS certificate for the GKE ingress

Solution #1 (ManagedCertificate CRD in GKE)

  • GKE with Google-managed SSL certificates
    • Use the ManagedCertificate CRD to create a ManagedCertificate object listing the domains to certify.
    • Associate the ManagedCertificate object with an Ingress by adding the annotation networking.gke.io/managed-certificates to the Ingress. The annotation value is a comma-separated list of ManagedCertificate resource names, for example cert1,cert2,cert3.
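The ManagedCertificate object and the annotated Ingress from Solution #1 written out as manifests, as an added example that is not part of the original gist. The domain ci.example.com, namespace ci and backend jenkins-ui are taken from the Solution #2 example further down; the static IP name ci-ip is an assumption.

```yaml
# Added example: Google-managed certificate via the ManagedCertificate CRD.
# Assumes the GKE (gce) ingress controller and a reserved global static IP
# named ci-ip (assumed name) whose DNS A record for ci.example.com already
# points at it; the certificate stays in a non-Active state until the domain
# resolves to the load balancer.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: ci-example
  namespace: ci          # must be the same namespace as the Ingress
spec:
  domains:
    - ci.example.com     # one object can list several domains
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ci
  namespace: ci
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.global-static-ip-name: ci-ip
    # comma-separated list of ManagedCertificate names, e.g. cert1,cert2
    networking.gke.io/managed-certificates: ci-example
spec:
  defaultBackend:
    service:
      name: jenkins-ui
      port:
        number: 8080
# Check provisioning (expect "Status: Active" once DNS and the LB are ready):
#   kubectl describe managedcertificate ci-example -n ci
```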

Solution #2 (Google Cloud SSL Certificate)

Assumption

Assumes you are using the default L7 GLBC ingress controller (ingress-gce), which is the default for a GKE cluster.

Create a certificate

gcloud compute ssl-certificates create ci-example --domains ci.example.com

List certificates

gcloud compute ssl-certificates list

Check the certificate provisioning status

gcloud compute ssl-certificates describe ci-example

Please note that even with a correct configuration, provisioning a certificate is likely to take 30 to 60 minutes in total.

Configure the GKE ingress with a pre-shared certificate

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ci
  namespace: ci
  annotations:
    ingress.gcp.kubernetes.io/pre-shared-cert: 'ci-example'
spec:
  backend:
    serviceName: jenkins-ui
    servicePort: 8080

The ingress.gcp.kubernetes.io/pre-shared-cert annotation is consumed by ingress-gce, which attaches the named Google Cloud SSL certificate to the load balancer.

Solution #3 (k8s secrets)

kubectl create secret tls ci-example \
    --cert ci-example.pem --key ci-example-key.pem

SNI with multiple certificates
