How do you use GKE managed certificates with K8s Gateway Resource

How do you configure a K8s Gateway Resource to use a GKE managed certificate?

I couldn't find this explicitly in the documentation

https://cloud.google.com/kubernetes-engine/docs/how-to/gatewayclass-capabilities#gateway

I tried using the option `networking.gke.io/pre-shared-certs` but I think that ends up looking for the Google Certificate object of the given name rather than the certificate created by the GKEManagedCertificate object.

Do we use certificateRefs

https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.SecretObjectRefer... ?

1 ACCEPTED SOLUTION

The GKE Gateway does not support using the ManagedCertificate resource.

If you are using an external GatewayClass (e.g. gke-l7-gxlb), you can use certificates from Certificate Manager.

If you are using an internal GatewayClass (e.g. gke-l7-rilb), you can use Google-managed SSL certificates, but you'll need to create an SslCertificate resource rather than using the ManagedCertificate resource.

You can find some sample resource specs here.

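To make the accepted answer concrete, here is an added example (not from this thread, and not Google's own sample) of the three ways a GKE Gateway listener can be given a certificate: a pre-shared SslCertificate via `tls.options` on an internal class, a Certificate Manager map via the `networking.gke.io/certmap` annotation on an external class, and a plain `kubernetes.io/tls` Secret via `certificateRefs`, the only Kind the GWCER105 error accepts. The `certmap` annotation and the `tls.options` form come from the GKE "Secure a Gateway" documentation as I recall it rather than from this thread, so check them against the current docs; `gateway/platform` reuses the namespace/name from the error message and all certificate names are placeholders.

```yaml
# Option A: internal class, pre-shared Compute Engine SslCertificate (Google-managed or
# uploaded). The value is the SslCertificate name, NOT a ManagedCertificate object.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: platform
  namespace: gateway
spec:
  gatewayClassName: gke-l7-rilb
  listeners:
  - name: platform
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      options:
        networking.gke.io/pre-shared-certs: platform-example-com   # placeholder name
---
# Option B: external class, Certificate Manager certificate map (annotation form).
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: platform
  namespace: gateway
  annotations:
    networking.gke.io/certmap: platform-example-com-map   # placeholder map name
spec:
  gatewayClassName: gke-l7-gxlb
  listeners:
  - name: platform
    protocol: HTTPS
    port: 443
---
# Option C: a kubernetes.io/tls Secret in the Gateway's namespace (a cert you manage
# yourself); this is the only {Group: "", Kind: Secret} form certificateRefs supports.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: platform
  namespace: gateway
spec:
  gatewayClassName: gke-l7-rilb
  listeners:
  - name: platform
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: platform-tls   # placeholder Secret name
```

Apply only the document matching your GatewayClass; the three are alternatives, not a set to create together.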

4 REPLIES

Using certificateRefs doesn't work. That gives the error.

failed to translate Gateway "gateway/platform": Error GWCER105: Listener "platform" is invalid, err: You specified {Group: networking.gke.io, Kind: ManagedCertificate} in the certificate reference, {Group: , Kind: Secret} are the supported values.


Looks like the GKE ManagedCertificate resource isn't supported with the gateway resource.

https://cloud.google.com/kubernetes-engine/docs/how-to/secure-gateway#create-ssl


To configure a Kubernetes Gateway Resource to use a GKE managed certificate, you can use the certificateRefs field in the Gateway spec. Here's an example YAML configuration:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: my-cert
    hosts:
    - my.domain.com
```

In this configuration, the tls.credentialName field specifies the name of the certificate that you want to use, which should match the metadata.name field of the corresponding GKEManagedCertificate object. For example, if you have a GKEManagedCertificate object named my-cert, you would set tls.credentialName to my-cert.

Note that the GKEManagedCertificate object must be in the same namespace as the Gateway object, and the istio-system namespace must have the gke.io/gce-persistent-disk-rw storage class.

Once you have updated your Gateway configuration, Istio should automatically update the certificate when it is renewed by GKE.
