How do you configure a K8s Gateway Resource to use a GKE managed certificate?
I couldn't find this explicitly in the documentation:
https://cloud.google.com/kubernetes-engine/docs/how-to/gatewayclass-capabilities#gateway
I tried using the option `networking.gke.io/pre-shared-certs` but I think that ends up looking for the Google Certificate object of the given name rather than the certificate created by the GKEManagedCertificate object.
Do we use certificateRefs?
The GKE Gateway does not support using the ManagedCertificate resource.
If you are using an external GatewayClass (e.g. gke-l7-gxlb), you can use certificates from Certificate Manager.
If you are using an internal GatewayClass (e.g. gke-l7-rilb), you can use Google-managed SSL certificates, but you'll need to create an SslCertificate resource rather than using the ManagedCertificate resource.
You can find some sample resource specs here.
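The two supported shapes the answer describes, written out as Gateway manifests. This is an added example, not a spec from the thread or from the GKE documentation: the names `external-gateway`, `internal-gateway`, `store-example-com-map` and `internal-cert` are placeholders, the GatewayClass names are the ones quoted in the answer, and `networking.gke.io/certmap` is the GKE annotation that attaches a Certificate Manager certificate map (assumed here alongside the `networking.gke.io/pre-shared-certs` option mentioned in the question).

```yaml
# External GatewayClass: the certificate comes from a Certificate Manager
# certificate map (placeholder name: store-example-com-map) attached with
# the certmap annotation, not from a ManagedCertificate object.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: external-gateway
  annotations:
    networking.gke.io/certmap: store-example-com-map
spec:
  gatewayClassName: gke-l7-gxlb
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    # No certificateRefs: a {Group: networking.gke.io, Kind: ManagedCertificate}
    # reference is rejected (GWCER105); only Secret references are accepted.
---
# Internal GatewayClass: the listener points at a Google-managed
# SslCertificate created outside Kubernetes (placeholder name: internal-cert;
# assumed to be a regional certificate in the cluster's region) by name.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: internal-gateway
spec:
  gatewayClassName: gke-l7-rilb
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      options:
        networking.gke.io/pre-shared-certs: internal-cert
```

In both cases the certificate lifecycle lives in Google Cloud rather than in a Kubernetes object, so renewal and rotation should be monitored there, not via the cluster.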
Using certificateRefs doesn't work. That gives the error:

```
failed to translate Gateway "gateway/platform": Error GWCER105: Listener "platform" is invalid, err: You specified {Group: networking.gke.io, Kind: ManagedCertificate} in the certificate reference, {Group: , Kind: Secret} are the supported values.
```
Looks like the GKE ManagedCertificate resource isn't supported with the gateway resource.
https://cloud.google.com/kubernetes-engine/docs/how-to/secure-gateway#create-ssl
To configure a Kubernetes Gateway Resource to use a GKE managed certificate, you can use the certificateRefs field in the Gateway spec. Here's an example YAML configuration:
In this configuration, the tls.credentialName field specifies the name of the certificate that you want to use, which should match the metadata.name field of the corresponding GKEManagedCertificate object. For example, if you have a GKEManagedCertificate object named my-cert, you would set tls.credentialName to my-cert.
Note that the GKEManagedCertificate object must be in the same namespace as the Gateway object, and the istio-system namespace must have the gke.io/gce-persistent-disk-rw storage class.
Once you have updated your Gateway configuration, Istio should automatically update the certificate when it is renewed by GKE.