Using Google-managed SSL certificates

This page shows how you can use Google-managed SSL certificates for secure Ingress on GKE. You learn how to use Google's automated certificate management service to simplify HTTPS encryption for your applications.

These certificates are Domain Validation (DV) certificates that Google provisions, renews, and manages for your domain names. These certificates don't demonstrate your individual or organizational identity.

This page is for Networking specialists and Security specialists who plan and implement network security, and who develop and maintain security policies. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.

Before reading this page, ensure that you have a working knowledge of GKE, and a good understanding of networking and network security.

To learn how to create Google-managed certificates with Google Cloud, see Google-managed certificates.

Note: This feature is only available with Ingress for external Application Load Balancers.

Creating an Ingress with a Google-managed certificate

To configure a Google-managed SSL certificate and associate it with an Ingress, you need to:

  • Create a ManagedCertificate object in the same namespace as the Ingress.
  • Associate the ManagedCertificate object with an Ingress by adding the networking.gke.io/managed-certificates annotation to the Ingress. This annotation is a comma-separated list of ManagedCertificate objects.

Note: Using Google-managed SSL certificates with Ingress doesn't affect how you configure Ingress traffic rules.

Limitations

Google-managed certificates are less flexible than certificates you obtain and manage yourself. Google-managed certificates support up to 100 non-wildcard domains. Unlike self-managed certificates, Google-managed certificates don't support wildcard domains.

If you require self-managed certificates or if you already own SSL certificates that you would like to configure on your Ingress, see Setting up HTTPS (TLS) between client and load balancer.

The number and type of certificates supported by an Ingress are defined by the limits of Google-managed SSL certificates.

Updates on Google-managed certificates are not supported. For more information, see Manually updating a Google-managed certificate.

If the certificate is revoked directly with the Certificate Authority, Google does not automatically rotate the certificate. You must delete the ManagedCertificate and create a new one.

Warning: The load balancer's target proxy created by an Ingress resource can reference up to 15 Compute Engine SSL certificates. The Ingress annotation ingress.gcp.kubernetes.io/pre-shared-cert lists all SSL certificates, both Google-managed and self-managed, that are provisioned on the load balancer's target proxy, so the combined total counts against that limit.
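The constraints in this section (the ManagedCertificate in the same namespace as its Ingress, no wildcards, at most 100 domains, an external Ingress class, and the 15-certificate target-proxy limit) can be checked before you run kubectl apply. The following Python script is an added example written for this page, not code from GKE or from the original page. It lints the manifests as parsed dicts; the sample manifests in it are constructed, and the hostname regex and the "gce"-class check are this example's own interpretation of the limits stated above rather than rules GKE publishes in that form.

```python
"""Pre-apply lint for the ManagedCertificate and Ingress manifests on this page.

Added example, not code from the page or from GKE. It turns the limits the page
states into checks: 1 to 100 domains per ManagedCertificate and no wildcards; the
Ingress annotation must name ManagedCertificate objects in the Ingress's own
namespace; the Ingress class must be the external "gce" class; and managed plus
self-managed certificates on one Ingress must not exceed the 15-certificate
target-proxy limit. Manifests are passed as dicts (the parsed YAML); the sample
data at the bottom is constructed for this example.
"""
import re

MAX_DOMAINS_PER_CERT = 100   # documented Google-managed certificate limit
MAX_CERTS_PER_PROXY = 15     # documented target-proxy limit
MC_ANNOTATION = "networking.gke.io/managed-certificates"
PRESHARED_ANNOTATION = "ingress.gcp.kubernetes.io/pre-shared-cert"
CLASS_ANNOTATION = "kubernetes.io/ingress.class"

# Labels of letters, digits and hyphens, at least one dot, no wildcard label (assumed shape).
_FQDN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def _csv(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def lint_managed_certificate(mc):
    """Return a list of problems with one ManagedCertificate dict ([] means OK)."""
    problems = []
    name = mc.get("metadata", {}).get("name", "<unnamed>")
    if (mc.get("apiVersion"), mc.get("kind")) != ("networking.gke.io/v1", "ManagedCertificate"):
        problems.append(f"{name}: expected apiVersion networking.gke.io/v1, kind ManagedCertificate")
    domains = mc.get("spec", {}).get("domains") or []
    if not domains:
        problems.append(f"{name}: spec.domains is empty")
    if len(domains) > MAX_DOMAINS_PER_CERT:
        problems.append(f"{name}: {len(domains)} domains exceeds the limit of {MAX_DOMAINS_PER_CERT}")
    if len(set(domains)) != len(domains):
        problems.append(f"{name}: spec.domains contains duplicates")
    for d in domains:
        if "*" in d:
            problems.append(f"{name}: wildcard domain {d!r} is not supported")
        elif not _FQDN_RE.match(d):
            problems.append(f"{name}: {d!r} is not a valid fully-qualified domain name")
    return problems


def lint_ingress(ingress, managed_certs):
    """Cross-check an Ingress dict against the ManagedCertificate dicts that will exist."""
    problems = []
    meta = ingress.get("metadata", {})
    iname, ns = meta.get("name", "<unnamed>"), meta.get("namespace", "default")
    ann = meta.get("annotations") or {}
    if ann.get(CLASS_ANNOTATION, "gce") != "gce":
        problems.append(f"Ingress {iname}: managed certificates need the external 'gce' Ingress class")
    wanted = _csv(ann.get(MC_ANNOTATION))
    if not wanted:
        problems.append(f"Ingress {iname}: missing {MC_ANNOTATION} annotation")
    available = {(mc.get("metadata", {}).get("namespace", "default"), mc["metadata"]["name"])
                 for mc in managed_certs}
    for mc_name in wanted:
        if (ns, mc_name) not in available:
            problems.append(f"Ingress {iname}: ManagedCertificate {mc_name!r} not found in namespace {ns!r}")
    # On a manifest you wrote, pre-shared-cert holds only your self-managed
    # certificates; once provisioned, the controller adds the managed ones too.
    total = len(wanted) + len(_csv(ann.get(PRESHARED_ANNOTATION)))
    if total > MAX_CERTS_PER_PROXY:
        problems.append(f"Ingress {iname}: {total} certificates exceed the target-proxy limit of {MAX_CERTS_PER_PROXY}")
    return problems


# --- constructed sample input, mirroring the manifests on this page ----------
GOOD_CERT = {"apiVersion": "networking.gke.io/v1", "kind": "ManagedCertificate",
             "metadata": {"name": "managed-cert", "namespace": "default"},
             "spec": {"domains": ["example.com", "www.example.com"]}}
WILDCARD_CERT = {"apiVersion": "networking.gke.io/v1", "kind": "ManagedCertificate",
                 "metadata": {"name": "wild-cert", "namespace": "default"},
                 "spec": {"domains": ["*.example.com"]}}
INGRESS = {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
           "metadata": {"name": "managed-cert-ingress", "namespace": "default",
                        "annotations": {"kubernetes.io/ingress.global-static-ip-name": "web-ip",
                                        MC_ANNOTATION: "managed-cert,missing-cert",
                                        CLASS_ANNOTATION: "gce"}},
           "spec": {"defaultBackend": {"service": {"name": "mc-service", "port": {"number": 80}}}}}

if __name__ == "__main__":
    for cert in (GOOD_CERT, WILDCARD_CERT):
        for p in lint_managed_certificate(cert):
            print("cert:", p)
    for p in lint_ingress(INGRESS, [GOOD_CERT, WILDCARD_CERT]):
        print("ingress:", p)
```

Parse your YAML files with any YAML library into dicts and pass them to the two functions; a non-empty list means fix the manifest before applying it. The sample run reports the wildcard in wild-cert and the reference to the nonexistent missing-cert.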

Prerequisites

Setting up a Google-managed certificate

  1. Create a ManagedCertificate object. This resource specifies the domains for the SSL certificate. Wildcard domains are not supported.

    The following manifest describes a ManagedCertificate object. Save the manifest as managed-cert.yaml.

    apiVersion: networking.gke.io/v1
    kind: ManagedCertificate
    metadata:
      name: managed-cert
    spec:
      domains:
        - FQDN_1
        - FQDN_2

    Replace the following:

    • FQDN_1, FQDN_2: Fully-qualified domain names that you own. For example, example.com and www.example.com.
  2. Apply the manifest to your cluster:

    kubectl apply -f managed-cert.yaml
  3. Create a Service of type NodePort to expose your application to the internet.

    The following manifest describes a Service of type NodePort. Save the manifest as mc-service.yaml.

    apiVersion: v1
    kind: Service
    metadata:
      name: mc-service
    spec:
      selector:
        app: mc-service
      type: NodePort
      ports:
        - protocol: TCP
          port: 80
          targetPort: 8080
  4. Apply the manifest to your cluster:

    kubectl apply -f mc-service.yaml

    Note: For this ManagedCertificate object to become Active, you must attach it to an Ingress. The ManagedCertificate does not have to already be Active for you to attach it to an Ingress.
  5. Create an Ingress.

    The following manifest describes an Ingress that uses the ManagedCertificate you created. Save the manifest as managed-cert-ingress.yaml.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: managed-cert-ingress
      annotations:
        kubernetes.io/ingress.global-static-ip-name: ADDRESS_NAME
        networking.gke.io/managed-certificates: managed-cert
        kubernetes.io/ingress.class: "gce"
    spec:
      defaultBackend:
        service:
          name: mc-service
          port:
            number: SERVICE_PORT

    Replace the following:

    • ADDRESS_NAME: the name of your reserved IP address.
    • SERVICE_PORT: the value of ports.port in your Service manifest.
  6. Apply the manifest to your cluster:

    kubectl apply -f managed-cert-ingress.yaml

    Note: It might take several hours for Google Cloud to provision the load balancer and the managed certificate, and for the load balancer to begin using the new certificate. For more information, see Deploy a Google-managed certificate with load balancer authorization.
  7. Get the IP address of the load balancer:

    kubectl get ingress

    The output is similar to the following:

    NAME                   HOSTS   ADDRESS        PORTS   AGE
    managed-cert-ingress   *       203.0.113.32   80      54s

    The load balancer's IP address is listed in the ADDRESS column. If you are using a reserved static IP address, that address is the load balancer's address.

    If the address is not listed, wait for the Ingress to finish setting up.

  8. Configure the DNS records for your domains to point to the IP address of the load balancer. If you use Cloud DNS, see Managing records for details.

    Note: You must wait for the DNS records you configured to propagate before continuing.
  9. Wait for the Google-managed certificate to finish provisioning. This might take up to 60 minutes. You can check the status of the certificate using the following command:

    kubectl describe managedcertificate managed-cert

    The output is similar to the following:

    Name:         managed-cert
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    API Version:  networking.gke.io/v1
    Kind:         ManagedCertificate
    (...)
    Spec:
      Domains:
        FQDN_1
        FQDN_2
    Status:
      CertificateStatus:  Active
    (...)

    The value of the Status.CertificateStatus field indicates whether the certificate is provisioned. If Status.CertificateStatus is not Active, the certificate is not yet provisioned.

  10. You can check the events on an Ingress by using the following command:

    kubectl describe ingress INGRESS_NAME

    Replace INGRESS_NAME with the name of your Ingress.

  11. Verify that SSL is working by visiting your domains using the https:// prefix. Your browser indicates that the connection is secure and you can view the certificate details.
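Steps 9 through 11 are a poll-and-verify loop that is easier to script than to read off kubectl describe output. The following Python is an added example and is not part of the original page or of GKE. It reads the same status from the JSON form of the object (kubectl get managedcertificate NAME -o json), lists which domains are still not Active, and, once the certificate is Active, connects to each domain and checks that the certificate the load balancer serves lists every domain in spec.domains. The ManagedCertificate JSON in it is constructed sample data; the per-domain field status.domainStatus and its values are taken from what the controller reports and are an assumption of this example, not something this page describes.

```python
"""Check a Google-managed certificate after it has been attached to an Ingress.

Added example, not code from the page or from GKE. It reads the fields that
`kubectl describe managedcertificate` prints, but from the JSON form
(`kubectl get managedcertificate NAME -o json`), lists the domains that are
not yet Active, and, once the certificate is Active, compares the DNS SANs of
the certificate the load balancer serves with spec.domains. SAMPLE_MC below is
constructed; status.domainStatus and its values are assumed from what the
controller reports and are not described on the page.
"""
import json
import socket
import ssl


def certificate_state(mc):
    """Return (status.certificateStatus, {domain: per-domain status})."""
    status = mc.get("status") or {}
    per_domain = {d["domain"]: d["status"] for d in status.get("domainStatus", [])}
    return status.get("certificateStatus", "Unknown"), per_domain


def not_ready_domains(mc):
    """Domains from spec.domains that are not Active; [] means provisioning is done."""
    overall, per_domain = certificate_state(mc)
    if overall == "Active":
        return []
    return [d for d in mc["spec"]["domains"] if per_domain.get(d) != "Active"]


def uncovered_domains(expected_domains, sans):
    """Domains from spec.domains missing from the served certificate's DNS SANs.

    Exact, case-insensitive match only: a Google-managed certificate never
    carries a wildcard name, so a wildcard SAN means a different certificate
    is being served (for example a self-managed one still on the proxy).
    """
    present = {name.lower() for name in sans}
    return [d for d in expected_domains if d.lower() not in present]


def fetch_sans(host, port=443, timeout=10):
    """Connect with SNI=host and return the DNS SANs of the served certificate (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample: the object while one domain's DNS does not yet point at
# the load balancer, so the certificate as a whole is still Provisioning.
SAMPLE_MC = json.loads("""
{
  "apiVersion": "networking.gke.io/v1",
  "kind": "ManagedCertificate",
  "metadata": {"name": "managed-cert", "namespace": "default"},
  "spec": {"domains": ["example.com", "www.example.com"]},
  "status": {
    "certificateStatus": "Provisioning",
    "domainStatus": [
      {"domain": "example.com", "status": "Active"},
      {"domain": "www.example.com", "status": "FailedNotVisible"}
    ]
  }
}
""")

if __name__ == "__main__":
    overall, per_domain = certificate_state(SAMPLE_MC)
    print("certificateStatus:", overall)
    for domain, st in per_domain.items():
        print(f"  {domain}: {st}")
    pending = not_ready_domains(SAMPLE_MC)
    if pending:
        print("not yet Active, fix DNS or wait:", ", ".join(pending))
    else:
        # Only meaningful after DNS points at the load balancer and the
        # certificate is Active; every domain should serve the same SAN set.
        for domain in SAMPLE_MC["spec"]["domains"]:
            missing = uncovered_domains(SAMPLE_MC["spec"]["domains"], fetch_sans(domain))
            print(domain, "OK" if not missing else f"served certificate lacks {missing}")
```

Feed the output of kubectl get managedcertificate NAME -o json into certificate_state and not_ready_domains in a loop until the list is empty; a domain that stays in a Failed state is the one whose DNS record to check. fetch_sans uses the Python standard library only, so the final check runs from any host that can reach the load balancer.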

Migrating to Google-managed certificates from self-managed certificates

When you migrate an Ingress from using self-managed SSL certificates to Google-managed SSL certificates, don't delete any self-managed SSL certificates before the Google-managed SSL certificates are active. After the Google-managed SSL certificates are successfully provisioned, they automatically become active. When the Google-managed SSL certificates are active, you can delete your self-managed SSL certificates.

Use these instructions for migrating from self-managed to Google-managed SSL certificates.

  1. Add a new Google-managed certificate to the Ingress, as described in the Setting up a Google-managed certificate section.
  2. Wait until the status of the Google-managed certificate resource is Active. Check the status of the certificate with the following command:

    kubectl describe managedcertificate managed-cert
  3. When the status is Active, update the Ingress to remove the references to the self-managed certificate.
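The migration rule above (never drop the self-managed certificate until the ManagedCertificate is Active) can be enforced before you edit the Ingress. The following Python is an added example, not code from the page or from GKE. Given the parsed JSON of the Ingress and of the ManagedCertificate objects it references, it refuses the final step unless every referenced certificate is Active and, as this example's own extra safeguard, the Active certificates between them list every host the Ingress routes; it then produces the Ingress with spec.tls removed and only the named self-managed entries dropped from the pre-shared-cert annotation, because that annotation also carries the Google-managed certificates. All data in it is constructed.

```python
"""Gate the last step of a self-managed to Google-managed certificate migration.

Added example, not code from the page or from GKE. Before the self-managed
references (spec.tls Secrets, or your names in the
ingress.gcp.kubernetes.io/pre-shared-cert annotation) are removed from an
Ingress, it checks that every ManagedCertificate named in the
networking.gke.io/managed-certificates annotation is Active and that those
certificates together list every host the Ingress routes. Inputs are the
parsed JSON of the Ingress and of the ManagedCertificate objects; all sample
data below is constructed. The host-coverage check is this example's own
safeguard, not a GKE requirement.
"""
import copy

MC_ANNOTATION = "networking.gke.io/managed-certificates"
PRESHARED_ANNOTATION = "ingress.gcp.kubernetes.io/pre-shared-cert"


def _csv(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def ingress_hosts(ingress):
    """Hosts in spec.rules[].host (a rule without a host matches any name and is not checked)."""
    rules = ingress.get("spec", {}).get("rules") or []
    return sorted({r["host"] for r in rules if r.get("host")})


def safe_to_drop_self_managed(ingress, managed_certs):
    """Return (ok, reasons); ok is True only when removing self-managed references cannot break TLS."""
    reasons = []
    by_name = {mc["metadata"]["name"]: mc for mc in managed_certs}
    names = _csv((ingress.get("metadata", {}).get("annotations") or {}).get(MC_ANNOTATION))
    if not names:
        return False, [f"Ingress has no {MC_ANNOTATION} annotation"]
    covered = set()
    for name in names:
        mc = by_name.get(name)
        if mc is None:
            reasons.append(f"ManagedCertificate {name!r} does not exist in this namespace")
            continue
        status = (mc.get("status") or {}).get("certificateStatus")
        if status != "Active":
            reasons.append(f"ManagedCertificate {name!r} is {status or 'Unknown'}, not Active")
            continue
        covered.update(mc["spec"]["domains"])
    for host in ingress_hosts(ingress):
        if host not in covered:
            reasons.append(f"host {host!r} is not listed in any Active ManagedCertificate")
    return (not reasons), reasons


def strip_self_managed(ingress, self_managed_names):
    """Copy of the Ingress with spec.tls removed and only the given names dropped from pre-shared-cert.

    The annotation also carries the Google-managed certificates once they are
    provisioned, so it is edited, not deleted.
    """
    out = copy.deepcopy(ingress)
    out.get("spec", {}).pop("tls", None)
    meta = out.setdefault("metadata", {})
    ann = meta.get("annotations") or {}
    meta["annotations"] = ann
    keep = [n for n in _csv(ann.get(PRESHARED_ANNOTATION)) if n not in set(self_managed_names)]
    if keep:
        ann[PRESHARED_ANNOTATION] = ",".join(keep)
    else:
        ann.pop(PRESHARED_ANNOTATION, None)
    return out


# --- constructed sample data -------------------------------------------------
_BACKEND = {"service": {"name": "mc-service", "port": {"number": 80}}}
INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "managed-cert-ingress", "namespace": "default",
                 "annotations": {"kubernetes.io/ingress.class": "gce",
                                 MC_ANNOTATION: "managed-cert",
                                 PRESHARED_ANNOTATION: "old-cert,other-cert"}},
    "spec": {"tls": [{"secretName": "old-tls-secret", "hosts": ["example.com", "www.example.com"]}],
             "rules": [{"host": h, "http": {"paths": [{"path": "/", "pathType": "Prefix", "backend": _BACKEND}]}}
                       for h in ("example.com", "www.example.com")]},
}
MC_PROVISIONING = {"apiVersion": "networking.gke.io/v1", "kind": "ManagedCertificate",
                   "metadata": {"name": "managed-cert", "namespace": "default"},
                   "spec": {"domains": ["example.com", "www.example.com"]},
                   "status": {"certificateStatus": "Provisioning"}}
MC_ACTIVE = {**MC_PROVISIONING, "status": {"certificateStatus": "Active"}}

if __name__ == "__main__":
    for mc in (MC_PROVISIONING, MC_ACTIVE):
        ok, why = safe_to_drop_self_managed(INGRESS, [mc])
        print(mc["status"]["certificateStatus"], "->", "safe to remove self-managed certs" if ok else why)
    if safe_to_drop_self_managed(INGRESS, [MC_ACTIVE])[0]:
        new = strip_self_managed(INGRESS, ["old-cert"])
        print("tls present:", "tls" in new["spec"],
              "| pre-shared-cert:", new["metadata"]["annotations"].get(PRESHARED_ANNOTATION))
```

The sample run refuses the change while the certificate is Provisioning and allows it once it is Active; the stripped Ingress can then be applied with kubectl apply. Deleting the old Secret or Compute Engine certificate is a separate step that should happen only after the updated Ingress is serving.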

Removing a Google-managed certificate

To remove a Google-managed certificate from your cluster you must delete the ManagedCertificate object and remove the Ingress annotation that references it.

  1. Delete the ManagedCertificate object:

    kubectl delete -f managed-cert.yaml

    The output is similar to the following:

    managedcertificate.networking.gke.io "managed-cert" deleted
  2. Remove the annotation from the Ingress:

    kubectl annotate ingress managed-cert-ingress networking.gke.io/managed-certificates-

    Notice the minus sign, -, at the end of the command.

  3. Release the static IP address that you reserved for your load balancer.

    You can use the Google Cloud CLI, the Google Cloud console, or Config Connector to release a reserved IP address.

    gcloud

    Use the following command to release the reserved IP address:

    gcloud compute addresses delete ADDRESS_NAME --global

    Replace ADDRESS_NAME with the name of the IP address.

    Console

    To release the reserved IP address, perform the following steps:

    1. Go to the External IP addresses page in the Google Cloud console.

    2. Select the checkbox next to the IP address you want to release.

    3. Click Release IP address.

    Config Connector

    Note: This step requires Config Connector. Follow the installation instructions to install Config Connector on your cluster.

    apiVersion: compute.cnrm.cloud.google.com/v1beta1
    kind: ComputeAddress
    metadata:
      name: example-ip-address
    spec:
      location: global

    To release the address by deleting this resource, save the manifest to your machine as compute-address.yaml, and run:

    kubectl delete -f compute-address.yaml

What's next


Last updated 2026-02-19 UTC.