This page shows you how to configure multiple SSL certificates for Ingressresources in Google Kubernetes Engine (GKE) clusters.

Overview

If you want to accept HTTPS requests from your clients, theApplication Load Balancer must have a certificate so it can prove its identity toyour clients. The load balancer must also have a private key to complete theHTTPS handshake.

When the load balancer accepts an HTTPS request from a client, the trafficbetween the client and the load balancer is encrypted using TLS. However, theload balancer terminates the TLS encryption, and forwards the request withoutencryption to the application. When you configure an Application Load BalancerthroughIngress, youcan configure the load balancer to present up to 15 TLS certificates to theclient.

The load balancer uses Server Name Indication (SNI) to determine whichcertificate to present to the client, based on the domain name in the TLShandshake. If the client does not use SNI, or if the client uses a domain namethat does not match the Common Name (CN) in one of the certificates, the loadbalancer uses the first certificate listed in the Ingress.

The following diagram shows the load balancer sending traffic to differentbackends, depending on the domain name used in the request:

You can provide an Application Load Balancer with SSL certificates using thefollowing methods:

• Google-managed SSL certificates.Refer to the managed certificates page for information on how to use them.

• Google Cloud SSL certificate that you manage yourself. The SSL Certificateuses a pre-shared certificate you upload to your Google Cloud project.

• KubernetesSecrets.The Secret holds a certificate and key that you create yourself. You add thename of the Secret to thetls field of your Ingress manifest.

You can use more than one method in the same Ingress. This allows forno-downtime migrations between methods.

The big picture

Here's an overview of the steps in this document:

1. Create a Deployment.

2. Create a Service.

3. Create two certificate files and two key files or twoManagedCertificateobjects. You must configure these certificates in the same project and thesame namespace as where the load balancer is deployed.

4. Create an Ingress that uses either Secrets or pre-shared certificates.When you create the Ingress, GKE creates and configures anApplication Load Balancer.

5. Test the Application Load Balancer.

Before you begin

Before you start, make sure that you have performed the following tasks:

• Enable the Google Kubernetes Engine API.
Enable Google Kubernetes Engine API
• If you want to use the Google Cloud CLI for this task,install and theninitialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running thegcloud components update command. Earlier gcloud CLI versions might not support running the commands in this document.Note: For existing gcloud CLI installations, make sure to set thecompute/regionproperty. If you use primarily zonal clusters, set thecompute/zone instead. By setting a default location, you can avoid errors in the gcloud CLI like the following:One of [--zone, --region] must be supplied: Please specify location. You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.

• You must own two domain names. The domain names must be no longer than 63characters.
• Ensure that you have an existing Autopilot or Standardcluster. To create a new cluster, seeCreate an Autopilot cluster.

Limitations

• Google-managed certificates are only supported withGKE Ingress using the external Application Load Balancer. Google-managedcertificates don't support third-party Ingress controllers.

• For internal Application Load Balancers, you mustdisable HTTP in the Ingress manifest.This is not required for the external load balancer.

• You must not manually change or update the configuration of theApplication Load Balancer. This means that you must not edit any of theload balancer's components, including target proxies, URL maps, and backendservices. Any changes that you make are overwritten by GKE.

Create a Deployment

1. Save the following manifest asmy-mc-deployment.yaml:

   apiVersion:apps/v1kind:Deploymentmetadata:name:my-mc-deploymentspec:selector:matchLabels:app:productsdepartment:salesreplicas:3template:metadata:labels:app:productsdepartment:salesspec:containers:-name:helloimage:"us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0"env:-name:"PORT"value:"50001"-name:hello-againimage:"us-docker.pkg.dev/google-samples/containers/gke/hello-app:2.0"env:-name:"PORT"value:"50002"

   This manifest describes a Deployment with three Pods. Each Pod has twocontainers. One container runshello-app:1.0 and listens on TCP port 50001.The other container runshello-app:2.0 and listens on TCP port 50002.

2. Apply the manifest to your cluster:

   kubectlapply-fmy-mc-deployment.yaml

Create a Service

1. Save the following manifest asmy-mc-service.yaml:

   apiVersion:v1kind:Servicemetadata:name:my-mc-servicespec:type:NodePortselector:app:productsdepartment:salesports:-name:my-first-portprotocol:TCPport:60001targetPort:50001-name:my-second-portprotocol:TCPport:60002targetPort:50002

   This manifest describes a Service with the following fields:

   • selector: specifies that any Pod that has theapp: products label andthedepartment: sales label is a member of this Service.
   • ports: specifies that when a client sends a request to the Service onmy-first-port, GKE forwards the request to one of themember Pods on port 50001. When a client sends a request to the Service onmy-second-port, GKE forwards the request to one of themember Pods on port 50002.

2. Apply the manifest to your cluster:

   kubectlapply-fmy-mc-service.yaml

Create certificates and keys

To do the exercises on this page, you need two certificates, each with acorresponding key. Each certificate must have a Common Name (CN) that is equalto a domain name that you own.

You can create those certificates manually or use Google-managed certificates.

If you already have two certificate files withthe appropriate values for Common Name, you can skip ahead to the next section.

apiVersion:networking.gke.io/v1kind:ManagedCertificatemetadata:name:FIRST_CERT_NAMEspec:domains:-FIRST_DOMAIN---apiVersion:networking.gke.io/v1kind:ManagedCertificatemetadata:name:SECOND_CERT_NAMEspec:domains:-SECOND_DOMAIN

Specify certificates for your Ingress

The next step is to create an Ingress object. In your Ingress manifest, you canuse one of the following methods to provide certificates for the load balancer:

• Secrets
• Pre-shared certificates
• Google-managed certificates

Test the load balancer

Wait about five minutes for GKE to finish configuring theload balancer.

If you used Google-managed certificates, it might takeconsiderably longer to complete the configuration, as the system needs toprovision the certificates and verify the DNS configuration for given domains.

To test the load balancer, you must own two domain names, and both of yourdomain names must resolve the external IP address of the external Application Load Balancer.

1. Send a request to the load balancer by using your first domain name:

   curl-vhttps://FIRST_DOMAIN

   You might need to use thecurl -k option to perform an insecure SSLtransfer, so thatcurl will accept self-signed certificates.

   The output is similar to the following:

   ...*   Trying 203.0.113.1......* Connected toFIRST_DOMAIN (203.0.113.1) port 443 (#0)...* TLSv1.2 (IN), TLS handshake, Certificate (11):...* Server certificate:*  subject: CN=FIRST_DOMAIN...> Host:FIRST_DOMAIN.com...Hello, world!Version: 1.0.0...

   This output shows that your first certificate was used in the TLS handshake.

2. Send a request to the load balancer by using your second domain name:

   curl-vhttps://SECOND_DOMAIN

   The output is similar to the following:

   ...*   Trying 203.0.113.1......* Connected toSECOND_DOMAIN (203.0.113.1) port 443 (#0)...* Server certificate:*  subject: CN=SECOND_DOMAIN...> Host:SECOND_DOMAIN...Hello, world!Version: 2.0.0

   This output shows that your second certificate was used in the TLShandshake.

The hosts field of an Ingress object

AnIngressSpechas atls field that is an array ofIngressTLSobjects. EachIngressTLS object has ahosts field andSecretName field.In GKE, thehosts field is not used. GKEreads the Common Name (CN) from the certificate in the Secret. If the CommonName matches the domain name in a client request, then the load balancerpresents the matching certificate to the client.

Which certificate is presented?

The load balancerchooses a certificateaccording to these rules:

• If both Secrets and pre-shared certificates are listed in the Ingress, thepre-shared certificates take priority over Secrets. In other words, Secretsare still included but pre-shared certificates are presented first.

• If no certificate has a Common Name (CN) that matches the domain name in theclient request, the load balancer presents the primary certificate.

• For Secrets listed in thetls block, the primary certificate is in the firstSecret in the list.

• For pre-shared certificates listed in theingress.gcp.kubernetes.io/pre-shared-cert annotation, the order in which youlist the certificates determines the primary certificate. The primarycertificate, which is presented when no other certificate matches the client'srequest, is the first certificate listed in the annotation.

• When you use Google-managed certificates, all certificates listed in thenetworking.gke.io/managed-certificates annotation are automatically sortedalphabetically by name. The primary certificate is the one that comes firstin this alphabetical list. To set a specific certificate as the primary, youmust name yourManagedCertificate objects accordingly to control the sortorder. For example, to makemy-default-cert the primary overanother-cert, you might name them0-my-default-cert and1-another-cert.

Certificate rotation best practices

If you want to rotate the contents of your Secret or pre-shared certificate,here are some best practices:

• Create a new Secret or pre-shared certificate with a different name thatcontains the new certificate data. Attach this resource (along with the existingone) to your Ingress using instructions provided earlier. Once satisfied withthe changes, you can remove the old cert from the Ingress.
• If you don't mind disrupting traffic, you can remove the old resource fromthe Ingress, provision a new resource with the same name but different contentsand then reattach it to the Ingress.

To avoid managing certificate rotation yourself, seeUse Google-managed SSL certificates.

Troubleshooting

Specifying invalid or non-existent Secrets results in a Kubernetes event error.You can check Kubernetes events for an Ingress as follows:

kubectldescribeingress

The output is similar to the following:

Name:             my-ingressNamespace:        defaultAddress:          203.0.113.3Default backend:  hello-server:8080 (10.8.0.3:8080)TLS:  my-faulty-Secret terminatesRules:  Host  Path  Backends  ----  ----  --------  *     *     my-service:443 (10.8.0.3:443)Events:   Error during sync: cannot get certs for Ingress default/my-ingress: Secret "my-faulty-ingress" has no 'tls.crt'

What's next

• Read theGKE network overview.

• Learn how toconfigure domain names with static IP addresses.

• Learn how touse Google-managed SSL certificates.

• If you have an application running on multiple GKE clustersin different regions, configure aMulti Cluster Ingressto route traffic to a cluster in the region closest to the user.