
I tried to use Google Managed Certificate (not through k8s) in Ingress.

If Ingress is in default namespace, everything works fine using the `ingress.gcp.kubernetes.io/pre-shared-cert: my-cert-name` annotation.

However, if Ingress is in a namespace, it looks for a certificate named `my-namespace/my-cert-name`. But it's impossible to create a certificate with `/` in its name.

Using GKE k8s ManagedCertificate everything works fine. How to make it work with a non-k8s ManagedCertificate?

UPDATE: we use Terraform to manage SSL certificates, using the `google_compute_managed_ssl_certificate` resource. We used GKE with Ingress, and tried to use that certificate with it. If Ingress is in default namespace -- everything works fine. If Ingress is in some other namespace -- it's impossible to use that certificate, because Ingress looks for a certificate named `namespacename/certname` instead of `certname`.

  • Have you followed instructions listed [here](https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs#gcloud)? – Sergiusz Jan 31 '22 at 08:40
  • @Sergiusz it describes GKE (k8s) managed certificate. I'm asking about non-k8s google-managed certificate (we don't use Ingress). Like here: https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs – Dzmitry Lazerka Feb 01 '22 at 09:09
  • Can you clarify your question? Do you use ingress or not? – Sergiusz Feb 01 '22 at 11:38
  • @Sergiusz Sure, sorry. I meant we don't use k8s to manage SSL certificates. We were trying to use namespaced Ingress with them. It seems like if we use Ingress, we can only use K8S-managed certificates, not Google-managed. – Dzmitry Lazerka Feb 07 '22 at 10:52
  • Can you edit your question with more in-depth description of your setup? Which services are you using and what kind of solution you want to implement. – Sergiusz Feb 09 '22 at 10:53
  • Sure, done, see UPDATE – Dzmitry Lazerka Feb 09 '22 at 11:40
  • Ran into same issue with terraform. Used a non default namespace, created deployment, and service there. Now used the GCP managed cert using resource `google_compute_managed_ssl_certificate`. Thought I could give name as "namespace/my-cert-name" (per GCP ingress & managed cert have to be in same namespace). But it failed regex and was unable to create the resource. This is an unlisted limitation of using google managed certificate. I suggest to maybe explore a custom LB, configure it (you will have more control, SSL, health check etc) and map it to GKE service backend - dump ingress – TechFree Sep 06 '22 at 13:43
  • @TechFree Yes that's what I did, got rid of Ingress at all, and configured all the LB myself with Terraform. More code, but now it's more predictable, if some config is wrong it fails immediately. The key is to use `cloud.google.com/neg` annotation on a Service, to pick it up with `data google_compute_network_endpoint_group`. – Dzmitry Lazerka Sep 20 '22 at 22:49
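The Ingress-free setup described in the last comment, written out as an added example (this is not code from the original post or from Google): a Service in a non-default namespace is exposed as a standalone NEG through the `cloud.google.com/neg` annotation, Terraform reads that NEG with `data google_compute_network_endpoint_group`, and the backend is wired into an external HTTPS load balancer that references the `google_compute_managed_ssl_certificate` directly, so no Ingress controller ever prefixes the certificate name with a namespace. All names, the zone `us-central1-a`, the `default` network, the domain, the container port 8080 and the `/healthz` path are assumptions; the `google` and `kubernetes` providers are assumed to be configured elsewhere.

```hcl
# Added example, not from the original post. Assumes configured google and
# kubernetes providers, a single-zone cluster in us-central1-a, pods that
# listen on 8080 and answer GET /healthz. All names and values are made up.

# Service in a non-default namespace. The NEG annotation makes GKE create a
# standalone network endpoint group (pod IP:port pairs) named my-app-neg.
# No Ingress is involved, so the pre-shared-cert annotation is never consulted.
resource "kubernetes_service" "app" {
  metadata {
    name      = "my-app"
    namespace = "my-namespace"
    annotations = {
      "cloud.google.com/neg" = jsonencode({
        exposed_ports = { "80" = { name = "my-app-neg" } }
      })
    }
  }
  spec {
    type     = "ClusterIP"
    selector = { app = "my-app" }
    port {
      port        = 80
      target_port = 8080
    }
  }
}

# Read the NEG that GKE created for the Service. A multi-zone cluster gets one
# NEG per zone, so use one data block (and one backend block) per zone.
data "google_compute_network_endpoint_group" "app" {
  name       = "my-app-neg"
  zone       = "us-central1-a"
  depends_on = [kubernetes_service.app]
}

# Health checks for NEG backends reach pod IPs directly. Only Google's
# health-check source ranges need to reach the container port; nothing wider.
resource "google_compute_firewall" "allow_health_checks" {
  name          = "allow-gclb-health-checks"
  network       = "default"
  direction     = "INGRESS"
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }
}

resource "google_compute_health_check" "app" {
  name = "my-app-hc"
  http_health_check {
    port         = 8080
    request_path = "/healthz"
  }
}

resource "google_compute_backend_service" "app" {
  name          = "my-app-backend"
  protocol      = "HTTP"
  health_checks = [google_compute_health_check.app.id]
  backend {
    group                 = data.google_compute_network_endpoint_group.app.id
    balancing_mode        = "RATE"
    max_rate_per_endpoint = 100
  }
}

resource "google_compute_url_map" "app" {
  name            = "my-app-urlmap"
  default_service = google_compute_backend_service.app.id
}

# The Google-managed certificate is attached by its plain name; without an
# Ingress controller there is nothing that rewrites it to namespace/name.
resource "google_compute_managed_ssl_certificate" "app" {
  name = "my-cert-name"
  managed {
    domains = ["app.example.com"]
  }
}

resource "google_compute_target_https_proxy" "app" {
  name             = "my-app-https-proxy"
  url_map          = google_compute_url_map.app.id
  ssl_certificates = [google_compute_managed_ssl_certificate.app.id]
}

resource "google_compute_global_forwarding_rule" "app" {
  name       = "my-app-https"
  target     = google_compute_target_https_proxy.app.id
  port_range = "443"
}
```

After `terraform apply`, the managed certificate stays in the PROVISIONING state until the DNS record for the domain points at the forwarding rule's address, so serving over 443 only starts once that record exists. The firewall rule is deliberately limited to the two Google health-check ranges and the single container port; if the cluster nodes carry network tags, `target_tags` on that rule narrows it further.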

1 Answer

This has been suggested, but is currently not supported; you can see the progress here.
It is possible to sync secrets across namespaces using cert-manager, but this only works for wildcard certificates.
You would have to move the ingress into the default namespace or use a different certificate provider.

Sergiusz