Using Google-managed SSL certificates

Autopilot Standard

This page shows how you can use Google-managed SSL certificates for secure Ingress on GKE. You learn how to use Google's automated certificate management service to simplify HTTPS encryption for your applications.

These certificates are Domain Validation (DV) certificates that Google provisions, renews, and manages for your domain names. These certificates don't demonstrate your individual or organizational identity.

This page is for Networking specialists and Security specialists who plan and implement network security, and who develop and maintain security policies. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.

Before reading this page, ensure that you have a working knowledge of GKE, and a good understanding of networking and network security.

To learn how to create Google-managed certificates with Google Cloud, see Google-managed certificates.

Creating an Ingress with a Google-managed certificate

To configure a Google-managed SSL certificate and associate it with an Ingress, you need to:

Create a ManagedCertificate object in the same namespace as the Ingress.
Associate the ManagedCertificate object to an Ingress by adding the networking.gke.io/managed-certificates annotation to the Ingress. This annotation is a comma-separated list of ManagedCertificate objects.

Limitations

Google-managed certificates are less flexible than certificates you obtain and manage yourself. Google-managed certificates support up to 100 non-wildcard domains. Unlike self-managed certificates, Google-managed certificates don't support wildcard domains.

If you require self-managed certificates or if you already own SSL certificates that you would like to configure on your Ingress, see Setting up HTTPS (TLS) between client and load balancer.

The number and type of certificates supported by an Ingress are defined by the limits of Google-managed SSL certificates.

Updates on Google-managed certificates are not supported. For more information, see Manually updating a Google-managed certificate.

If the certificate is revoked directly with the Certificate Authority, Google does not automatically rotate the certificate. You must delete the ManagedCertificate and create a new one.

Prerequisites

You must own the domain name. The domain name must be no longer than 63 characters. You can use any domain name registrar to obtain a domain name.

Note: Google Domains is no longer in operation. Squarespace now manages domains previously purchased from Google Domains. You can manage your domain and its DNS records from your Squarespace account.
If you use a GKE Standard cluster, the HttpLoadBalancing add-on must be enabled.
Your Ingress manifest must include the kubernetes.io/ingress.class: "gce" annotation. The ingressClassName field is not supported.
You must apply Ingress and ManagedCertificate resources in the same project and namespace.
Create a reserved (static) external IP address. Reserving a static IP address ensures that it remains yours, even if you delete the Ingress. If you don't reserve an IP address, it might change, requiring you to reconfigure your domain's DNS records. Use Google Cloud CLI or the Google Cloud console to create a reserved IP address.
gcloud
To create a reserved IP address, run the following command:
```
gcloud compute addresses create ADDRESS_NAME --global
```
Replace ADDRESS_NAME with the name of the reserved IP address you are creating.

To find the static IP address you created, run the following command:
```
gcloud compute addresses describe ADDRESS_NAME --global
```
The output is similar to the following:
```
address: 203.0.113.32
...
```
Console
To create a reserved IP address, perform the following steps:
1. Go to the External IP addresses page in the Google Cloud console.
  
  Go to External IP addresses
2. Specify a name for the IP address (for example, example-ip-address).
3. Specify if you want an IPv4 or IPv6 address.
4. Select the Global option for Type.
5. Click Reserve. The IP address is listed in the External Address column.
Config Connector
Note: This step requires Config Connector. Follow the installation instructions to install Config Connector on your cluster.
apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeAddress metadata: name: example-ip-address spec: location: global
To deploy this manifest, download it to your machine as compute-address.yaml, and run:
```
kubectl apply -f compute-address.yaml
```

Setting up a Google-managed certificate

Create a ManagedCertificate object. This resource specifies the domains for the SSL certificate. Wildcard domains are not supported.

The following manifest describes a ManagedCertificate object. Save the manifest as managed-cert.yaml.
```
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: managed-cert
spec:
  domains:
    - FQDN_1
    - FQDN_2
```
Replace the following:
- FQDN_1, FQDN_2: Fully-qualified domain names that you own. For example, example.com and www.example.com.
Apply the manifest to your cluster:
```
kubectl apply -f managed-cert.yaml
```

Create a Service of type NodePort to expose your application to the internet.

The following manifest describes a Service of type NodePort. Save the manifest as mc-service.yaml.

apiVersion: v1
kind: Service
metadata:
  name: mc-service
spec:
  selector:
    app: mc-service
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

Apply the manifest to your cluster:
```
kubectl apply -f mc-service.yaml
```
Note: For this ManagedCertificate object to become Active, you must attach it to an Ingress. The ManagedCertificate does not have to already be Active for you to attach it to an Ingress.

Create an Ingress.

The following manifest describes an Ingress that uses the ManagedCertificate you created. Save the manifest as managed-cert-ingress.yaml.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: managed-cert-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: ADDRESS_NAME
    networking.gke.io/managed-certificates: managed-cert
    kubernetes.io/ingress.class: "gce"
spec:
  defaultBackend:
    service:
      name: mc-service
      port:
        number: SERVICE_PORT

Replace the following:

ADDRESS_NAME: the name of your reserved IP address.
SERVICE_PORT: the value of ports.port in your Service manifest.

Apply the manifest to your cluster:
```
kubectl apply -f managed-cert-ingress.yaml
```
Note: It might take several hours for Google Cloud to provision the load balancer and the managed certificate, and for the load balancer to begin using the new certificate. For more information, see Deploy a Google-managed certificate with load balancer authorization.
Get the IP address of the load balancer:
```
kubectl get ingress
```
The output is similar to the following:
```
NAME                 HOSTS       ADDRESS         PORTS     AGE
managed-cert-ingress   *         203.0.113.32     80       54s
```
The load balancer's IP address is listed in the ADDRESS column. If you are using a reserved static IP address that will be the load balancer's address.

If the address is not listed, wait for the Ingress to finish setting up.
Configure the DNS records for your domains to point to the IP address of the load balancer. If you use Cloud DNS, see Managing records for details.

Note: You must wait for the DNS records you configured to propagate before continuing.
Wait for the Google-managed certificate to finish provisioning. This might take up to 60 minutes. You can check the status of the certificate using the following command:
```
kubectl describe managedcertificate managed-cert
```
The output is similar to the following:
```
Name:         managed-cert
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  networking.gke.io/v1
Kind:         ManagedCertificate
(...)
Spec:
 Domains:
   FQDN_1
   FQDN_2
Status:
 CertificateStatus: Active
(...)
```
The value of the Status.CertificateStatus field indicates the certificate is provisioned. If Status.CertificateStatus is not Active, the certificate is not yet provisioned.
You can check the events on an Ingress by using the following command:
```
kubectl describe ingress INGRESS_NAME
```
Replace INGRESS_NAME with the name of your Ingress.
Verify that SSL is working by visiting your domains using the https:// prefix. Your browser indicates that the connection is secure and you can view the certificate details.

Migrating to Google-managed certificates from self-managed certificates

When you migrate an Ingress from using self-managed SSL certificates to Google-managed SSL certificates, don't delete any self-managed SSL certificates before the Google-managed SSL certificates are active. After the Google-managed SSL certificates are successfully provisioned, they automatically become active. When the Google-managed SSL certificates are active, you can delete your self-managed SSL certificates.

Use these instructions for migrating from self-managed to Google-managed SSL certificates.

Add a new Google-managed certificate to the Ingress, as described in the Setting up a Google-managed certificate section.
Wait until the status of the Google-managed certificate resource is Active. Check the status of the certificate with the following command:
```
kubectl describe managedcertificate managed-cert
```
When the status is Active, update the Ingress to remove the references to the self-managed certificate.

Removing a Google-managed certificate

To remove a Google-managed certificate from your cluster you must delete the ManagedCertificate object and remove the Ingress annotation that references it.

Delete the ManagedCertificate object:

kubectl delete -f managed-cert.yaml

The output is similar to the following:

managedcertificate.networking.gke.io "managed-cert" deleted

Remove the annotation from the Ingress:

kubectl annotate ingress managed-cert-ingress networking.gke.io/managed-certificates-

Notice the minus sign, -, at the end of the command.

Release the static IP address that you reserved for your load balancer.

You can use the Google Cloud CLI, the Google Cloud console, or Config Connector to release a reserved IP address.
gcloud
Use the following command to release the reserved IP address:
```
gcloud compute addresses delete ADDRESS_NAME --global
```
Replace ADDRESS_NAME with the name of the IP address.
Console
To release the reserved IP address, perform the following steps:
1. Go to the External IP addresses page in the Google Cloud console.
  
  Go to External IP addresses
2. Select the checkbox next to the IP address you want to release.
3. Click Release IP address.
Config Connector
Note: This step requires Config Connector. Follow the installation instructions to install Config Connector on your cluster.
apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeAddress metadata: name: example-ip-address spec: location: global
To deploy this manifest, download it to your machine as compute-address.yaml, and run:
```
kubectl delete -f compute-address.yaml
```

What's next

Learn more about Google-managed certificates.
Learn how to set up an external Application Load Balancer with Ingress.
Learn how to Use multiple SSL certificates with external Application Load Balancers with Ingress.
Implement a secure Ingress.