Tags: kubernetes, google-cloud-platform, ssl-certificate, google-kubernetes-engine, istio

How to use an already created Google-managed SSL certificate with GKE ingress or Istio ingress


I already have a Google-managed SSL certificate created (with the DNS verification option). I want to use the same certificate in my istio-ingress for SSL. Are there any annotations available for this?

We can create a ManagedCertificate resource in GKE, but it uses the load balancer verification option, which does not support wildcard certificates.

What should I do if I want to create a certificate like (*.example.com) and attach it to istio-ingress or GKE ingress?


Solution

  • You can create the wildcard certificate with cert-manager.

    Here is my article on requesting a wildcard certificate with DNS verification, as it's not supported with HTTP.

    https://medium.com/@harsh.manvar111/wild-card-certificate-using-cert-manager-in-kubernetes-3406b042d5a2

    For GCP DNS verification you can follow the official guide: https://cert-manager.io/docs/configuration/acme/dns01/google/

    Once auth is successful you will be able to request the certificate, and it will get stored in a K8s secret.

    Create a service account:

    PROJECT_ID=myproject-id
    gcloud iam service-accounts create dns01-solver --display-name "dns01-solver"
    

    Binding policy:

    gcloud projects add-iam-policy-binding $PROJECT_ID \
       --member serviceAccount:dns01-solver@$PROJECT_ID.iam.gserviceaccount.com \
       --role roles/dns.admin
    

    K8s secret:

    gcloud iam service-accounts keys create key.json \
       --iam-account dns01-solver@$PROJECT_ID.iam.gserviceaccount.com
    kubectl create secret generic clouddns-dns01-solver-svc-acct \
       --from-file=key.json
    

    Issuer and Certificate:

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: gcp-issuer
    spec:
      acme:
        ...
        solvers:
        - dns01:
            cloudDNS:
              # The ID of the GCP project (YAML is not shell: put the literal
              # project ID here, $PROJECT_ID is not expanded)
              project: $PROJECT_ID
              # This is the secret used to access the service account
              serviceAccountSecretRef:
                name: clouddns-dns01-solver-svc-acct
                key: key.json
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: le-crt
    spec:
      # cert-manager writes the issued certificate and key into this secret
      secretName: tls-secret
      issuerRef:
        kind: Issuer
        name: gcp-issuer   # must reference the Issuer defined above
      commonName: "*.devops.example.in"
      dnsNames:
        - "*.devops.example.in"
    

    You can attach this newly auto-created secret to an Ingress or a Gateway in Istio as needed. That secret will store your wildcard certificate.

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: gateway
      annotations:
        # informational only: cert-manager does not act on Istio Gateway
        # annotations; the Certificate above is what issues the secret
        cert-manager.io/issuer: gcp-issuer
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        tls:
          mode: SIMPLE
          # This should match the Certificate secretName. The secret must live
          # in the namespace of the ingress gateway pods (istio-system by
          # default), so create the Certificate in that namespace.
          credentialName: tls-secret
        hosts:
        - "*.devops.example.in"   # a bare * must be quoted in YAML
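
    The pieces above only work together when the Gateway's credentialName equals the Certificate's secretName, the secret lands in the ingress gateway's namespace, and every Gateway host is actually covered by the wildcard (a single `*.` label covers `api.devops.example.in`, but not the bare `devops.example.in` or a two-level `a.b.devops.example.in`). The following added check, which is not part of the original answer, runs those three rules over constructed objects shaped like `kubectl get ... -o json` output; the `istio-system` namespace is an assumption matching a default Istio install.

```python
# Constructed sample objects in the shape of `kubectl get ... -o json`,
# mirroring the Certificate and Gateway from the answer above.
CERTIFICATE = {
    "metadata": {"name": "le-crt", "namespace": "istio-system"},
    "spec": {"secretName": "tls-secret", "dnsNames": ["*.devops.example.in"]},
}
GATEWAY = {
    "metadata": {"name": "gateway", "namespace": "istio-system"},
    "spec": {"servers": [{
        "port": {"number": 443, "name": "https", "protocol": "HTTPS"},
        "tls": {"mode": "SIMPLE", "credentialName": "tls-secret"},
        "hosts": ["api.devops.example.in",     # covered by *.devops.example.in
                  "devops.example.in",         # not covered: zero labels
                  "a.b.devops.example.in"],    # not covered: two labels
    }]},
}

def host_covered(host, dns_names):
    """TLS wildcard rule: a leading '*.' matches exactly one DNS label."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in dns_names):
        if name.startswith("*."):
            label, sep, rest = host.partition(".")
            if sep and label and "*" not in label and rest == name[2:]:
                return True
        elif name == host:
            return True
    return False

def check_gateway(gateway, certificate, ingress_namespace="istio-system"):
    """Return a list of problems (empty means consistent). Istio reads
    credentialName from the ingress gateway's own namespace, so the
    Certificate's secret must be created there (assumes a default install)."""
    spec, problems = certificate["spec"], []
    cert_ns = certificate["metadata"].get("namespace")
    if cert_ns != ingress_namespace:
        problems.append(f"secret {spec['secretName']!r} is created in "
                        f"{cert_ns!r}, not in {ingress_namespace!r}")
    for server in gateway["spec"]["servers"]:
        tls = server.get("tls", {})
        if tls.get("mode") not in ("SIMPLE", "MUTUAL"):
            continue  # PASSTHROUGH servers do not use credentialName
        if tls.get("credentialName") != spec["secretName"]:
            problems.append(f"credentialName {tls.get('credentialName')!r} "
                            f"does not match secretName {spec['secretName']!r}")
        for host in server.get("hosts", []):
            bare = host.rsplit("/", 1)[-1]  # drop Istio's optional 'ns/' prefix
            if not host_covered(bare, spec["dnsNames"]):
                problems.append(f"host {host!r} not covered by {spec['dnsNames']}")
    return problems
```

Running `check_gateway(GATEWAY, CERTIFICATE)` on the sample reports the two uncovered hosts; moving the Certificate to another namespace adds a third problem.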