Tags: ssl, kubernetes, google-kubernetes-engine

GKE Autopilot: How to add/manage SSL Certificate to GKE autopilot

I recently set up a GKE Autopilot cluster but realized it doesn't support webhooks, which cert-manager is dependent on. What are the other options we have to add/manage SSL certificates to a GKE Autopilot cluster?


Solution

  • As of May 2021, GKE Autopilot has no support for third-party webhooks. Without webhooks, many Kubernetes plugins such as cert-manager cannot operate correctly. Cert-manager uses a custom mutating admission webhook to manage certificates, which is immutable on GKE Autopilot.

    To add/manage SSL certificates for Autopilot clusters, you should first start with the official GCP doc "Google-managed SSL certificates".

    You can configure Google-managed SSL certificates using a ManagedCertificate custom resource, which is available in different API versions, depending on your GKE cluster version. It's recommended that you use a newer API version.

    Note: Google-managed SSL certificates aren't currently supported for internal HTTPS load balancers. For internal HTTPS load balancers, use self-managed SSL certificates instead. This feature is only available for Ingress for External HTTP(S) Load Balancing; you can read more here.

    To configure a Google-managed SSL certificate and associate it with an Ingress, follow the two basic steps first:

    You have to follow some prerequisites:

    For setting up a Google-managed certificate, go through the sample ManagedCertificate manifest.
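As an added example (not part of the original answer or the GCP doc), the manifests below show a ManagedCertificate bound to an external GCE Ingress, plus a FrontendConfig that redirects plain HTTP to HTTPS, which goes one step beyond the answer. The hostname app.example.com, the reserved static IP name web-static-ip and the Service web-svc are placeholders.

```yaml
# Added example, not from the original answer. Placeholders to replace:
# app.example.com, web-static-ip, web-svc.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: web-cert
spec:
  domains:
    - app.example.com   # DNS for this name must point at the Ingress IP before the cert goes Active
---
# Optional hardening: send HTTP clients to HTTPS so credentials never travel in clear text.
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: web-frontend
spec:
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    # External HTTP(S) load balancer only; internal LBs do not support Google-managed certs.
    kubernetes.io/ingress.class: "gce"
    # Reserve first: gcloud compute addresses create web-static-ip --global
    kubernetes.io/ingress.global-static-ip-name: "web-static-ip"
    # Comma-separated list of ManagedCertificate names to attach to this load balancer.
    networking.gke.io/managed-certificates: "web-cert"
    networking.gke.io/v1beta1.FrontendConfig: "web-frontend"
spec:
  defaultBackend:
    service:
      name: web-svc
      port:
        number: 80
```

`kubectl describe managedcertificate web-cert` shows the per-domain status; it stays Provisioning until the domain's DNS record resolves to the load balancer's address, and only after it reports Active does the Ingress serve the certificate.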