Tags: kubernetes, google-kubernetes-engine, lets-encrypt, cert-manager, kubernetes-gateway-api

Let's Encrypt SSL on GKE Gateway w/ Regional Static IP (and all Standard Tier Networking)? Cert-Manager won't replace the CA in the cert


I have a proof of concept personal project migrating a web app to Kubernetes on GCE (GKE). It's OK if load times are a little longer. Minimizing costs is important.

Relevant project specs:

  • Single cluster
  • Standard Tier networking
  • Regional Gateway (TLS will terminate in that specific region only and not necessarily at the nearest global Google PoP)
  • Regional IP
  • All nodes in the same region

Now I am trying to set up Let's Encrypt SSL on my page by following the guides below:

  • (link) <-- this one uses an Ingress instead of a Gateway, but same basic principle
  • (link) <-- this one uses a Gateway, but on a Google Global Load Balancer which is on the Premium Tier. On the Premium Tier you may as well use a free Google managed SSL cert instead, which is not offered on Standard Tier
  • (link) <-- this one is the original cert-manager guide. It's a bit dated, and specifically for Ingress, not Gateway.

My issue is, the guides ask you to create a self-signed cert first, and then cert-manager will realize the CA is incorrect and automatically update it once the secret is provisioned on the Gateway. For me, that doesn't happen. It remains self-signed by myself and the CA is never updated to Let's Encrypt.

I have followed the guides to a T using the same Nginx image, Service and HTTPRoute mentioned. My Gateway will route HTTP traffic fine on port 80. The guides say cert-manager is supposed to automatically update the CA when I put in the secret for HTTPS traffic on port 443.

Code sample from my Gateway below:

spec:
  gatewayClassName: gke-l7-regional-external-managed # single-cluster regional external load balancer; TLS terminates at this regional LB instead of at the global PoPs
  addresses:
  - type: NamedAddress # references the name of the static IP address
    value: main
  listeners:
  # HTTP listener
  - name: any-http
    hostname: "*.--------------.com"
    port: 80
    protocol: HTTP
    allowedRoutes:
      kinds:
      - kind: HTTPRoute
      namespaces:
        from: All
  # HTTPS listener; cert-manager is expected to replace the self-signed cert in this Secret
  - name: any-https
    hostname: "www.---------------.com"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""
        name: secret-tls
    allowedRoutes:
      kinds:
      - kind: HTTPRoute
      namespaces:
        from: All

Has anyone ever done this successfully on a Regional load balancer on a Gateway with GKE?


Solution

Per cert-manager (https://cert-manager.io/docs/usage/gateway/) and the Kubernetes Gateway API implementations list (https://gateway-api.sigs.k8s.io/implementations/):

    🚧 cert-manager 1.8+ is tested with v1alpha2 Kubernetes Gateway API. It should also work with v1beta1 because of resource conversion, but has not been tested with it.

Evidently it does not yet work with v1beta1 as of this writing (8/25/23, 11 PM EST). I will stay tuned for the next release of cert-manager, which is expected any day now since they tend to release every 3-4 months and their last release was in May 2023.
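An added pre-flight check, written for this page and not taken from the question, the answer or cert-manager's own code: it tests a Gateway manifest against the conditions cert-manager's gateway usage docs give for creating a Certificate from a listener (an issuer annotation on the Gateway; a listener with a hostname, tls.mode Terminate and exactly one certificateRef that is a core-group Secret). The Gateway from the question is transcribed into a dict; because the posted snippet starts at spec:, its metadata (name and empty annotations) is a constructed placeholder, so the annotation finding reflects the snippet rather than the asker's real object, and the Gateway API version mismatch named in the answer is a cluster-side check this script does not cover.

```python
# Added pre-flight check (not code from the question or the answer): does a
# Gateway meet the conditions cert-manager documents for its gateway-shim?
ISSUER_ANNOTATIONS = ("cert-manager.io/issuer", "cert-manager.io/cluster-issuer")

# The Gateway from the question as a dict. The posted snippet begins at spec:,
# so metadata here is a constructed placeholder with no annotations.
GATEWAY = {
    "metadata": {"name": "example-gateway", "annotations": {}},
    "spec": {
        "gatewayClassName": "gke-l7-regional-external-managed",
        "listeners": [
            {"name": "any-http", "hostname": "*.--------------.com",
             "port": 80, "protocol": "HTTP"},
            {"name": "any-https", "hostname": "www.---------------.com",
             "port": 443, "protocol": "HTTPS",
             "tls": {"mode": "Terminate",
                     "certificateRefs": [{"kind": "Secret", "group": "",
                                          "name": "secret-tls"}]}},
        ],
    },
}

def check_listener(listener):
    """Reasons cert-manager would skip this listener; empty list means eligible."""
    tls = listener.get("tls")
    if tls is None:
        return ["no tls block (plain HTTP listener, nothing to issue)"]
    problems = []
    if not listener.get("hostname"):
        problems.append("no hostname, so no DNS name for the Certificate")
    if tls.get("mode", "Terminate") != "Terminate":
        problems.append(f"tls.mode is {tls.get('mode')!r}, expected 'Terminate'")
    refs = tls.get("certificateRefs", [])
    if len(refs) != 1:
        problems.append(f"{len(refs)} certificateRefs, expected exactly 1")
    for ref in refs:  # Gateway API defaults: kind Secret, group "" (core)
        if ref.get("kind", "Secret") != "Secret" or ref.get("group", "") != "":
            problems.append("certificateRef is not a core-group Secret")
    return problems

def check_gateway(gw):
    """Map listener name -> problems; the '' key holds Gateway-level problems."""
    report = {}
    annotations = gw.get("metadata", {}).get("annotations") or {}
    if not any(key in annotations for key in ISSUER_ANNOTATIONS):
        report[""] = ["no cert-manager.io/issuer or cert-manager.io/cluster-issuer annotation"]
    for listener in gw["spec"]["listeners"]:
        report[listener["name"]] = check_listener(listener)
    return report
```

Running check_gateway(GATEWAY) reports the any-https listener as eligible, the any-http listener as skipped for having no tls block, and the placeholder metadata as lacking an issuer annotation.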