Closed evilr00t closed 4 years ago
I've verified myself that GKE Managed Certificates indeed work with CNAMEs. The CNAME must point at a Google external LB IP address.
```yaml
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: test-certificate
spec:
  domains:
    - a.example.com
```

```
a.example.com. IN CNAME b.example.com.
b.example.com. IN A <
```
```yaml
apiVersion: v1
items:
- apiVersion: networking.gke.io/v1
  kind: ManagedCertificate
  metadata:
    generation: 3
    name: test-certificate
    namespace: default
    resourceVersion: "467678219"
    uid: 29b0da0a-e828-40b5-85d2-0bb717df8b24
  spec:
    domains:
    - enrol-qat.apps.reducted.edu
  status:
    certificateName: mcrt-88083bef-13ee-489f-97c6-9d1d3867d68e
    certificateStatus: Provisioning
    domainStatus:
    - domain: enrol-qat.apps.reducted.edu
      status: FailedNotVisible
kind: List
metadata:
  resourceVersion: ""
```

while

```
❯ dig A enrol-qat.apps.reducted.edu
; <<>> DiG 9.10.6 <<>> A enrol-qat.apps.reducted.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15697
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;enrol-qat.apps.reducted.edu. IN A
;; ANSWER SECTION:
enrol-qat.apps.reducted.edu. 3600 IN CNAME classpath.ut1.reducted.ai.
classpath.ut1.reducted.ai. 300 IN A 34.36.91.*
```
Hello!
I don't know if this is a known issue, although I've faced it using gke-managed-certs. If the domain used for the cert is a CNAME record then it does not work - even though it resolves to the LB IP address.
Let's Encrypt, as far as I know, allows the use of CNAMEs - so I would assume this is a managed-certs issue.
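
A pre-check for the condition stated in the thread (the CNAME chain must end at the load balancer's IP), added here as an example and not taken from the issue or from gke-managed-certs: it parses `dig` answer-section text, follows the CNAME chain and compares the terminal A records with the expected address. The record data and the 203.0.113.10 address are constructed placeholders, and requiring every terminal A record to match is an assumption of this sketch.

```python
# Added example: constructed dig ANSWER sections; names and IPs are placeholders.
VISIBLE = """\
a.example.com. 3600 IN CNAME b.example.com.
b.example.com. 300 IN A 203.0.113.10
"""
LOOP = """\
a.example.com. 3600 IN CNAME b.example.com.
b.example.com. 3600 IN CNAME a.example.com.
"""

def parse_answer(text):
    """Parse 'name ttl IN type rdata' lines into {name: [(type, rdata)]}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or line.startswith(";") or parts[2] != "IN":
            continue  # skip dig comments, headers and anything malformed
        name, _ttl, _cls, rtype, rdata = parts
        records.setdefault(name.lower().rstrip("."), []).append(
            (rtype.upper(), rdata.lower().rstrip(".")))
    return records

def resolve_chain(records, domain, max_hops=8):
    """Follow CNAMEs from domain; return the set of terminal A addresses."""
    name, seen = domain.lower().rstrip("."), set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrs = records.get(name, [])
        cnames = [r for t, r in rrs if t == "CNAME"]
        if not cnames:
            return {r for t, r in rrs if t == "A"}
        name = cnames[0]
    raise ValueError("CNAME chain too long")

def points_at_lb(answer_text, domain, lb_ip):
    """True only if the chain ends in A records that all equal lb_ip."""
    try:
        addrs = resolve_chain(parse_answer(answer_text), domain)
    except ValueError:
        return False  # a loop or over-long chain never reaches the LB
    return addrs == {lb_ip}

if __name__ == "__main__":
    print("match:   ", points_at_lb(VISIBLE, "a.example.com", "203.0.113.10"))
    print("mismatch:", points_at_lb(VISIBLE, "a.example.com", "198.51.100.7"))
    print("loop:    ", points_at_lb(LOOP, "a.example.com", "203.0.113.10"))
```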