GoogleCloudPlatform / gke-managed-certs

Managed Certificates for Kubernetes clusters using GCLB
Apache License 2.0

Adding >15 certs to GKE ingress #41

Closed immber closed 3 years ago

immber commented 4 years ago

I'm using managed certs (1 domain/cert) with a kubernetes ingress on GKE, and am running into the limit of not being able to add more than 15 certs to the ingress.

Is there a work around to point more than 15 domains at a GKE cluster or is that not possible using managed certs?

nd2s commented 4 years ago

I also just ran into this issue. Isn't there some quota one can increase?

Only allowing a single domain per certificate and then severely limiting the number of certificates is a bit strange. Domain with and without www uses up two certs already...

YngveMolnes commented 4 years ago

The quota is 15 certificates per frontend configuration for a given Google load balancer. If you add more frontend configurations, i.e. more IPv4 / IPv6 addresses, you can add additional certificates. I haven't tested this with managed certificates though.

krzykwas commented 4 years ago

0.4.2 / GKE 1.16.5-gke.1+ supports multi-SAN using ManagedCertificate v1beta2

It is not possible to add more than 15 certificates to a single load balancer.
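An added example, not part of the original thread or the project's own documentation: a multi-SAN `ManagedCertificate` using the v1beta2 API mentioned above, so that several hostnames consume one of the 15 certificate slots on the load balancer instead of one slot each. The resource names, domains and backend service are constructed placeholders, and the Ingress is written against `networking.k8s.io/v1` as an assumption about the cluster version.

```yaml
# One certificate covering several hostnames (multi-SAN).
# Domains below are constructed placeholders.
apiVersion: networking.gke.io/v1beta2
kind: ManagedCertificate
metadata:
  name: example-multi-san-cert   # hypothetical name
spec:
  domains:
    - example.com
    - www.example.com            # apex and www share one certificate
    - shop.example.com
---
# Ingress that attaches the certificate through the managed-certificates
# annotation. The annotation value is a comma-separated list of
# ManagedCertificate names; each name counts toward the per-load-balancer limit.
apiVersion: networking.k8s.io/v1   # assumption: cluster serves Ingress v1
kind: Ingress
metadata:
  name: example-ingress            # hypothetical name
  annotations:
    networking.gke.io/managed-certificates: example-multi-san-cert
spec:
  defaultBackend:
    service:
      name: example-service        # hypothetical backend Service
      port:
        number: 80
```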

ptomasroos commented 4 years ago

This made my day. Have a great weekend

immber commented 4 years ago

While multi-SAN support is great if you're setting up a bunch of domains all at once, there is still the issue where you cannot edit a managed cert to update it to add additional domains after it's been created.

Per @YngveMolnes's comment about adding more front end configurations, I've since been able to test this with Managed Certs and can confirm that it works.

While Google's GKE support insists that the max # of managed cert annotations that can be added to an ingress is 15, I've successfully exceeded that limit by adding additional IPs, Forwarding Rules, and Target Proxies to a cluster with a single annotated ingress.

Steps I used to get >15 managed certs on an ingress with multiple front end configurations:

krzykwas commented 4 years ago

There are two limits: a hard limit of 15 certificates per load balancer, and a quota-controlled limit of number of certificates per project.