GoogleCloudPlatform / gke-managed-certs

Managed Certificates for Kubernetes clusters using GCLB
Apache License 2.0

Using ManagedCertificate with Gateway API #55

Closed masus04 closed 2 years ago

masus04 commented 2 years ago

According to the Deploying Gateways post, I've been trying to deploy a Gateway using an existing ManagedCertificate.

I have used the ManagedCertificate with an Ingress before, so I assume it is configured correctly.

I then tried to reference it in the Gateway as follows:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: {{ .Values.gateway.name }}
spec:
  gatewayClassName: gke-l7-gxlb
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    allowedRoutes:
      kinds:
      - kind: HTTPRoute
    tls:
      mode: Terminate
      options:
        networking.gke.io/pre-shared-certs: {{ .Values.certificates.managedCertName | quote }}
  addresses:
  - type: NamedAddress
    value: {{ .Values.gateway.staticIPName }}

which results in the Gateway logging the following event/error:

Warning  SYNC    24s (x5 over 8m26s)  sc-gateway-controller  failed to translate Gateway "default/{{managedCertName}}": Error GWCER105: Listener "https" is invalid, err: SslCertificate "global/sslCertificates/{{managedCertName}}" does not exist.

Any ideas on how I can fix this?

PS: I also can't remove the Gateway as soon as it's deployed, but that might be a separate issue.

krzykwas commented 2 years ago

Please see the limitations section in the readme. Why did you assume Gateway is supported?

masus04 commented 2 years ago

According to the limitations section, creating a secret automatically is not supported, however, using an existing one is. That led me to believe it was possible to create a managed secret resource and reference it in the gateway, as it would be an "existing secret".

krzykwas commented 2 years ago

GKE Gateway can use Compute API SslCertificate resources. ManagedCertificate is a Kubernetes resource (which actually is implemented on top of SslCertificates too). GKE Gateway cannot use ManagedCertificates, though. It's explained in the readme that only GKE Ingress is supported.

We've recently launched an integration between GKE Gateway and Cloud Certificate Manager. It may suit your needs.
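The GWCER105 event in this thread reports that the name given in `networking.gke.io/pre-shared-certs` was looked up as a Compute API SslCertificate (`global/sslCertificates/<name>`) and not found. The following script is an added diagnostic, not part of gke-managed-certs or GKE Gateway: it extracts the missing certificate name from such an event, splits the `pre-shared-certs` option into individual names (assumed comma-separated), and checks each against the set of global SslCertificates that exist in the project. `list_global_ssl_certificates` shells out to `gcloud compute ssl-certificates list --global --format=json`; the sample event text and the certificate set used in `main` are constructed for illustration.

```python
import json
import re
import subprocess
from typing import Dict, Iterable, List, Optional, Set

# Pattern for the GWCER105 event text quoted in this issue (constructed from
# that message; the resource path is global/sslCertificates/<name>).
GWCER105_RE = re.compile(
    r'SslCertificate "(?P<path>global/sslCertificates/(?P<name>[^"]+))" does not exist'
)


def missing_cert_from_event(event_message: str) -> Optional[str]:
    """Return the SslCertificate name a GWCER105 event says is missing, or None."""
    match = GWCER105_RE.search(event_message)
    return match.group("name") if match else None


def split_pre_shared_certs(option_value: str) -> List[str]:
    """Split a networking.gke.io/pre-shared-certs value into certificate names.

    Assumption: the option is a comma-separated list; surrounding whitespace is ignored.
    """
    return [name.strip() for name in option_value.split(",") if name.strip()]


def list_global_ssl_certificates() -> Set[str]:
    """Names of the Compute API SslCertificates that exist in the active gcloud project.

    This is the namespace GKE Gateway resolves pre-shared-certs against; a
    ManagedCertificate object's name is a Kubernetes name, not a name in this set.
    """
    result = subprocess.run(
        ["gcloud", "compute", "ssl-certificates", "list", "--global", "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return {cert["name"] for cert in json.loads(result.stdout)}


def check_pre_shared_certs(option_value: str, existing: Iterable[str]) -> Dict[str, bool]:
    """Map each referenced certificate name to whether a global SslCertificate exists for it."""
    existing_set = set(existing)
    return {name: name in existing_set for name in split_pre_shared_certs(option_value)}


def main() -> None:
    # Constructed sample event, mirroring the message shape from this issue.
    event = (
        'failed to translate Gateway "default/my-gateway": Error GWCER105: '
        'Listener "https" is invalid, err: SslCertificate '
        '"global/sslCertificates/my-managed-cert" does not exist.'
    )
    print("event names missing cert:", missing_cert_from_event(event))

    # Constructed stand-in for list_global_ssl_certificates(); replace with the
    # real call when running against a project.
    existing = {"web-frontend-cert"}
    report = check_pre_shared_certs("web-frontend-cert, my-managed-cert", existing)
    for name, found in report.items():
        state = "ok" if found else "MISSING (not a Compute SslCertificate)"
        print(f"{name}: {state}")


if __name__ == "__main__":
    main()
```

Run with `python3 check_certs.py` for the offline sample, or swap the constructed `existing` set for `list_global_ssl_certificates()` to check a live project; any name reported as missing needs to be an actual Compute API SslCertificate (or, per the maintainer's last comment, a Certificate Manager certificate) rather than a ManagedCertificate object.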