Murali Kotharamban

Automating Certificate Management using GKE's Managed Certificates

In a previous post, I explored using Let’s Encrypt and cert-manager to automate TLS certificate management on Kubernetes. In this post, we’ll cover how to use GKE Managed Certificates to automate the TLS certificate lifecycle for applications running on Google Kubernetes Engine — no cert-manager required.

We’ll use the Sock Shop demo application again.

Note: At the time of writing, GKE Ingress does not support HTTP to HTTPS redirection when managed certificates are enabled.

Step 1: Deploy the Application

git clone https://github.com/microservices-demo/microservices-demo.git
cd microservices-demo/deploy/kubernetes
kubectl create namespace sock-shop
kubectl apply -f complete-demo.yaml

Verify everything is running:

kubectl get pod -n sock-shop
kubectl get service -n sock-shop

Step 2: Create a Managed Certificate

Replace example.com with your own domain name, then apply the ManagedCertificate resource:

# managed-cert.yaml
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: sock-shop-certificate
  namespace: sock-shop
spec:
  domains:
    - example.com

kubectl apply -f managed-cert.yaml

The certificate status will show Provisioning until you attach it to an Ingress — that’s expected. You can proceed to the next step.

kubectl get managedcertificates -n sock-shop
# NAME                    AGE   STATUS
# sock-shop-certificate   12m   Provisioning

Step 3: Create an Ingress with the Managed Certificate

# sock-shop-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: front-end-ingress
  namespace: sock-shop
  annotations:
    networking.gke.io/managed-certificates: sock-shop-certificate
    kubernetes.io/ingress.class: "gce"
spec:
  defaultBackend:
    service:
      name: front-end
      port:
        number: 80

kubectl apply -f sock-shop-ingress.yaml

Step 4: Update DNS

Get the Ingress IP:

kubectl get ingress -n sock-shop
# NAME                CLASS    HOSTS   ADDRESS    PORTS   AGE
# front-end-ingress   <none>   *       X.X.X.X    80      20m

Create an A record at your DNS provider pointing your domain at this IP.

Step 5: Verify

Provisioning does not complete until the domain resolves to the Ingress IP, because Google validates the domain through the load balancer. Once DNS propagates and the status changes to Active, your application is live on HTTPS. GKE handles the certificate issuance, renewal, and rotation automatically.

kubectl get managedcertificates -n sock-shop
# NAME                    AGE   STATUS
# sock-shop-certificate   30m   Active

Access your domain in a browser and verify the certificate — it should show a valid certificate issued by Google Trust Services.
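The browser check above can be scripted so that it runs after every deployment. The script below is an added example, not part of the original post or of GKE's tooling: it checks that the ManagedCertificate is Active, that the domain's A records point at the Ingress IP, and that the certificate actually served on port 443 is issued by Google Trust Services, names the domain, and is not close to expiry. It assumes kubectl, dig and openssl are on PATH and that the resource names match the manifests above (sock-shop namespace, sock-shop-certificate, front-end-ingress); the parsing helpers take their input as arguments so they can be exercised on captured output without a cluster.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment checks for the
# GKE ManagedCertificate and Ingress created above. Assumes kubectl, dig and
# openssl on PATH; names default to the manifests in this post.
set -eu

NAMESPACE="${NAMESPACE:-sock-shop}"
CERT_NAME="${CERT_NAME:-sock-shop-certificate}"
INGRESS_NAME="${INGRESS_NAME:-front-end-ingress}"

# Print the STATUS column for one certificate from the table printed by
# `kubectl get managedcertificates` ($1 = certificate name, $2 = table text).
managed_cert_status() {
  printf '%s\n' "$2" | awk -v n="$1" 'NR > 1 && $1 == n { print $3 }'
}

# Succeed only when the domain resolves and every A record equals the Ingress IP
# ($1 = Ingress IP, $2 = newline-separated records, i.e. `dig +short A` output).
dns_matches_ingress() {
  ingress_ip="$1"
  records="$2"
  [ -n "$records" ] || return 1
  printf '%s\n' "$records" | awk -v ip="$ingress_ip" \
    '$0 != ip { bad = 1 } END { exit bad + 0 }'
}

# Succeed when the text from `openssl x509 -noout -issuer -subject -ext subjectAltName`
# names Google Trust Services as issuer and lists the domain as CN or SAN
# ($1 = domain, $2 = x509 text).
cert_issuer_and_subject_ok() {
  domain="$1"
  x509_text="$2"
  printf '%s\n' "$x509_text" | grep -q 'Google Trust Services' || return 1
  printf '%s\n' "$x509_text" | grep -Eq "CN *= *$domain(,|\$)|DNS:$domain(,|\$)" || return 1
}

# Live checks against the cluster and the public endpoint ($1 = domain).
verify_managed_cert() {
  domain="$1"

  status=$(managed_cert_status "$CERT_NAME" "$(kubectl get managedcertificates -n "$NAMESPACE")")
  [ "$status" = "Active" ] \
    || { echo "certificate $CERT_NAME is '$status', not Active" >&2; return 1; }

  ingress_ip=$(kubectl get ingress "$INGRESS_NAME" -n "$NAMESPACE" \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  dns_matches_ingress "$ingress_ip" "$(dig +short A "$domain")" \
    || { echo "A records for $domain do not all point at $ingress_ip" >&2; return 1; }

  # Fetch the served leaf certificate with SNI set, then inspect it.
  leaf=$(openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
    | openssl x509)
  x509_text=$(printf '%s\n' "$leaf" | openssl x509 -noout -issuer -subject -ext subjectAltName)
  cert_issuer_and_subject_ok "$domain" "$x509_text" \
    || { echo "served certificate is not a Google Trust Services certificate for $domain" >&2; return 1; }

  # A certificate within 30 days of expiry means automatic renewal has not
  # happened yet and is worth investigating before it becomes an outage.
  printf '%s\n' "$leaf" | openssl x509 -noout -checkend 2592000 \
    || { echo "served certificate for $domain expires within 30 days" >&2; return 1; }

  echo "OK: $domain serves an active Google-managed certificate from $ingress_ip"
}

# Usage: sh verify-managed-cert.sh example.com
if [ "${1:-}" != "" ]; then
  verify_managed_cert "$1"
fi
```

Run it with the domain from managed-cert.yaml as the only argument; it exits non-zero on the first failed check and prints which one failed, which makes it easy to drop into a pipeline stage after the kubectl apply steps. The DNS check deliberately requires every returned A record to match, so a stale record left at the old address is caught rather than hidden behind one correct record.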


Originally published on Medium — Jun 6, 2021
