Reputation: 175
GKE Autopilot: How to add/manage SSL Certificate to GKE autopilot
I recently set up a GKE autopilot but realized it doesn't support webhooks which cert-manager is dependent on. What are the other options we have to add/manage SSL certificates to a GKE auto-pilot cluster?
Upvotes: 9
Views: 3936
Answers (3)
Reputation: 787
I have been facing an issue while configuring Certificate-Manager with Autopilot GKE Cluster, the error I was getting is below:
Internal error occurred: failed calling webhook "webhook.cert-manager.io":failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/validate?timeout=30s": tls: failed to verify certificate: x509: certificate signed by unknown authority
I was trying to follow the below document:
The discussion on this thread, particularly the below link helped me to troubleshoot and identify the issue:
https://github.com/cert-manager/cert-manager/issues/3717
Basically, you need to install the Cert-Manager through Helm and override the global.leaderElection.namespace with the namespace you are deploying everything into usually it should be cert-manager, so you should execute below commands:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.6.0 --set global.leaderElection.namespace=cert-manager --set installCRDs=true --set prometheus.enabled=false
Thanks to @Brad J and Priya Gaikwad for putting useful information above.
Upvotes: 0
Reputation: 495
As of May 2021, GKE Autopilot has no support for 3rd party webhooks. Without webhooks, many Kubernetes plugins such as cert-manager cannot operate correctly. Cert-manager uses a custom mutating admission webhook to manage certificates, which is immutable on GKE Autopilot.
To add/manage SSL certificates for Autopilot clusters, you should first start with this official GCP doc Google-managed SSL certificates.
You can configure Google-managed SSL certificates using a ManagedCertificate custom resource, which is available in different API versions, depending on your GKE cluster version. It's recommended that you use a newer API version.
- ManagedCertificate v1beta2 API is available in GKE cluster versions 1.15 and later.
- ManagedCertificate v1 API is available in GKE cluster versions 1.17.9-gke.6300 and later.
Note: Google-managed SSL certificates aren't currently supported for internal HTTPS load balancers. For internal HTTPS load balancers, use self-managed SSL certificates instead. This feature is only available for Ingress for External HTTP(S) Load Balancing, can read more here.
To configure a Google-managed SSL certificate and associate it with an Ingress, follow the two basic steps first:
- Create a ManagedCertificate object in the same namespace as the Ingress.
- Associate the ManagedCertificate object to an Ingress by adding an annotation networking.gke.io/managed-certificates to the Ingress. This annotation is a comma-separated list of ManagedCertificate resources, cert1,cert2,cert3 for example. Which is mentioned in detail here.
You have to follow some prerequisites:
- You must own the domain name (Google Domains or another registrar).
- Your "kubernetes.io/ingress.class" must be "gce".
- Create a reserved (static) external IP address. If you do not reserve an address, it may change, requiring you to reconfigure your domain's DNS records.
For setting up a Google-managed certificate, go through the sample ManagedCertificate manifest.
Upvotes: 8
Related Questions
- How enable google managed certificate on Google Kubernetes?
- GKE update SSL certificate from Google-managed to self-managed
- How to use the Google Managed Certificate for GKE Kubernetes
- How to put self-signed certificate to each node of GKE cluster?
- GKE Loadbalancer how to add SSL Certs
- Loading certificate to GKE service
- Enabling SSL on GKE endpoints not working correctly
- How to configure a SSL certificate to be used by Kubernetes with Google Cloud?
- GKE Managed Certificate not serving over HTTPS
- EV SSL Certificate in Kubernetes