This post shows how to use a GKE Ingress (the gce ingress class) to create an external HTTP(S) load balancer that terminates TLS with Google-managed SSL certificates.

Google-managed SSL certificates are provisioned, renewed, and rotated by Google for the domain names you specify; the private key stays inside Google's infrastructure and is never handed to you or stored in your cluster.

Reserve a global static external IP address. The Ingress references it by name, and a stable address is what keeps the DNS records below valid if the Ingress is ever re-created:

gcloud compute addresses create web-service --global

Set up two ManagedCertificate resources, one for one.example.com and one for two.example.com (Google-managed certificates do not support wildcard domains, so every hostname must be listed explicitly):


apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: example-one
spec:
  domains:
    - one.example.com


apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: example-two
spec:
  domains:
    - two.example.com

Apply both manifests with kubectl apply -f.

Create a NodePort Service for each application. The Ingress controller uses these Services to build the load balancer's backend services; client traffic enters through the load balancer, not through the node ports directly (GKE adds firewall rules so that Google's health-check ranges can reach the node ports). Leave nodePort unset so Kubernetes allocates one from the cluster's NodePort range (30000-32767 by default); a hardcoded value outside that range is rejected when the Service is created.

The following are the Service manifests for the two applications:


apiVersion: v1
kind: Service
metadata:
  name: example-one
  labels:
    app: example-one
spec:
  type: NodePort
  selector:
    app: example-one
  ports:
  - name: example-one-port
    port: 80
    targetPort: 80
    protocol: TCP


apiVersion: v1
kind: Service
metadata:
  name: example-two
  labels:
    app: example-two
spec:
  type: NodePort
  selector:
    app: example-two
  ports:
  - name: example-two-port
    port: 8080
    targetPort: 8080
    protocol: TCP

Apply both Service manifests with kubectl apply -f.

Create an Ingress that references the reserved static IP by name and lists both ManagedCertificates in the networking.gke.io/managed-certificates annotation. The extensions/v1beta1 Ingress API was removed in Kubernetes 1.22, so the manifest uses networking.k8s.io/v1, which also requires a metadata name and a pathType on every path:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.global-static-ip-name: web-service
    networking.gke.io/managed-certificates: example-one,example-two
spec:
  rules:
  - host: one.example.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: example-one
            port:
              name: example-one-port
  - host: two.example.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: example-two
            port:
              name: example-two-port

Apply the Ingress manifest with kubectl apply -f. The controller then creates the external HTTP(S) load balancer, which takes a few minutes.

Look up the IP address assigned to the Ingress. It should be the static address reserved above and appears in the ADDRESS column once the load balancer is programmed:

kubectl get ingress

Create DNS A records for one.example.com and two.example.com pointing to that IP address. Certificate provisioning does not complete until both names resolve to the load balancer, because Google validates control of the domain through the load balancer itself; until then the domain status stays in PROVISIONING or FAILED_NOT_VISIBLE.

Google-managed certificates are issued by one of two certificate authorities (CAs), pki.goog and letsencrypt.org. Certification Authority Authorization (CAA) DNS records declare which CAs may issue certificates for a name. If your domain publishes no CAA records, any public CA may issue and nothing further is needed; if you do publish them (recommended, so that only the CAs you expect can obtain certificates for your names), they must authorize at least one of the two. If both are authorized, Google Cloud picks one to sign the certificate, and a later renewal may be signed by the other. If only one is authorized, that CA is used for both issuance and renewal. CAA lookup walks up the DNS tree and stops at the closest name that has CAA records, so a record on example.com covers both hostnames unless one of them publishes its own, more specific record. Example records that restrict issuance to pki.goog:


one.example.com CAA 0 issue "pki.goog"

two.example.com CAA 0 issue "pki.goog"
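Before relying on CAA records like the ones above, it is worth checking which policy a hostname actually ends up under, because the lookup stops at the closest name that has CAA records: a per-host record silently overrides the one on the parent zone, and an issue ";" record forbids every CA. The script below is an added example, not code from the original post, that applies the RFC 8659 lookup to a set of CAA records and reports which of the two CAs used for Google-managed certificates may issue. The record set is constructed sample data in the same "name CAA flags tag value" form as above; in practice you would paste in the output of dig +noall +answer CAA for the hostname and each of its parents. It handles non-wildcard names only: issuewild records are ignored and CNAME aliases are not followed.

```shell
#!/bin/sh
# Added example, not part of the original post: evaluate a CAA policy the way
# RFC 8659 requires. The Relevant RRset for a hostname is the CAA set of the
# closest name in its chain (the host itself, then each parent) that has one;
# with no CAA anywhere in the chain, any CA may issue. Non-wildcard names only:
# issuewild records are ignored, and CNAME aliases are not followed.

# Constructed sample records in "name CAA flags tag value" form. Lines in
# "dig +noall +answer" form ("name ttl IN CAA flags tag value") parse as well.
RECORDS='
example.com.         CAA 0 issue "pki.goog"
example.com.         CAA 0 issue "letsencrypt.org"
two.example.com.     CAA 0 issue "letsencrypt.org; validationmethods=http-01"
locked.example.com.  CAA 0 issue ";"
report.example.com.  CAA 0 iodef "mailto:security@example.com"
'

# caa_allows <hostname> <ca-domain> <records-text>
# Exit 0 if the policy lets <ca-domain> issue for <hostname>, 1 otherwise.
caa_allows() {
    printf '%s\n' "$3" | awk -v host="$1" -v ca="$2" '
        {
            c = 0
            for (i = 1; i <= NF; i++) if ($i == "CAA") { c = i; break }
            if (c == 0 || NF < c + 3) next       # not a CAA record line
            nm = $1; sub(/\.$/, "", nm)          # strip the FQDN trailing dot
            tag = $(c + 2)
            val = $(c + 3)
            for (i = c + 4; i <= NF; i++) val = val " " $i
            gsub(/"/, "", val)                   # unquote the value
            sub(/;.*/, "", val)                  # drop parameters; a bare ";" leaves ""
            gsub(/^ +| +$/, "", val)
            seen[nm] = 1
            if (tag == "issue") {
                issue[nm] = 1
                if (val == ca) ok[nm] = 1
            }
        }
        END {
            name = host
            while (name != "") {
                if (name in seen) {
                    # Relevant RRset found. With no issue tag at all (e.g. an
                    # iodef-only set) issuance is unrestricted; otherwise the
                    # CA must be named by an issue record. issue ";" names nobody.
                    if (!(name in issue)) exit 0
                    r = (name in ok) ? 0 : 1
                    exit r
                }
                if (index(name, ".") == 0) break         # checked the TLD itself
                name = substr(name, index(name, ".") + 1) # climb one label
            }
            exit 0                                       # no CAA in the chain
        }'
}

# google_caa_status <hostname> <records-text>
# Prints which of the CAs used for Google-managed certificates may issue for
# the hostname, space-separated; exit 1 if neither may (provisioning would
# end in FAILED_CAA_FORBIDDEN).
google_caa_status() {
    permitted=""
    for ca in pki.goog letsencrypt.org; do
        if caa_allows "$1" "$ca" "$2"; then
            permitted="${permitted:+$permitted }$ca"
        fi
    done
    printf '%s\n' "$permitted"
    [ -n "$permitted" ]
}

# one.example.com inherits the parent zone (both CAs); two.example.com has its
# own record that overrides it (Let's Encrypt only); locked.example.com
# forbids every CA.
for h in one.example.com two.example.com locked.example.com; do
    if cas=$(google_caa_status "$h" "$RECORDS"); then
        echo "$h: Google may issue via $cas"
    else
        echo "$h: no permitted CA; provisioning would fail"
    fi
done
```

The interesting case is two.example.com: the parent zone permits pki.goog, but the host's own record does not, so Google can only ever use letsencrypt.org there, and a renewal would fail if that record were later tightened to pki.goog alone.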


Check the provisioning status of the Google-managed certificates. Provisioning can take up to about 60 minutes after DNS is correct; managed.status must reach ACTIVE and every domain in managed.domainStatus must be ACTIVE. FAILED_NOT_VISIBLE means the name does not yet resolve to the load balancer, and FAILED_CAA_FORBIDDEN means the CAA records exclude both CAs. The same information is shown per resource by kubectl describe managedcertificate. Once the certificates are active, consider setting the annotation kubernetes.io/ingress.allow-http: "false" on the Ingress so the load balancer stops accepting plaintext HTTP.


gcloud compute ssl-certificates list --global --format="get(name,managed.status,managed.domainStatus)"