{"id":15221948,"url":"https://github.com/googlecloudplatform/gke-managed-certs","last_synced_at":"2025-10-23T02:32:00.601Z","repository":{"id":53724098,"uuid":"146440898","full_name":"GoogleCloudPlatform/gke-managed-certs","owner":"GoogleCloudPlatform","description":"Managed Certificates for Kubernetes clusters using GCLB","archived":false,"fork":false,"pushed_at":"2025-04-16T19:49:32.000Z","size":68820,"stargazers_count":246,"open_issues_count":14,"forks_count":31,"subscribers_count":35,"default_branch":"master","last_synced_at":"2025-05-16T06:04:24.523Z","etag":null,"topics":["certificate","gce","gclb","gke","ingress","kubernetes","managed","ssl-certificate","tls","tls-certificate"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GoogleCloudPlatform.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-28T11:59:49.000Z","updated_at":"2024-09-17T23:38:39.000Z","dependencies_parsed_at":"2024-01-16T17:50:12.584Z","dependency_job_id":"a6e9e328-9b80-4df9-b8ca-6ea6c2143e26","html_url":"https://github.com/GoogleCloudPlatform/gke-managed-certs","commit_stats":null,"previous_names":[],"tags_count":34,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fgke-managed-certs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fgke-managed-certs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fgke-managed-certs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fgke-managed-certs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GoogleCloudPlatform","download_url":"https://codeload.github.com/GoogleCloudPlatform/gke-managed-certs/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254478186,"owners_count":22077675,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","gce","gclb","gke","ingress","kubernetes","managed","ssl-certificate","tls","tls-certificate"],"created_at":"2024-09-28T15:09:07.737Z","updated_at":"2025-10-23T02:32:00.494Z","avatar_url":"https://github.com/GoogleCloudPlatform.png","language":"Go","readme":"# Managed Certificates\n\nManaged Certificates simplify user flow in managing HTTPS traffic.\nInstead of manually acquiring an SSL certificate from a Certificate\nAuthority, configuring it on the load balancer and renewing it on time,\nnow it is only necessary to create a Managed Certificate\n[Custom Resource object](https://kubernetes.io/docs/concepts/api-extension/custom-resources/)\nand provide the domains for which you want to obtain a certificate.\nThe certificate will be auto-renewed when necessary.\n\nFor that to work you need to run your cluster on a platform with\n[Google Cloud Load Balancer](https://github.com/kubernetes/ingress-gce),\nthat is a cluster in GKE or your own cluster in GCP.\n\nIn GKE all the components are already installed.\nFollow the [how-to](https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs)\nfor more information. For a GCP setup follow the instructions below.\n\nThis feature status is GA.\n\n# Installation\n\nManaged Certificates consist of two parts:\n* managed-certificate-controller which uses GCP Compute API to manage\n certificates securing your traffic,\n* Managed Certificate CRD which is needed to tell the controller what\n domains you want to secure.\n\n## Limitations\n\n* Managed Certificates support multi-SAN non-wildcard certificates.\n* Managed Certificates are compatible only with [GKE Ingress](https://github.com/kubernetes/ingress-gce).\n* A single ManagedCertificate supports up to 100 domain names.\n* A single Ingress supports up to 15 certificates, and all types of certificates\n count towards the limit.\n* A GCP project supports up to\n [ssl_certificates](https://cloud.google.com/load-balancing/docs/quotas#ssl_certificates)\n quota of certificates.\n\n## Prerequisites\n\n1. You need to use a Kubernetes cluster with GKE-Ingress v1.5.1+.\n * Managed Certificates have been tested against Kubernetes v1.19.0.\n * Kubernetes v1.15+ most likely will work as well.\n * Kubernetes v1.13-v1.15 most likely will work if you enable the\n [CustomResourceWebhookConversion feature](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definition-versioning/),\n otherwise Managed Certificate CRD validation will not work properly.\n1. You need to grant permissions to the controller so that it is allowed to use\n the GCP Compute API.\n * When creating the cluster, add scope *compute-rw* to the node where you will\n run the pod with managed-certificate-controller.\n * Alternatively:\n * [Create](https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes#service_account)\n a dedicated service account with minimal roles.\n ```console\n export NODE_SA_NAME=mcrt-controller-sa\n gcloud iam service-accounts create $NODE_SA_NAME --display-name \"managed-certificate-controller service account\"\n export NODE_SA_EMAIL=`gcloud iam service-accounts list --format='value(email)' \\\n --filter='displayName:managed-certificate-controller'`\n\n export PROJECT=`gcloud config get-value project`\n gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$NODE_SA_EMAIL \\\n --role roles/monitoring.metricWriter\n gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$NODE_SA_EMAIL \\\n --role roles/monitoring.viewer\n gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$NODE_SA_EMAIL \\\n --role roles/logging.logWriter\n ```\n * [Grant](https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes#additional_roles)\n additional role *roles/compute.loadBalancerAdmin* to your service\n account.\n ```console\n gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$NODE_SA_EMAIL \\\n --role roles/compute.loadBalancerAdmin\n ```\n * [Export](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys)\n a service account key to a JSON file.\n ```console\n gcloud iam service-accounts keys create ./key.json --iam-account $NODE_SA_EMAIL\n ```\n * Create a Kubernetes Secret that holds the service account key stored\n in key.json.\n ```console\n kubectl create secret generic sa-key --from-file=./key.json\n ```\n * Mount the sa-key secret to managed-certificate-controller pod. In file deploy/managed-certificate-controller.yaml add:\n * Above section *volumeMounts*\n ```\n env:\n - name: GOOGLE_APPLICATION_CREDENTIALS\n value: \"/etc/gcp/key.json\"\n ```\n * In section *volumeMounts*\n ```\n - name: sa-key-volume\n mountPath: /etc/gcp\n readOnly: true\n ```\n * In section *volumes*\n ```\n - name: sa-key-volume\n secret:\n secretName: sa-key\n items:\n - key: key.json\n path: key.json\n ```\n1. Configure your domain example.com so that it points at the load balancer\ncreated for your cluster by Ingress. If you add a CAA record to restrict the CAs that are allowed\nto provision certificates for your domain, note that Managed Certificates currently support:\n * [Google Trust Services](http://pki.goog),\n * Let's Encrypt.\nIn the future additional CAs may be available and a CAA record may make it impossible\nfor you to take advantage of them.\n\n## Steps\n\nTo install Managed Certificates in your own cluster in GCP, you need to:\n\n1. Deploy the Managed Certificate CRD\n ```console\n $ kubectl create -f deploy/managedcertificates-crd.yaml\n ```\n1. Deploy the managed-certificate-controller\n You may want to build your own managed-certificate-controller image and\n reference it in the deploy/managed-certificate-controller.yaml file. The default\n image is periodically built by a CI system and may not be stable. Alternatively\n you may use `gcr.io/gke-release/managed-certificate-controller:v1.2.11`\n which is deployed in GKE, however this README likely will not be kept up to date with\n future GKE updates, and so this image may become stale.\n ```console\n $ kubectl create -f deploy/managed-certificate-controller.yaml\n ```\n\n# Usage\n\n1. Create a Managed Certificate custom object, specifying up to 100 non-wildcard domains\nnot longer than 63 characters each, for which you want to obtain a certificate:\n ```yaml\n apiVersion: networking.gke.io/v1\n kind: ManagedCertificate\n metadata:\n name: example-certificate\n spec:\n domains:\n - example1.com\n - example2.com\n ```\n2. Configure Ingress to use this custom object to terminate SSL connections:\n ```console\n $ kubectl annotate ingress [your-ingress-name] networking.gke.io/managed-certificates=example-certificate\n ```\nIf you need, you can specify multiple managed certificates here,\nseparating their names with commas.\n\n# Clean up\n\nYou can do the below steps in any order to turn SSL off:\n\n* Remove annotation from Ingress\n ```console\n $ kubectl annotate ingress [your-ingress-name] networking.gke.io/managed-certificates-\n ```\n (note the minus sign at the end of annotation name)\n* Tear down the controller\n ```console\n $ kubectl delete -f deploy/managed-certificate-controller.yaml\n ```\n* Tear down the Managed Certificate CRD\n ```console\n $ kubectl delete -f deploy/managedcertificates-crd.yaml\n ```\n\n# Troubleshooting\n\n1. Check Kubernetes events attached to ManagedCertificate and Ingress resources\n for information on temporary failures.\n\n2. Use the same ManagedCertificate resource at every endpoint to which your domain resolves to.\n\n A real life example is when your example.com domain points at two IP\n addresses, one for IPv4 and one for IPv6. You [deploy two Ingress objects](https://github.com/kubernetes/ingress-gce/issues/87)\n to handle IPv4 and IPv6 traffic separately. If you create\n two separate ManagedCertificate resources and attach each of them to one of\n the Ingresses, one of the ManagedCertificate resources may not be\n provisioned. The reason is that the Certificate Authority is free to verify\n challenges on any of the IP addresses the domain resolves to.\n\n3. Managed Certificates communicate with GKE Ingress using annotation\n kubernetes.io/pre-shared-cert. Problems may arise for instance if you:\n\n * forcibly keep clearing this annotation,\n * store a snapshot of Ingress, tear it down and restore Ingress from the\n snapshot. In the meantime an SslCertificate resource listed in the\n pre-shared-cert annotation may not be available any more. Ingress has\n all-or-nothing semantics and will not work if a certificate it references\n is missing.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Fgke-managed-certs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgooglecloudplatform%2Fgke-managed-certs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Fgke-managed-certs/lists"}