I've been using LetsEncrypt on GKE via cert-manager, based on this tutorial:
https://github.com/ahmetb/gke-letsencrypt/
I've had some issues, though: for some reason the Ingress at times stops serving my apps because of this cert-manager. I never really figured it out, but sometimes stuff just breaks, and I'm sure it's due to cert-manager because when I take that out of the equation everything works fine.
So I had to remove it a few weeks back to have my sites up again, and now the bell rang that it was time to renew the certs because of this.
And I just saw now that there's native support for LetsEncrypt in GKE's Ingress.
These are the docs I'm using: https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs. I think they were basically fine, but I was a bit unsure about the multiple domains part. I didn't really understand if I was going to be able to have multiple domains on the same Ingress/IP. The instructions say they can't use wildcards, nor SANs. Wildcards I don't think LetsEncrypt supports, but I've used SANs before. Anyway, it turned out to work fine with just a bunch of single-domain certs on the same Ingress.
The instructions say you need a single domain in the spec for ManagedCertificate, so I instead create a bunch of them like this:

```yaml
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: kostbevakningen.se-certificate
spec:
  domains:
    - kostbevakningen.se
---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: dark.kostbevakningen.se-certificate
spec:
  domains:
    - dark.kostbevakningen.se
---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: beta.kostbevakningen.se-certificate
spec:
  domains:
    - beta.kostbevakningen.se
---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: admin.kostbevakningen.se-certificate
spec:
  domains:
    - admin.kostbevakningen.se
```
Then I can just list them in a comma-separated list in the Ingress:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kb-front-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "kostbevakningen-se"
    networking.gke.io/managed-certificates: kostbevakningen.se-certificate,beta.kostbevakningen.se-certificate,dark.kostbevakningen.se-certificate,admin.kostbevakningen.se-certificate
spec:
  rules:
    - host: kostbevakningen.se
      http:
        paths:
          - backend:
              serviceName: kb-front-service
              servicePort: 5002
    - host: beta.kostbevakningen.se
      http:
        paths:
          - backend:
              serviceName: kb-front-service
              servicePort: 5002
    - host: dark.kostbevakningen.se
      http:
        paths:
          - backend:
              serviceName: kb-front-service
              servicePort: 5002
```
And that's basically it. Just `kubectl apply -f` these files, wait a few minutes, and you get a good green cert from LetsEncrypt (which, by the way, Google doesn't even mention :)
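A sanity check I'd add before trusting "wait a few minutes" (added example, not part of the original post): cross-check that every `ManagedCertificate` named in the annotation exists, has exactly one domain, and reports `certificateStatus: Active`, and that every Ingress host is covered by one of them. The sample objects are constructed to mirror the setup above, shaped like the JSON `kubectl get ingress,managedcertificate -o json` returns.

```python
# Constructed sample mirroring the post's setup: four certs, three Ingress hosts,
# the admin.* cert referenced in the annotation but with no Ingress rule, and
# the dark.* cert still provisioning (a live run would feed kubectl's JSON here).
def cert(name, domain, status):
    return {"metadata": {"name": name}, "spec": {"domains": [domain]},
            "status": {"certificateStatus": status}}

CERTS = [
    cert("kostbevakningen.se-certificate", "kostbevakningen.se", "Active"),
    cert("beta.kostbevakningen.se-certificate", "beta.kostbevakningen.se", "Active"),
    cert("dark.kostbevakningen.se-certificate", "dark.kostbevakningen.se", "Provisioning"),
    cert("admin.kostbevakningen.se-certificate", "admin.kostbevakningen.se", "Active"),
]
INGRESS = {
    "metadata": {"name": "kb-front-ingress", "annotations": {
        "networking.gke.io/managed-certificates":
            "kostbevakningen.se-certificate,beta.kostbevakningen.se-certificate,"
            "dark.kostbevakningen.se-certificate,admin.kostbevakningen.se-certificate"}},
    "spec": {"rules": [{"host": h} for h in
                       ("kostbevakningen.se", "beta.kostbevakningen.se", "dark.kostbevakningen.se")]},
}

def audit(ingress, certs):
    """Cross-check annotation, ManagedCertificate objects and Ingress hosts.
    Returns a list of findings; empty means every host is served by an Active cert."""
    findings = []
    ann = ingress["metadata"].get("annotations", {}).get("networking.gke.io/managed-certificates", "")
    referenced = [n.strip() for n in ann.split(",") if n.strip()]
    by_name = {c["metadata"]["name"]: c for c in certs}
    hosts = {r["host"] for r in ingress["spec"].get("rules", []) if "host" in r}
    covered = set()
    for name in referenced:
        c = by_name.get(name)
        if c is None:
            findings.append(f"{name}: listed in annotation but no ManagedCertificate object exists")
            continue
        domains = c["spec"]["domains"]
        if len(domains) != 1:  # managed certs take exactly one domain: no SANs, no wildcards
            findings.append(f"{name}: expected exactly one domain, got {domains}")
        status = c.get("status", {}).get("certificateStatus", "Unknown")
        if status != "Active":  # Provisioning / failed states mean no usable cert yet
            findings.append(f"{name}: certificateStatus is {status}, not Active")
        covered.update(domains)
    for host in sorted(hosts - covered):
        findings.append(f"{host}: Ingress host has no managed certificate in the annotation")
    for domain in sorted(covered - hosts):
        findings.append(f"{domain}: certificate referenced but no Ingress rule routes this host")
    return findings

if __name__ == "__main__":
    for line in audit(INGRESS, CERTS) or ["OK: every host has an Active managed certificate"]:
        print(line)
```

Run against the post's own manifests it reports two things: the dark.* cert not yet Active, and the admin.* cert listed in the annotation without a matching host rule.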
Way simpler than what I had before!