How to use ManagedCertificate in namespaced Ingress

Dzmitry Lazerka

5/29/23, 9:56 AM

I tried to use Google Managed Certificate (not through k8s) in Ingress.

If Ingress is in default namespace, everything works fine using ingress.gcp.kubernetes.io/pre-shared-cert: my-cert-name annotation.

However, if Ingress is in a namespace, it looks for a certificate named my-namespace/my-cert-name. But it's impossible to create a certificate with / in its name.

Using GKE k8s ManagedCertificate everything works fine. How to make it work with a non-k8s ManagedCertificate?

UPDATE: we use Terraform to manage SSL certificates, using google_compute_managed_ssl_certificate resource. We used GKE with Ingress, and tried to use that certificate with it. If Ingress is in default namespace -- everything works fine. If Ingress is in some other namespace -- it's impossible to use that certificate, because Ingress looks for certificate named namespacename/certname instead of certname.

224

0 + 0

google-cloud-platform

google-kubernetes-engine

Sergiusz

5/31/23, 8:40 AM

Have you followed instructions listed [here](https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs#gcloud)?

Dzmitry Lazerka

6/1/23, 9:09 AM

@Sergiusz it describes GKE (k8s) managed certificate. I'm asking about non-k8s google-managed certificate (we don't use Ingress). Like here: https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs

Sergiusz

6/1/23, 11:38 AM

Can you clarify your question? Do you use ingress or not?

Dzmitry Lazerka

6/7/23, 10:52 AM

@Sergiusz Sure, sorry. I meant we don't use k8s to manage SSL certificates. We were trying to use namespaced Ingress with them. It seems like if we use Ingress, we can only use K8S-managed certificates, not Google-managed.

Sergiusz

6/9/23, 10:53 AM

Can you edit your question with more in-depth description of your setup? Which services are you using and what kind of solution you want to implement.

Dzmitry Lazerka

6/9/23, 11:40 AM

Sure, done, see UPDATE

Score:2

Server

Sergiusz

6/10/23, 7:53 AM

This has been suggested, but is currently not supported, you can see the progress here.
It is possible to sync secrets across namespaces using cert-manager but this only works for wildcard certificates.
You would have to move the ingress into the default namespace or use a different certificate provider.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to use ManagedCertificate in namespaced Ingress

TH: วิธีใช้ ManagedCertificate ใน Ingress แบบเนมสเปซ

RO: Cum să utilizați ManagedCertificate în Ingress cu spațiu de nume

RU: Как использовать ManagedCertificate в Ingress с пространством имен

VI: Cách sử dụng ManagedCertificate trong Ingress không gian tên

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.