
Google Managed Certificates

Overview

When deploying an application on Google Cloud Platform, it is often necessary to secure it with a TLS certificate. Google Cloud Platform provides a service called Google Managed Certificates that can be used to create and manage TLS certificates for applications running on Google Cloud Platform.

Using a Google managed certificate can be a convenient way to secure a website hosted on Google Cloud Platform. This tutorial will walk you through the steps to create a Google managed certificate and apply it to a load balancer.

Prerequisites

Google Cloud Load Balancer

This tutorial assumes that you are deploying your application behind Google Cloud Load Balancer. This can be either for use with a GKE cluster, or a standalone deployment in something like Cloud Storage or Cloud Run.

IP Address and Domain Names

To create a Google managed certificate, you will need to have a static IP address attached to your load balancer, and you will need to have IT map a domain name to your IP address.

You can either use an existing IP address, or you can create a new one. If you need to create a new IP address, you can use the following command:

gcloud compute addresses create myproject-jax-org --global

Once you have a static IP address and a domain name mapped to that IP address, you can create a Google managed certificate.

Creating a Google Managed Certificate

To create a Google managed certificate, you can use the Console Web UI, the gcloud command line tool, or the kubectl command line tool with GKE when GCP Config Connector is enabled.

For an Existing Load Balancer Separate from GKE

Using the Console Web UI

  1. Navigate to the Google Cloud Console.
  2. Select the project that you want to create the certificate in.
  3. Navigate to the Network Services page.
  4. Select the load balancer that you want to create the certificate for.
  5. Click the Edit button.
  6. Click the Frontend configuration tab.
  7. Select the frontend that you want to create the certificate for. The frontend should look like a box with text similar to Protocol: HTTPS, IP: 34.107.136.155, Port: 443 with a trash icon and a caret dropdown icon on the right side.

    Warning

    If you have not already created a frontend, you will need to create one. The frontend should be configured to use HTTPS, have a static IP address, and have a domain name mapped to the static IP address.

  8. Click the Certificate dropdown.

    1. If the load balancer already has a certificate, you can click the "Additional certificates" button, then the "+ Add Certificate" button to add a new certificate.
  9. If you already have a Google Managed Certificate you want to use, you can select it from the dropdown and skip steps 10 through 13. Otherwise, click the Create a new certificate button.
  10. Enter a name for the certificate. Make sure that the name is descriptive enough that you will be able to identify it later. It is also best practice to include a two digit increment number at the end of the name. For example, if you are creating a certificate for myproject on the jax.org domain, you would name it myproject-jax-org-01.
  11. Under "Create Mode" select "Create Google-managed certificate".
  12. For each domain that you need to support, add an item in the "Domains" section. For example: you might add myproject.jax.org, myproject-staging.jax.org, myproject-sqa.jax.org and myproject-dev.jax.org each as a domain.
  13. Click the Create button. The sidebar will close, and you will see the new certificate selected in the dropdown.
  14. Click the Done button at the bottom of the Frontend Configuration box. This will close the Frontend Configuration box.
  15. Click the Update button at the bottom left of the page to apply your changes to the load balancer.

Using the gcloud Command Line Tool

Coming Soon

For an Ingress Load Balancer through GKE

If you are using GKE, you can use the kubectl command line tool with GCP Config Connector enabled to create a Google managed certificate. This will create a Google managed certificate resource in GCP that can be used by a GCE Ingress resource in GKE.

Using kubectl with GCP Config Connector

For each domain you want to include in the certificate, you will need to already have DNS mapped to the static IP address used by your load balancer. You will need to create a separate certificate for each load balancer you have.

Example

For example, if you have a load balancer for your sqa environment, you will need to create a certificate for that load balancer. If you also have a load balancer for your dev environment, you will need to create a certificate for that too! If you follow the "standard four" environment pattern, you will need to create (at least) four certificates.

  1. Create a YAML file that holds the definition of your ManagedCertificate. For example, in the SIP/GeDI/MPD ecosystem we created the following file for the sqa ingress:
    managed-cert-sqa.yaml
    apiVersion: networking.gke.io/v1
    kind: ManagedCertificate
    metadata:
      name: managed-cert-sqa-02
    spec:
      domains:
        - divdb-sqa.jax.org
        - studyintake-sqa.jax.org
        - phenome-sqa.jax.org
        - mpd-sqa.jax.org
    
  2. Create the ManagedCertificate resource using the kubectl command line tool:
    kubectl apply -n $NAMESPACE -f managed-cert-sqa.yaml
    
  3. Create (or update) an Ingress resource that uses the ManagedCertificate resource. For example, in the SIP/GeDI/MPD ecosystem we created the following file for the sqa ingress.

    Since we already had an Ingress resource, we first added the new lines (the networking.gke.io/managed-certificates annotation) to the existing Ingress resource, without removing the existing self-managed certificates (the items in the tls section).

    ingress-sqa.yaml
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
     name: ingress-sqa-01
     annotations:
       kubernetes.io/ingress.global-static-ip-name: ingress-ip-sqa-01
       kubernetes.io/force-ssl-redirect: "true"
       networking.gke.io/managed-certificates: managed-cert-sqa-02
       kubernetes.io/ingress.class: "gce"
    spec:
     tls:
     - secretName: divdb-tls
     - secretName: sip-tls
     - secretName: phenome-tls
     - secretName: mpd-tls
     rules:
     - host: divdb-sqa.jax.org
       ...
     - host: studyintake-sqa.jax.org
       ...
     - host: phenome-sqa.jax.org
       ...
     - host: mpd-sqa.jax.org
       ...
    

    After adding those lines, we updated the resource using the kubectl command line tool:

    kubectl apply -n $NAMESPACE -f ingress-sqa.yaml
    
  4. Once you have created the ManagedCertificate resource and updated the Ingress resource, you can verify that the certificate is active by running the following command:

     kubectl describe managedcertificate -n sqa managed-cert-sqa-02
    

    If you run this command, you should see Certificate Status: Active, and under Domain Status a Status: Active entry for each domain you included in the certificate.

    kubectl describe managedcertificate -n sqa managed-cert-sqa-02 | grep Active
    

  5. If you were updating from a self-managed certificate, once the Google managed certificate is active you can remove the self-managed certificates (the tls section) from the Ingress definition:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
     name: ingress-sqa-01
     annotations:
       kubernetes.io/ingress.global-static-ip-name: ingress-ip-sqa-01
       kubernetes.io/force-ssl-redirect: "true"
       networking.gke.io/managed-certificates: managed-cert-sqa-02
       kubernetes.io/ingress.class: "gce"
    spec:
     rules:
     - host: divdb-sqa.jax.org
       ...
     - host: studyintake-sqa.jax.org
       ...
     - host: phenome-sqa.jax.org
       ...
     - host: mpd-sqa.jax.org
       ...
    

    Warning

    If you delete the self-managed certificate before the Google managed certificate is active, you will have downtime for your application.

    After removing the tls settings, we again updated the resource using the kubectl command line tool:

    kubectl apply -n $NAMESPACE -f ingress-sqa.yaml