This is the Archived version of the documentation. The free trial period ended on Sept. 30, 2021.

See the GA version documentation for details about installing Cloud Run for Anthos as an Anthos fleet component with Anthos Service Mesh.

Available versions

Latest
Archive

Using your own TLS certificates

This page describes how to set up Cloud Run for Anthos to use your own SSL/TLS certificate, for those cases where you don't want to use the managed TLS certificates feature.

Istio Ingress Gateway can support the TLS protocol provided from your certificate after you store your certificate into a Kubernetes Secret and specify it in the Istio Ingress Gateway spec.

Before you begin

These instructions assume that you already have your own TLS certificates.

Storing TLS certificate/private key into a Kubernetes Secret

To store the certificates into a Secret:

Copy the certificates into your current directory.
Use the following command to create a Secret that stores the certificates, where privkey.pem contains your certificate private key and fullchain.pem contains the public certificate:
```
kubectl create --namespace gke-system secret tls SECRET_NAME \
  --key privkey.pem \
  --cert fullchain.pem
```

Specifying your TLS certificate to Istio Ingress Gateway

Modify the Istio Ingress Gateway spec to use the Kubernetes Secret containing your TLS certificate:

Open the shared gateway spec for editing:

kubectl edit gateway gke-system-gateway --namespace knative-serving

Specify your TLS certificate using the secret you created earlier, by adding the following section to your gateway spec:

- hosts:
  - "*"
  port:
    name: https
    number: 443
    protocol: HTTPS
  tls:
    mode: SIMPLE
    credentialName: SECRET_NAME

Your gateway spec should look like the following:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
# ... skipped ...
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
      - "*"
      port:
        name: http
        number: 80
        protocol: HTTP
    - hosts:
      - "*"
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: SECRET_NAME

If you're adding multiple TLS certificates for two different services in different namespaces, your gateway spec could look like:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
# ... skipped ...
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "*"
    port:
      name: http
      number: 80
      protocol: HTTP
  - port:
      number: 443
      name: https-SERVICE1_NAME
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: SECRET1_NAME
    hosts:
    - SERVICE1_NAME.NAMESPACE1.example.com
  - port:
      number: 443
      name: https-SERVICE2_NAME
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: SECRET2_NAME
    hosts:
    - SERVICE2_NAME.NAMESPACE2.example.com

Save your changes.

After this change, you can use the HTTPS protocol to access your deployed services.