Enabling HTTPS and automatic TLS certificates

This page shows how to turn on the automatic TLS certificates feature so it automatically provides TLS certificates and enables HTTPS connections using those TLS certificates. Note that the automatic TLS feature is turned off by default for Cloud Run for Anthos on Google Cloud.

This page does not apply to Cloud Run (fully managed), which has the automatic TLS certificates ability built-in.

If you experience issues setting up or using this feature, refer to the automatic TLS troubleshooting page.


The following considerations apply to the use of the automatic TLS feature:

  • This feature is not supported for GKE private clusters.
  • To use the automatic TLS feature, your service must be exposed externally: it cannot be a cluster-local service.
  • The automatic TLS feature only works with Istio as automatically installed when you set up your cluster for Cloud Run: it does not work with the Istio addon. If you need to use the Istio addon, you may need to use your own TLS certificates.
  • This feature uses LetsEncrypt, which has an initial quota limit of 50 TLS certificates per week per registered domain. You can ask for a quota increase by following the LetsEncrypt documentation.

Before you begin

The instructions on this page assume the following:

Supported cluster versions

The following cluster versions and greater support the auto TLS feature:

  • 1.15.7-gke.23
  • 1.14.10-gke.17
  • 1.14.9-gke.23
  • 1.14.8-gke.33

To determine what your current cluster version is:

  1. Visit the Google Kubernetes Engine page in the Cloud Console:

    Go to Google Kubernetes Engine

  2. Click on the cluster to open its detail page.

  3. Locate the cluster version next to the label Master version.

Enabling automatic TLS certificates and HTTPS

To enable auto TLS:

  1. If you haven't already done so, create a domain mapping for your service and update your DNS record accordingly following the instructions at the domains mapping page.

  2. Turn on auto TLS certificates and HTTPS by updating the ConfigMap config-domainmapping:

    kubectl patch cm config-domainmapping -n knative-serving -p '{"data":{"autoTLS":"Enabled"}}'
  3. Wait for a few minutes after the command succeeds, then make sure the certificates feature is working:

    kubectl get kcert

    If the certificate is ready, you should see a message similar to this one:

    NAME              READY   REASON
    example.com       True

    It may take from 20 seconds to 2 minutes for the Kcert to become ready. If you experience any issues, see the troubleshooting instructions for this feature.

Verifying success

  1. Verify that the DNS record has gone into effect by running the command:

    gcloud run domain-mappings describe --domain=DOMAIN

    Replace DOMAIN with your own domain name, for example: host example.com

  2. Check the url: field in the return from the above command: the URL should have https, not http.

  3. Check the IP address from the above command, listed under resourceRecords:rrdata, and compare it to the value you see when you execute the command host DOMAIN. They should be the same.

Disabling automatic TLS for a specific domain mapping

You can turn off auto TLS for a specific domain mapping:

  1. Add the annotation domains.cloudrun.com/disableAutoTLS: "true"`:

    kubectl annotate domainmappings DOMAIN domains.cloudrun.com/disableAutoTLS=true
  2. Verify that HTTPS does not work:

    curl https://DOMAIN

  3. Verify that HTTP is being used for the service:

    gcloud run domain-mappings describe --domain=DOMAIN

    Replace DOMAIN with your own domain name, for example: host example.com

    Check the url: field in the return from the above command: the URL should have http, not https.

What's next

  • Troubleshooting auto TLS for details on checking domain mappings, certificate quotas, order status and order timeouts, and authorization failures.
  • Bring your own TLS certificates for instructions on using your own TLS certificates instead of the automatic TLS certificates.