Using your own TLS certificates

This page describes how to set up Cloud Run for Anthos on Google Cloud to use your own SSL/TLS certificate, for those cases where you don't want to use the managed TLS certificates feature.

Istio Ingress Gateway can support the TLS protocol provided from your certificate after you store your certificate into a Kubernetes Secret and specify it in the Istio Ingress Gateway spec.

Before you begin

These instructions assume that you already have your own TLS certificates.

Storing TLS certificate/private key into a Kubernetes Secret

To store the certificates into a Secret:

  1. Copy the certificates into your current directory.

  2. Use the following command to create a Secret that stores the certificates, where privkey.pem contains your certificate private key and fullchain.pem contains the public certificate:

    kubectl create --namespace gke-system secret tls SECRET_NAME \
      --key privkey.pem \
      --cert fullchain.pem
    

Specifying your TLS certificate to Istio Ingress Gateway

Modify the Istio Ingress Gateway spec to use the Kubernetes Secret containing your TLS certificate:

  1. Open the shared gateway spec for editing:

    kubectl edit gateway gke-system-gateway --namespace knative-serving
  2. Specify your TLS certificate using the secret you created earlier, by adding the following section to your gateway spec:

    - hosts:
      - "*"
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: SECRET_NAME
    

    Your gateway spec should look like the following:

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
    # ... skipped ...
    spec:
      selector:
        istio: ingressgateway
      servers:
        - hosts:
          - "*"
          port:
            name: http
            number: 80
            protocol: HTTP
        - hosts:
          - "*"
          port:
            name: https
            number: 443
            protocol: HTTPS
          tls:
            mode: SIMPLE
            credentialName: SECRET_NAME
    

    If you're adding multiple TLS certificates for two different services in different namespaces, your gateway spec could look like:

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
    # ... skipped ...
    spec:
      selector:
        istio: ingressgateway
      servers:
      - hosts:
        - "*"
        port:
          name: http
          number: 80
          protocol: HTTP
      - port:
          number: 443
          name: https-SERVICE1_NAME
          protocol: HTTPS
        tls:
          mode: SIMPLE
          credentialName: SECRET1_NAME
        hosts:
        - SERVICE1_NAME.NAMESPACE1.example.com
      - port:
          number: 443
          name: https-SERVICE2_NAME
          protocol: HTTPS
        tls:
          mode: SIMPLE
          credentialName: SECRET2_NAME
        hosts:
        - SERVICE2_NAME.NAMESPACE2.example.com
    
  3. Save your changes.

After this change, you can use the HTTPS protocol to access your deployed services.