This page describes how to configure Cloud Run on GKE to use your SSL/TLS certificate for your domain to enable HTTPS connections.
Before you begin
These instructions assume that you already completed mapping your Cloud Run on GKE service to use your custom domain.
Obtaining an SSL/TLS certificate using certbot
If you already have the SSL/TLS certificates you need, skip these instructions.
If you don't have an existing SSL/TLS certificate, you can use certbot to obtain a certificate manually:
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help
Use certbot to request a certificate with DNS validation. The certbot tool walks you through proving that you own the domain by creating TXT records in your domain's DNS zone:
./certbot-auto certonly --manual --preferred-challenges dns -d '*.default.yourdomain.com'
After certbot completes, you have two output files, privkey.pem and fullchain.pem. You use these files when you import the TLS certificate and private key into a Kubernetes Secret.
Importing TLS certificate/private key into a Kubernetes Secret
To import the certificates into a Secret:
Copy the certificates into your current directory.
Use the following command to create a Secret that stores the certificates:
kubectl create --namespace istio-system secret tls istio-ingressgateway-certs \
  --key privkey.pem \
  --cert fullchain.pem
privkey.pem contains your certificate's private key
fullchain.pem contains the public certificate chain
You must use istio-ingressgateway-certs as the Secret name, as shown in the example: the Istio ingress gateway mounts a Secret of that name from the istio-system namespace at /etc/istio/ingressgateway-certs, which is the path the gateway spec references in the next section.
Configuring the gateway
You must configure the knative-ingress-gateway Gateway spec to use the new Secret that contains the certificate.
To configure the gateway:
Open the shared gateway spec for editing:
kubectl edit gateway knative-ingress-gateway --namespace knative-serving
Change the gateway spec to include the tls: section as shown below:
# Edit the object below. Lines beginning with a # will be ignored.
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  # ... skipped ...
spec:
  selector:
    knative: ingressgateway
  servers:
  - hosts:
    - "*"
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - "*"
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
Save your changes.
After this change, you can use the HTTPS protocol to access your deployed services.
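To confirm that the Secret and the Gateway agree with each other before testing HTTPS, here is an added Python check (not part of the original page or of the Cloud Run, Knative or Istio projects). It inspects the two objects as parsed JSON, such as the output of `kubectl get secret istio-ingressgateway-certs -n istio-system -o json` and `kubectl get gateway knative-ingress-gateway -n knative-serving -o json`; the sample objects embedded below are constructed to mirror the page's configuration, with placeholder data values.

```python
# Fixed by the procedure above: the Istio ingress gateway mounts the Secret
# istio-ingressgateway-certs (namespace istio-system) at MOUNT_PATH.
SECRET_NAME = "istio-ingressgateway-certs"
SECRET_NAMESPACE = "istio-system"
MOUNT_PATH = "/etc/istio/ingressgateway-certs"

def check_tls_setup(gateway, secret):
    """Return findings for parsed `kubectl get ... -o json` objects; [] means OK."""
    findings = []
    meta = secret.get("metadata", {})
    if (meta.get("name"), meta.get("namespace")) != (SECRET_NAME, SECRET_NAMESPACE):
        findings.append("Secret must be %s/%s, found %s/%s" % (
            SECRET_NAMESPACE, SECRET_NAME, meta.get("namespace"), meta.get("name")))
    if secret.get("type") != "kubernetes.io/tls":
        findings.append("Secret type must be kubernetes.io/tls (kubectl create secret tls)")
    for key in ("tls.crt", "tls.key"):  # the file names the gateway spec points at
        if key not in secret.get("data", {}):
            findings.append("Secret is missing data key %s" % key)
    servers = gateway.get("spec", {}).get("servers", [])
    https = [s for s in servers if s.get("port", {}).get("protocol") == "HTTPS"]
    if not https:
        findings.append("Gateway has no HTTPS server; add the port 443 block")
    expected = {"privateKey": MOUNT_PATH + "/tls.key",
                "serverCertificate": MOUNT_PATH + "/tls.crt"}
    for srv in https:
        tls = srv.get("tls", {})
        if tls.get("mode") != "SIMPLE":
            findings.append("HTTPS tls.mode must be SIMPLE, found %r" % tls.get("mode"))
        for field, path in expected.items():
            if tls.get(field) != path:
                findings.append("HTTPS tls.%s must be %s, found %r"
                                % (field, path, tls.get(field)))
    return findings

# Constructed sample Secret and Gateway mirroring the page (placeholder data, not key material).
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": SECRET_NAME, "namespace": SECRET_NAMESPACE},
    "data": {"tls.crt": "PLACEHOLDER_BASE64", "tls.key": "PLACEHOLDER_BASE64"}}
SAMPLE_GATEWAY = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "Gateway",
    "metadata": {"name": "knative-ingress-gateway", "namespace": "knative-serving"},
    "spec": {"selector": {"knative": "ingressgateway"}, "servers": [
        {"hosts": ["*"], "port": {"name": "http", "number": 80, "protocol": "HTTP"}},
        {"hosts": ["*"], "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
         "tls": {"mode": "SIMPLE", "privateKey": MOUNT_PATH + "/tls.key",
                 "serverCertificate": MOUNT_PATH + "/tls.crt"}}]}}

if __name__ == "__main__":
    print("\n".join(check_tls_setup(SAMPLE_GATEWAY, SAMPLE_SECRET) or ["OK"]))
```

To run it against a live cluster, load the two `kubectl ... -o json` outputs with `json.load` and pass them to `check_tls_setup` in place of the samples.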