This page describes how to configure Cloud Run for Anthos on Google Cloud to use your SSL/TLS certificate for your domain to enable HTTPS connections.
Before you begin
These instructions assume that you already completed mapping your Cloud Run for Anthos on Google Cloud service to use your custom domain.
Obtaining an SSL/TLS certificate using certbot
If you already have the SSL/TLS certificates you need, skip these instructions.
If you don't have an existing SSL/TLS certificate, you can use certbot to obtain a certificate manually:
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help
Use certbot to request a certificate with DNS validation. certbot walks you through proving ownership of your domain by creating TXT records in its DNS zone:
./certbot-auto certonly --manual --preferred-challenges dns -d '*.default.yourdomain.com'
After certbot completes, you have two output files, privkey.pem and fullchain.pem. These files are used when you import the TLS certificate and private key into a Kubernetes Secret.
Importing TLS certificate/private key into a Kubernetes Secret
To import the certificates into a Secret:
Copy the certificates into your current directory.
Use the following command to create a Secret that stores the certificates, where privkey.pem contains your certificate's private key and fullchain.pem contains the public certificate chain:
kubectl create --namespace NAMESPACE secret tls ISTIO-GATEWAY-certs \
  --key privkey.pem \
  --cert fullchain.pem
Replace ISTIO-GATEWAY and NAMESPACE as follows:
Cluster version ISTIO-GATEWAY NAMESPACE
All other versions
You must use ISTIO-GATEWAY-certs as the Secret name, as shown in the example: the ingress gateway pods mount a Secret of that name at /etc/istio/ingressgateway-certs, which is the path the gateway spec refers to.
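Before creating the Secret it is worth confirming that the private key really belongs to the leaf certificate, that the certificate covers the wildcard host the gateway serves, and that it is not about to expire. The following shell function runs those checks with openssl; it is an added example and not part of this page or of Cloud Run for Anthos, and the function name preflight_tls and the 14-day renewal threshold are assumptions.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a key/certificate pair before it goes into the
# ISTIO-GATEWAY-certs Secret. Returns 0 when every check passes.
# Usage: preflight_tls privkey.pem fullchain.pem '*.default.yourdomain.com' [min_days]
preflight_tls() {
  local key="$1" cert="$2" domain="$3" min_days="${4:-14}"
  local key_pub cert_pub cert_count

  # 1. The private key must belong to the first (leaf) certificate in the
  #    chain: derive the public key from each side and compare. This works
  #    for RSA and EC keys alike, unlike a modulus comparison.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "unreadable private key: $key" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "unreadable certificate: $cert" >&2; return 1; }
  if [ "$key_pub" != "$cert_pub" ]; then
    echo "private key does not match the leaf certificate in $cert" >&2
    return 1
  fi

  # 2. The leaf must carry an exact SAN entry for the host the gateway
  #    serves; a substring match would accept look-alike names.
  if ! openssl x509 -in "$cert" -noout -text | tr ',' '\n' \
       | sed 's/^ *//' | grep -qFx "DNS:${domain}"; then
    echo "certificate has no SAN entry for ${domain}" >&2
    return 1
  fi

  # 3. Refuse a certificate that expires within min_days (certbot
  #    certificates are valid for 90 days, so this catches stale files).
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)); then
    echo "certificate expires within ${min_days} days; renew it first" >&2
    return 1
  fi

  # 4. fullchain.pem should include the intermediate CA certificate(s);
  #    a bare leaf leaves clients unable to build the chain at the gateway.
  cert_count=$(grep -c 'BEGIN CERTIFICATE' "$cert")
  if [ "$cert_count" -lt 2 ]; then
    echo "warning: $cert holds a single certificate; include the CA chain" >&2
  fi
  return 0
}
```

Run it as `preflight_tls privkey.pem fullchain.pem '*.default.yourdomain.com' && kubectl create ...` so the Secret is only created when the checks pass.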
Configuring the gateway
You must configure the ingress gateway spec to use the new secret that contains the certificate.
To configure the gateway:
Open the shared gateway spec for editing:
kubectl edit gateway GATEWAY --namespace knative-serving
Replace GATEWAY as follows:
Cluster version GATEWAY
All other versions
Change the gateway spec to include the tls: section as shown below:
# Edit the object below. Lines beginning with a # will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  # ... skipped ...
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "*"
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - "*"
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
Save your changes.
After this change, you can use the HTTPS protocol to access your deployed services.