Enabling HTTPS on a Cloud Run on GKE cluster

This page describes how to configure Cloud Run on GKE to use your SSL/TLS certificate for your domain to enable HTTPS connections.

Before you begin

These instructions assume that you already completed mapping your Cloud Run on GKE service to use your custom domain.

Obtaining an SSL/TLS certificate using Let's Encrypt

If you already have the SSL/TLS certificates you need, skip these instructions.

If you don't have an existing SSL/TLS certificate, you can use the Let's Encrypt certbot to obtain a certificate manually:

  1. Install the certbot-auto script from the Certbot website on your local machine or in a Cloud Shell machine in your project:

    wget https://dl.eff.org/certbot-auto
    chmod a+x ./certbot-auto
    ./certbot-auto --help
  2. Use certbot to request a certificate using DNS validation. The tool walks you through proving ownership of the domain by creating TXT records in its DNS zone:

    ./certbot-auto certonly --manual --preferred-challenges dns -d '*.default.yourdomain.com'
  3. After certbot completes, you have two output files, privkey.pem and fullchain.pem. These files are used when you import a TLS certificate/private key into a Kubernetes Secret.

Importing TLS certificate/private key into a Kubernetes Secret

To import the certificates into a Secret:

  1. Copy the certificates into your current directory.

  2. Use the following command to create a Secret that stores the certificates:

    kubectl create --namespace istio-system secret tls istio-ingressgateway-certs \
    --key privkey.pem \
    --cert fullchain.pem

    Where

    • privkey.pem contains your certificate private key
    • fullchain.pem contains the public certificate

    You must use istio-ingressgateway-certs as the Secret name, as shown in the example: the Istio ingress gateway mounts a Secret with that name at /etc/istio/ingressgateway-certs, and kubectl create secret tls stores the files under the keys tls.key and tls.crt, which is the path and file names the gateway spec refers to.
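Before running the kubectl create command above, it is worth confirming that the private key belongs to the certificate, that the certificate covers the host your domain mapping uses, and that it is not about to expire; a mismatched or wrong-name pair is only discovered later as a TLS handshake failure. The following POSIX shell script is an added example, not part of the Cloud Run documentation; it assumes openssl and kubectl are on PATH and reuses the file, Secret and namespace names from this page.

```shell
#!/bin/sh
# Added pre-flight checks for the Secret import step (example code, not from the
# Cloud Run docs). Assumes openssl and kubectl are on PATH; file names and the
# Secret name/namespace are the ones the page uses.

# Print "ok" if the private key's public half equals the certificate's public key,
# otherwise "mismatch". The gateway cannot serve TLS with a key that does not
# belong to the certificate.
cert_key_match() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  if [ "$key_pub" = "$cert_pub" ]; then echo ok; else echo mismatch; fi
}

# Print the DNS names the certificate is valid for: SAN DNS entries plus the subject CN.
cert_names() {
  openssl x509 -in "$1" -noout -text | awk '
    /Subject Alternative Name/ { getline; gsub(/DNS:|,/, " "); print }
    /Subject:/ { if (match($0, /CN ?= ?[^,]+/)) {
                   s = substr($0, RSTART, RLENGTH); sub(/^CN ?= ?/, "", s); print s } }'
}

# Succeed if the certificate covers the host exactly or via a one-label wildcard
# (e.g. *.default.yourdomain.com covers app.default.yourdomain.com but not a.b.default.yourdomain.com).
cert_covers_host() {
  cert="$1"; host="$2"; parent="${host#*.}"
  cert_names "$cert" | tr ' ' '\n' | grep -qxF -e "$host" -e "*.$parent"
}

# Run the checks, then create the Secret exactly as the page does.
import_tls_secret() {
  key="$1"; cert="$2"; host="$3"
  [ "$(cert_key_match "$key" "$cert")" = ok ] || { echo "private key does not match certificate" >&2; return 1; }
  cert_covers_host "$cert" "$host" || { echo "certificate does not cover $host" >&2; return 1; }
  # -checkend fails if the certificate expires within 30 days (2592000 s); Let's Encrypt certs last 90.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || { echo "certificate expires within 30 days" >&2; return 1; }
  kubectl create --namespace istio-system secret tls istio-ingressgateway-certs \
    --key "$key" --cert "$cert"
}

# Usage: sh import-tls.sh import app.default.yourdomain.com (nothing runs when only sourced).
if [ "${1:-}" = "import" ]; then
  import_tls_secret privkey.pem fullchain.pem "$2"
fi
```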

Configuring the gateway

You must configure the knative-ingress-gateway gateway spec to use the new Secret that contains the certificate.

To configure the gateway:

  1. Open the shared gateway spec for editing:

    kubectl edit gateway knative-ingress-gateway --namespace knative-serving
  2. Change the gateway spec to include the tls: section as shown below:

    # Edit the object below. Lines beginning with a # will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      # ... skipped ...
    spec:
      selector:
        knative: ingressgateway
      servers:
      - hosts:
        - "*"
        port:
          name: http
          number: 80
          protocol: HTTP
      - hosts:
        - "*"
        port:
          name: https
          number: 443
          protocol: HTTPS
        tls:
          mode: SIMPLE
          privateKey: /etc/istio/ingressgateway-certs/tls.key
          serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

  3. Save your changes.

After this change, you can use the HTTPS protocol to access your deployed services.
