
TL;DR

I had one Kubernetes service exposed on three clusters via two different gateway flavours. Two clusters used an Istio Gateway with TLS terminated in-pod, where cert-manager handed it a wildcard cert via a regular Secret. The third used a GKE-managed Gateway (gatewayClassName: gke-l7-global-external-managed), where TLS terminates at a Google Cloud Load Balancer that does not read Kubernetes Secrets. For that one I had to use Google Certificate Manager with a DNS-01 authorisation, then point the Gateway at the resulting cert map via a networking.gke.io/certmap annotation. cert-manager does not fit this path.
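As an added example (not the post's own manifests), here are the Certificate Manager steps and the GKE Gateway that consumes the resulting cert map; the domain, resource names, backend Service and port are placeholders I made up.

```yaml
# Prerequisites, run once with gcloud (names are assumed):
#   gcloud certificate-manager dns-authorizations create example-com-authz \
#       --domain="example.com"
#   gcloud certificate-manager dns-authorizations describe example-com-authz
#     -> prints the CNAME record (_acme-challenge.example.com -> ...) to add
#        to DNS; keep it in place, Certificate Manager re-validates on renewal.
#   gcloud certificate-manager certificates create example-com-wildcard \
#       --domains="example.com,*.example.com" \
#       --dns-authorizations=example-com-authz
#   gcloud certificate-manager maps create example-com-map
#   gcloud certificate-manager maps entries create example-com-wildcard-entry \
#       --map=example-com-map --certificates=example-com-wildcard \
#       --hostname="*.example.com"
#
# The Gateway names the map in an annotation; the HTTPS listener carries no
# certificateRefs because the Google Cloud Load Balancer, not a pod, terminates TLS.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: external-https
  annotations:
    networking.gke.io/certmap: example-com-map
spec:
  gatewayClassName: gke-l7-global-external-managed
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate   # no certificateRefs: the cert comes from the map
    allowedRoutes:
      namespaces:
        from: Same
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: app
spec:
  parentRefs:
  - name: external-https
  hostnames:
  - "app.example.com"   # covered by the *.example.com map entry above
  rules:
  - backendRefs:
    - name: app         # assumed Service name
      port: 8080        # assumed Service port
```

Until the map entry shows ACTIVE in `gcloud certificate-manager maps entries describe`, the listener has no certificate to serve, so check the certificate state before switching DNS to the new address.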
