Adding certificate to internal load balancer in GCP


I have tried a lot to look for a solution, but I am not able to find one. I have my root domain example.com in AWS; we are on a hybrid cloud. We have a service running in GKE. Now we have set up a VPN and we want to access the website over the VPN, which we have done. Now all the internal load balancers that we have can be accessed over the internal load balancer using HTTP via the VPN. Now we want to add a certificate on top of the internal load balancer, GCP-managed or TLS.

Here is my Ingress, which creates my LB, but the certificate does not seem to be valid and the challenge is not resolving. What are the ways that I can use to add a certificate to the internal load balancer?

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
    kubernetes.io/ingress.regional-static-ip-name: something-internal
    cert-manager.io/cluster-issuer: "letsencrypt"
    kubernetes.io/tls-acme: "true"
    acme.cert-manager.io/http01-edit-in-place: "true"
  labels:
    app.kubernetes.io/instance: name
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: name
    helm.sh/chart: something-0.27.0
  name: something-internal
  namespace: vault
spec:
  rules:
  - host: something.internal.example.com
    http:
      paths:
      - backend:
          service:
            name: service
            port:
              number: port   # placeholder as posted; must be the Service's integer port
        path: /
        pathType: Prefix
  # tls must sit at the same indentation as rules (it was indented one space deeper as posted,
  # which is invalid YAML under spec)
  tls:
  - secretName: something-internal-tls
    hosts:
    - something.internal.example.com

Answer by Srividya:

Google-managed SSL certificates aren't supported for internal HTTP(S) load balancers currently. You can refer to this documentation.

You can actually consider this to manage and store SSL certificates as secrets using Google Cloud Secret Manager.

You can also consider this workaround if you really want to use a Google-managed certificate with an Internal HTTP(S) load balancer configuration by uploading an SSL certificate from a certificate authority (CA). Please follow the steps below:

  1. Use or generate a self-signed certificate or the acquired SSL certificate from a CA. If you prefer a CA, you must follow the guide/steps on how to obtain a certificate.

  2. Using your GCP Console or the "gcloud" command, go to your Internal HTTP(S) Load Balancer's configuration. It has an option to upload the SSL certificate and input other details (certificate and private key).

  3. Set up your load balancer (Internal HTTP(S)) with your preferred backend services and health checks. Make sure that your SSL settings are configured to enable HTTP(S) traffic.
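The three steps above as one script, added here as an illustration and not part of the answer or the original post. It generates a self-signed certificate whose SAN matches the hostname from the question's Ingress (something.internal.example.com), checks the SAN before anything is uploaded, then feeds the same PEM pair to both places a GKE internal ingress can take it from: the Kubernetes TLS secret the Ingress already names in spec.tls (something-internal-tls in namespace vault), and a regional Compute Engine SSL certificate for the internal HTTP(S) load balancer's target HTTPS proxy (step 2 via gcloud). The region, the regional certificate name and the "apply" argument are assumptions; openssl, kubectl and gcloud are assumed to be installed and authenticated. Only the openssl steps run without arguments.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Assumes openssl, kubectl
# and gcloud are installed and authenticated. HOST, NAMESPACE and SECRET_NAME come
# from the Ingress in the question; REGION and CERT_NAME are assumptions.
set -eu

HOST="something.internal.example.com"   # spec.rules[].host / spec.tls[].hosts[] in the Ingress
NAMESPACE="vault"                        # namespace of the Ingress
SECRET_NAME="something-internal-tls"    # spec.tls[].secretName in the Ingress
REGION="${REGION:-us-central1}"          # assumption: region of the internal LB
CERT_NAME="${CERT_NAME:-something-internal-cert}"  # assumption: regional cert name

# Step 1: self-signed certificate for the internal hostname. Clients validate the
# subjectAltName, not the CN alone, so the SAN extension is the part that matters.
gen_self_signed_cert() {
  host="$1"; outdir="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$outdir/tls.key" -out "$outdir/tls.crt" 2>/dev/null
  chmod 600 "$outdir/tls.key"
}

# Check before uploading anywhere: does the certificate's SAN list contain the host?
# Returns 0 if it does, 1 otherwise.
check_cert_san() {
  cert="$1"; host="$2"
  openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host"
}

# Kubernetes path: the Ingress references this secret via spec.tls, and the GKE
# ingress controller provisions the LB's certificate from it.
create_tls_secret() {
  outdir="$1"
  kubectl -n "$NAMESPACE" create secret tls "$SECRET_NAME" \
    --cert="$outdir/tls.crt" --key="$outdir/tls.key" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# gcloud path (the answer's step 2): upload the same pair as a regional certificate,
# which is what an internal HTTP(S) load balancer's HTTPS proxy can reference.
upload_regional_cert() {
  outdir="$1"
  gcloud compute ssl-certificates create "$CERT_NAME" \
    --certificate="$outdir/tls.crt" --private-key="$outdir/tls.key" \
    --region="$REGION"
}

# Only touch the cluster and the project when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
  work="$(mktemp -d)"
  gen_self_signed_cert "$HOST" "$work"
  check_cert_san "$work/tls.crt" "$HOST" || { echo "SAN does not contain $HOST" >&2; exit 1; }
  create_tls_secret "$work"
  upload_regional_cert "$work"
  echo "certificate installed as secret $NAMESPACE/$SECRET_NAME and regional cert $CERT_NAME"
fi
```

Two caveats when using this with the Ingress from the question. First, remove the cert-manager annotations (cert-manager.io/cluster-issuer, kubernetes.io/tls-acme, acme.cert-manager.io/http01-edit-in-place) if you populate the secret by hand; otherwise cert-manager keeps trying the ACME HTTP-01 challenge, which cannot succeed for a hostname that is only reachable over the VPN, since Let's Encrypt's validators must fetch the challenge over the public internet, and it may overwrite the secret. Second, a self-signed certificate is only useful once the clients trust it: either distribute tls.crt to the VPN clients' trust stores or sign the leaf with an internal CA that they already trust.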