I'm trying ASM (Anthos Service Mesh) to create a service mesh in GKE.
I'm looking at the following steps, but do we need to use a self-signed certificate here?
In the following steps, you generate and install a certificate (as a Kubernetes secret resource) that enables the GFE to establish a TLS connection to the service mesh's ingress gateway. https://cloud.google.com/architecture/exposing-service-mesh-apps-through-gke-ingress/deployment#install_the_self-signed_ingress_gateway_certificate
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: asm-ingressgateway
  namespace: asm-ingress
spec:
  selector:
    asm: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*" # IMPORTANT: Must use wildcard here when using SSL, see note below
    tls:
      mode: SIMPLE
      credentialName: edge2mesh-credential # <- HERE
```
It would be easier to manage if I could replace it with the GKE ManagedCertificate or the GCP Managed SSL Certificate.
The GKE mode is Autopilot, so we can't use ASM Gateway. It seems ASM Gateway can use `networking.gke.io/pre-shared-certs: $GCP_COMPUTE_MANAGED_SSL_CERTIFICATE`.
ref: https://cloud.google.com/service-mesh/docs/managed/service-mesh-cloud-gateway
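For reference, here is the self-signed path the linked guide takes, written as an added example (not the guide's own script): generate a key and certificate whose SAN covers the ingress hostname, check that the certificate actually matches that hostname and has not expired, and render the `kubernetes.io/tls` Secret that `credentialName: edge2mesh-credential` points at. The hostname `frontend.example.com` and the output directory are assumptions; the Secret must live in the gateway's namespace (`asm-ingress`), since Istio resolves `credentialName` there.

```shell
#!/bin/sh
# Added example, not from the linked guide. Requires openssl (1.1.1+ for -addext).
set -eu

# Generate a self-signed key/cert for the ingress gateway.
# $1 = hostname the GFE will connect to, $2 = output directory
make_gateway_cert() {
  host="$1"; dir="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=${host}" -addext "subjectAltName=DNS:${host}" \
    -keyout "${dir}/tls.key" -out "${dir}/tls.crt" 2>/dev/null
}

# Return 0 only if the cert's SAN matches the hostname and it is not expired.
# A cert that fails either check would be installed silently and only break
# at the load balancer's first TLS handshake, so check it before creating the Secret.
check_gateway_cert() {
  host="$1"; dir="$2"
  openssl x509 -in "${dir}/tls.crt" -noout -checkhost "${host}" \
    | grep -q "does match" &&
  openssl x509 -in "${dir}/tls.crt" -noout -checkend 0 >/dev/null
}

# Render the Secret manifest the Gateway's credentialName refers to.
# $1 = secret name (edge2mesh-credential), $2 = namespace (asm-ingress), $3 = dir
render_tls_secret() {
  name="$1"; ns="$2"; dir="$3"
  crt=$(base64 < "${dir}/tls.crt" | tr -d '\n')
  key=$(base64 < "${dir}/tls.key" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: kubernetes.io/tls
data:
  tls.crt: ${crt}
  tls.key: ${key}
EOF
}

# Usage (assumed hostname and directory):
#   d=$(mktemp -d); make_gateway_cert frontend.example.com "$d"
#   check_gateway_cert frontend.example.com "$d" && \
#     render_tls_secret edge2mesh-credential asm-ingress "$d" | kubectl apply -f -
```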