GoogleCloudPlatform/gke-managed-certs

Adding >15 certs to GKE ingress

Closed this issue · 6 comments

I'm using managed certs (1 domain/cert) with a kubernetes ingress on GKE, and am running into the limit of not being able to add more than 15 certs to the ingress.

Is there a work around to point more than 15 domains at a GKE cluster or is that not possible using managed certs?

nd2s commented

I also just ran into this issue. Isn't there some quota one can increase?

Only allowing a single domain per certificate and then severely limiting the number of certificates is a bit strange. Domain with and without www uses up two certs already...

The quota is 15 certificates per frontend configuration for a given Google load balancer. If you add more frontend configurations, i.e. more IPv4 / IPv6 addresses, you can add additional certificates. I haven't tested this with managed certificates though.

0.4.2 / GKE 1.16.5-gke.1+ supports multi-SAN using ManagedCertificate v1beta2

It is not possible to add more than 15 certificates to a single load balancer.

This made my day. Have a great weekend

While multi-SAN support is great if you're setting up a bunch of domains all at once, there is still the issue that you cannot edit a managed cert to add additional domains after it's been created.

Per @YngveMolnes comment about adding more front end configurations, I've since been able to test this with Managed Certs and can confirm that it works.

While Google's GKE support insists that the max # of managed cert annotations that can be added to an ingress is 15, I've successfully exceeded that limit by adding additional IPs, Forwarding Rules, and Target Proxies to a cluster with a single annotated ingress.

Steps I used to get >15 managed certs on an ingress with multiple front end configurations:

  • have a GKE cluster configured with an Ingress with 15 cert annotations, with an existing HTTPS target proxy (TP) with 15 certs
  • create a new static IP
  • point DNS for your new domains to the new IP
  • create managed certs for new domains
  • get the URL map for your existing ingress, then use that to create a new HTTPS Target Proxy with the new certs
  • create a new HTTPS Forwarding Rule to map the new IP to the new HTTPS TP
  • add the additional cert annotations to the ingress yaml and apply the ingress
  • create a new global HTTP forwarding rule to facilitate the upgrade to HTTPS
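The steps above as a script, added here as an example; it is not the commenter's own tooling and not part of the gke-managed-certs project. It groups the Compute-level certificate names into batches of 15 (the per-target-proxy limit) and, for each batch, emits the gcloud commands for one extra frontend: a static IP, an HTTPS target proxy on the Ingress's existing URL map, and HTTPS/HTTP forwarding rules. The resource names (`extra-frontend-*`), the URL map and HTTP proxy names, and the `status.certificateName` lookup on the ManagedCertificate object are assumptions to be adjusted for your cluster; with the default `DRY_RUN=1` the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the thread or the gke-managed-certs project):
# build extra load-balancer frontends so a single Ingress can serve more
# than 15 Google-managed certificates. Every 15 certificates get their own
# static IP, HTTPS target proxy and forwarding rules, all reusing the URL
# map the Ingress controller already created. Names below are placeholders.
# DRY_RUN=1 (the default) prints the gcloud commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"
MAX_CERTS_PER_PROXY=15   # hard limit per target HTTPS proxy / frontend configuration
# Take these from the proxies the Ingress controller already created, e.g.
#   gcloud compute target-https-proxies describe <tp> --format='value(urlMap)'
URL_MAP="${URL_MAP:-k8s-um-default-my-ingress}"                  # assumed name
HTTP_PROXY_NAME="${HTTP_PROXY_NAME:-k8s-tp-default-my-ingress}"  # assumed name
SSL_POLICY="${SSL_POLICY:-}"   # optional: name of the SSL policy the existing proxy uses

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ManagedCertificate manifest for one domain (1 domain/cert, as in the thread).
managed_cert_manifest() {
  printf 'apiVersion: networking.gke.io/v1\nkind: ManagedCertificate\nmetadata:\n  name: %s\nspec:\n  domains:\n    - %s\n' "$1" "$2"
}

# Compute-level certificate name behind a ManagedCertificate; this is what the
# target proxy needs (assumed status field, not verified against every version).
compute_cert_name() {
  kubectl get managedcertificate "$1" -o jsonpath='{.status.certificateName}'
}

# Group certificate names (one per argument) into lines of at most
# MAX_CERTS_PER_PROXY comma-separated names: one line per new frontend.
batch_certs() {
  printf '%s\n' "$@" | awk -v n="$MAX_CERTS_PER_PROXY" '
    { buf = ((NR - 1) % n == 0) ? $0 : buf "," $0 }
    NR % n == 0 { print buf; buf = "" }
    END { if (buf != "") print buf }'
}

# Commands for the idx-th extra frontend carrying the given certificates.
frontend_commands() {
  idx="$1"; certs="$2"
  addr="extra-frontend-${idx}-ip"
  https_tp="extra-frontend-${idx}-https-tp"
  # 1. New static IP: point DNS for the new domains here before the managed
  #    certificates can be provisioned.
  run gcloud compute addresses create "$addr" --global
  # 2. New HTTPS target proxy on the Ingress's URL map with the new certs.
  #    A fresh proxy does not inherit the SSL policy of the existing one, so
  #    pass it explicitly if you enforce a minimum TLS version.
  if [ -n "$SSL_POLICY" ]; then
    run gcloud compute target-https-proxies create "$https_tp" \
      --url-map="$URL_MAP" --ssl-certificates="$certs" --ssl-policy="$SSL_POLICY"
  else
    run gcloud compute target-https-proxies create "$https_tp" \
      --url-map="$URL_MAP" --ssl-certificates="$certs"
  fi
  # 3. HTTPS forwarding rule mapping the new IP to the new proxy.
  run gcloud compute forwarding-rules create "extra-frontend-${idx}-https" \
    --global --address="$addr" --target-https-proxy="$https_tp" --ports=443
  # 4. HTTP forwarding rule on the same IP, reusing the Ingress's HTTP proxy,
  #    so port 80 keeps serving the HTTP-to-HTTPS upgrade.
  run gcloud compute forwarding-rules create "extra-frontend-${idx}-http" \
    --global --address="$addr" --target-http-proxy="$HTTP_PROXY_NAME" --ports=80
}

# Usage: sh extra-frontends.sh mcrt-aaa mcrt-bbb ...   (Compute cert names)
if [ "$#" -gt 0 ]; then
  i=0
  batch_certs "$@" | while IFS= read -r certs; do
    i=$((i + 1))
    frontend_commands "$i" "$certs"
  done
fi
```

Once the frontends exist, add the new ManagedCertificate names to the `networking.gke.io/managed-certificates` annotation and apply the Ingress, as in the steps above. The Ingress controller did not create these extra addresses, proxies and forwarding rules, so it will not clean them up when the Ingress is deleted; track and remove them yourself.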

There are two limits: a hard limit of 15 certificates per load balancer, and a quota-controlled limit on the number of certificates per project.