https://brtkwr.com/tags/gateway-api/Recent content in Gateway-Api on brtkwr.comHugoenThu, 28 May 2026 10:00:00 +0000https://brtkwr.com/posts/2026-05-28-cert-manager-vs-google-certificate-manager-for-gke-gateway/Thu, 28 May 2026 10:00:00 +0000https://brtkwr.com/posts/2026-05-28-cert-manager-vs-google-certificate-manager-for-gke-gateway/<h2 id="tldr"> TL;DR <a class="heading-link" href="#tldr"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>I had a Kubernetes service exposed via two different gateway flavours on different clusters. Two of them used an istio <code>Gateway</code> with TLS terminated in-pod, where cert-manager handed it a wildcard cert via a regular <code>Secret</code>. The third used a GKE-managed <code>Gateway</code> (<code>gatewayClassName: gke-l7-global-external-managed</code>), where TLS terminates at a Google Cloud Load Balancer that does not read Kubernetes Secrets. For that one I had to use Google Certificate Manager with a DNS-01 authorisation, then point the Gateway at the resulting cert map via a <code>networking.gke.io/certmap</code> annotation. cert-manager does not fit this path.</p>