networking.gke.io/managed-certificates annotation, pointing DNS for my domain to the Load Balancer IP (described here: https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs) and waiting for the LB to validate the domain.

 

It works, but the drawback is that it can take a while to produce the cert and there's downtime whilst migrating sites. For me a better solution is DNS authorised certs, which I can create with Certificate Manager, as described here: https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth. The problem is that so far as I can see you can't reference in the Ingress and have to assign the certificate to a certificate map, which you then assign to a target proxy that the load balancer uses. I understand from the note here (https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#ingress_for_external_and_internal_t... that Ingress controllers can overwrite Load Balancer properties, so I assume the target proxy could be recreated or something else unexpected could happen and I lose the cert. I've tried it and it works initially, but then I get syncing errors with the load balancer from the Ingress controller when I make a change, which I assume is a symptom of this. 

 

It feels like I must be missing something here - any ideas welcome. Thanks in advance.