GCP – Fixing Managed SSL Certificate Stuck on FAILED_NOT_VISIBLE

google-cloud-platform google-kubernetes-engine ssl

I've followed GCP's guide to creating a managed SSL certificate for my subdomain <subdomain>.<domain>.dev.

My domain registrar is configured with the NS records:

    ns-cloud-d1.googledomains.com.
    ns-cloud-d2.googledomains.com.
    ns-cloud-d3.googledomains.com.
    ns-cloud-d4.googledomains.com.

My GCP project is managing the domain name using Cloud DNS with the following entries:

    NAME                        TYPE    TTL     DATA
    <domain>.dev.               MX      3600    10 eforward1.registrar-servers.com.
                                                10 eforward2.registrar-servers.com.
                                                10 eforward3.registrar-servers.com.
                                                15 eforward4.registrar-servers.com.
                                                20 eforward5.registrar-servers.com.
    <domain>.dev.               NS      21600   ns-cloud-d1.googledomains.com.
                                                ns-cloud-d2.googledomains.com.
                                                ns-cloud-d3.googledomains.com.
                                                ns-cloud-d4.googledomains.com.
    <domain>.dev.               SOA     3601    ns-cloud-d1.googledomains.com. <mail>. 2019032900 86400 7200 3600000 3601
    <domain>.dev.               TXT     3600    "v=spf1" "include:spf.efwd.registrar-servers.com" "~all"
    <subdomain>.<domain>.dev.   A       7200    <ingress-ip>
    www.<domain>.dev.           CNAME   1799    <domain>.dev.

Pinging <subdomain>.<domain>.dev resolves the expected IP of the target Ingress, and making requests to the application at http://<subdomain>.<domain>.dev works correctly.

So why does managed certificate provisioning fail with FAILED_NOT_VISIBLE?

Best Answer

My mistake was referencing the wrong name of the static IP resource in Ingress.

When creating the Ingress, a new global static IP was created. For some reason, it was created with an autogenerated name like k8s-fw-myapp-myapp-api--3b52739e6d618a1f, rather than the human-readable name that I have assigned to it.

Changing the Ingress annotation kubernetes.io/ingress.global-static-ip-name to the autogenerated name fixed the issue.
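
The mismatch described in the answer can be checked offline by comparing the Ingress annotation against the reserved global addresses and the domain's A records. This is an added example, not part of the original question or answer. It assumes the inputs are the parsed output of `kubectl get ingress <name> -o json` and `gcloud compute addresses list --global --format=json`; the sample data, the name `myapp-ip`, the IP addresses and the function names are constructed for illustration.

```python
import json

ANNOTATION = "kubernetes.io/ingress.global-static-ip-name"

# Constructed sample data (documentation IP ranges; "myapp-ip" is a made-up name).
INGRESS_JSON = """{
  "metadata": {"name": "myapp-api",
               "annotations": {"kubernetes.io/ingress.global-static-ip-name": "myapp-ip"}},
  "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}
}"""
ADDRESSES_JSON = """[
  {"name": "k8s-fw-myapp-myapp-api--3b52739e6d618a1f", "address": "203.0.113.10"}
]"""


def diagnose(ingress, addresses, dns_a_records):
    """Return (code, detail) findings about the annotation, the reserved IPs and DNS."""
    findings = []
    ip_of = {a["name"]: a["address"] for a in addresses}
    name_of = {a["address"]: a["name"] for a in addresses}
    wanted = ingress.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    lb = ingress.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    lb_ips = {entry["ip"] for entry in lb if "ip" in entry}

    if wanted is None:
        findings.append(("NO_ANNOTATION", f"{ANNOTATION} is not set"))
    elif wanted not in ip_of:
        findings.append(("UNKNOWN_ADDRESS_NAME", f"no global address named {wanted!r}"))
    elif ip_of[wanted] not in lb_ips:
        findings.append(("ANNOTATION_IP_NOT_SERVING",
                         f"{wanted!r} is {ip_of[wanted]}, load balancer has {sorted(lb_ips)}"))
    # Name the reserved address that actually holds each load balancer IP.
    for ip in sorted(lb_ips):
        if ip in name_of and name_of[ip] != wanted:
            findings.append(("SERVING_ADDRESS_NAME", name_of[ip]))
    # The certificate's domain must resolve to the load balancer IP.
    stray = sorted(set(dns_a_records) - lb_ips)
    if stray or not dns_a_records:
        findings.append(("DNS_NOT_ON_LB", f"A records {stray} are not the load balancer IP"))
    return findings


def run_sample():
    return diagnose(json.loads(INGRESS_JSON), json.loads(ADDRESSES_JSON), ["203.0.113.10"])


if __name__ == "__main__":
    for code, detail in run_sample():
        print(f"{code}: {detail}")
```

On the sample data, the `SERVING_ADDRESS_NAME` finding carries the autogenerated name that the annotation would need to reference.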