I found this example of setting up a service to do SSL termination on a backend service as opposed to on the ingress controller, but I don't see where to specify which certificate to use. I'd like to use a certificate I already have in my Google cloud certificate store. Where do I set that? How does this example work without a certificate?
https://github.com/kubernetes/ingress-gce/blob/master/examples/backside-https/app.yaml
More information about frontend vs backend HTTPS: https://github.com/kubernetes/ingress-gce/blob/master/README.md#frontend-https
If the backend service is using a certificate signed by a public CA, then nothing needs to be done. The GKE ingress is just like any other client to your backend- it knows about various certificate authorities and it can verify that your backend certificate was signed by one of those authorities.
If however the certificate in your certificate store is a client certificate, meaning that you want GKE to be authenticating using that certificate to your backend, not sure that is possible.
There is a way to instruct nginx to use client certificates, something along the lines of this answer, which uses self-signed certificates:
https://serverfault.com/a/717926/370529
And there is a way to provide those snippets to an nginx ingress controller. But GKE does not use nginx. I don't know of a way to do the same with the GKE ingress controller.