Be careful here so you don't waste too much time. If you are thinking about using the GKE ManagedCertificate resource type, then you can't. These can only be used with ingresses, which we cannot use, and they will only sign certificates for domains you own. We require internal Kubernetes domain names (that no one can ever own) and localhost.
In theory, if the platform ever allowed it in a generic way, we could do TLS termination at a load balancer, and that would work, because it only exposes your own public domain.
If I've got it completely wrong, do give me an idea of what you are thinking!