1
votes

I'm trying to deploy a Docker container that exposes a simple Docker server, a clone of the httpbin.org service, in the Google Container Engine (Kubernetes).

This is the Service definition I'm using:

apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 3000
    protocol: TCP
    name: http
  selector:
    app: httpbin

The ingress is defined as:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: httpbin-tls
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "http-bin-static-ip"
spec:
  tls:
  - secretName: positive-ssl
  backend:
    serviceName: httpbin
    servicePort: 80

In the Services/Ingress dashboards I can see two IPs, the one bound directly to the Service (ephemeral) and the Static IP bound to the Ingress. Calling them both directly on port 80 works like a charm.

After that was done, I created an A record for the Static IP and ensured the Load Balancer was OK in the GKE dashboard:

GKE Load Balancers Dashboard

The HTTPS endpoint should be working according to a lot of tutorials and manuals I checked, but it's not! Every call to HTTPS gets redirected (301) to the HTTP port.

The output from the curl -v:

* Rebuilt URL to: https://httpbin-1.mydomain.com/
*   Trying XXX.XX.XX.XX...
* TCP_NODELAY set
* Connected to httpbin-1.mydomain.com (XXX.XX.XX.XX) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate: mydomain.com
* Server certificate: COMODO ECC Domain Validation Secure Server CA 2
* Server certificate: COMODO ECC Certification Authority
> GET / HTTP/1.1
> Host: httpbin-1.mydomain.com
> User-Agent: curl/7.51.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 03 Mar 2017 18:01:23 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Fri, 03 Mar 2017 19:01:23 GMT
< Location: http://httpbin-1.mydomain.com/
< 
* Curl_http_done: called premature == 0
* Connection #0 to host httpbin-1.mydomain.com left intact

I did not create any auto redirection of any kind and strictly followed the official manuals (from Kubernetes and GKE), but I'm unable to go beyond this. I even tried to recreate the whole stack from the ground up, with a new cluster and new load balancers, but got the same results.

What am I missing? Thanks!

1
Could you show the secret file without the real values? I'm interested in the keys you're using. - Gambo
What do you mean by the "secret file"? The SSL certificate? I've already used the same certificate in AWS, and also checked with SSL diagnostics, the certificate is fine. - Luís Brito

1 Answer

1
votes

AFAIK GLB cannot do correct forwarding for you. You will have to use a webserver in the service after the ingress to solve that scenario.

Your current behavior seems to be caused by

annotations:
  kubernetes.io/ingress.global-static-ip-name: "http-bin-static-ip"

Remove that part from your ingress and you should see your HTTPS session be terminated at your ingress.
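
Added example (not part of the original question or answer): a small Python check that parses a `curl -v` transcript like the one in the question and flags a redirect that sends a TLS connection back to plain HTTP. The sample transcript is constructed from lines quoted in the question; the function names and finding labels are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the relevant lines of the curl -v transcript in the question.
SAMPLE = """\
* Connected to httpbin-1.mydomain.com (XXX.XX.XX.XX) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> GET / HTTP/1.1
> Host: httpbin-1.mydomain.com
>
< HTTP/1.1 301 Moved Permanently
< Cache-Control: max-age=3600
< Location: http://httpbin-1.mydomain.com/
<
"""

def parse_curl_verbose(text):
    """Extract port, TLS state, request host, status and response headers."""
    info = {"port": None, "tls": False, "host": None, "status": None, "headers": {}}
    for line in text.splitlines():
        if line.startswith("* "):
            m = re.search(r"Connected to \S+ \(.*?\) port (\d+)", line)
            if m:
                info["port"] = int(m.group(1))
            if re.search(r"\b(TLS|SSL)\b.*connection using", line):
                info["tls"] = True  # handshake completed on this connection
        elif line.startswith("> ") and line[2:].lower().startswith("host:"):
            # urlsplit drops an optional :port from the Host header value
            info["host"] = urlsplit("//" + line[2:].split(":", 1)[1].strip()).hostname
        elif line.startswith("< "):
            body = line[2:].strip()
            m = re.match(r"HTTP/\S+ (\d{3})", body)
            if m:
                info["status"] = int(m.group(1))
            elif ":" in body:
                name, value = body.split(":", 1)
                info["headers"][name.strip().lower()] = value.strip()
    return info

def classify(info):
    """Return a finding label for the redirect behaviour of one exchange."""
    loc = info["headers"].get("location")
    if info["status"] not in (301, 302, 303, 307, 308) or not loc:
        return "no-redirect"
    target = urlsplit(loc)
    if info["tls"] and target.scheme == "http":
        same = (target.hostname or "").lower() == info["host"]
        return "https-to-http-downgrade" + ("-same-host" if same else "-other-host")
    return "redirect-ok"
```

On the sample, `classify(parse_curl_verbose(SAMPLE))` reports a same-host downgrade: TLS was negotiated on port 443, yet the `Location` header points at `http://`.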