0
votes

Using GitLab Auto DevOps CI, it had set up an ingress controller:

spec:
  rules:
  - host: api.example.com
    http:
      paths:
      - backend:
          serviceName: production-auto-deploy
          servicePort: 5000
        path: /
  tls:
  - hosts:
    - api.example.com
    secretName: production-auto-deploy-tls
status:
  loadBalancer:
    ingress:
    - ip: xxx.xxx.xxx.xxx

http://api.example.com works great, but https://api.example.com first gives me a certificate error, and then after I add the exception I get a 404 from Google Kubernetes Engine.

Why is the TLS certificate not configured right?

Why doesn't it direct the host to the service?

Load balancer

apiVersion: v1
kind: Service
spec:
  clusterIP: xxx.xxx.xxx.xxx
  externalTrafficPolicy: Cluster
  ports:
  - name: http
    nodePort: 30408
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    nodePort: 31101
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app: nginx-ingress
    component: controller
    release: ingress
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - ip: xxx.xxx.xxx.xxx

Ingress

apiVersion: v1
kind: Service
spec:
  clusterIP: xxx.xxx.xxx.xxx
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app: nginx-ingress
    component: default-backend
    release: ingress
  sessionAffinity: None
  type: ClusterIP

status:
  loadBalancer: {}
1
What is your Ingress controller? - Rico
It's the yml I attached. What do you mean exactly? - itaied
Those are the ingress rules from your Kubernetes ingress resource. The Ingress object is managed by an ingress controller, which can be something like traefik or nginx - Rico
Ok I see this now. It actually just names port 80. Do I need to set the certificate there, or just add the https port and the controller handles everything else? - itaied
@itaied Different features and annotations might be supported or not depending on the chosen Ingress controller: ingress by kubernetes, Nginx, Traefik - Konstantin Vustin

1 Answer

1
votes

OK, in the end I understand what you do. You create an NGINX service that will balance over your services, as Ingress. I don't understand how an NGINX service with CLUSTER_IP can be open to the world and serve as ingress.

But here is the plan for what must be done to expose a GKE service to the WORLD:

1) A configured service with clusterIP, which will listen and be available inside the k8s cluster.
2) Configured ingress rules.
3) In case you want to use an optional ingress controller on GKE, install your controller.

Here is an example of how this may work on GCLB (in the case of GCLB, the service must be exposed on NodePort, bad design).

Service

apiVersion: v1
kind: Service
metadata:
  labels:
    app: service-nm
  name: service-name
  namespace: your-nm
spec:
  externalTrafficPolicy: Cluster
  ports:
  - nodePort: 30200
    port: 80
    protocol: TCP
    targetPort: 3001
  selector:
    app: operator
  sessionAffinity: None
  type: NodePort

Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # annotation values must be strings, so the boolean is quoted
    kubernetes.io/ingress.allow-http: "false"
    ingress.gcp.kubernetes.io/pre-shared-cert: np-ssl-certificate
spec:
  rules:
  - host: your-domain-name
    http:
      paths:
      - backend:
          serviceName: your-sn
          servicePort: 80
  - host: your-domain-name

For more details on how to install nginx on GKE: https://cloud.google.com/community/tutorials/nginx-ingress-gke
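
A consistency check for the kind of Ingress and Service pair shown in the answer above, as an added example that is not part of the original answer. The function name `check_ingress` is hypothetical, the objects use the `extensions/v1beta1` field names from this page, and the sample data is constructed from the answer's placeholders with the `allow-http` value left as a boolean, as an unquoted `false` would parse.

```python
PRESHARED = "ingress.gcp.kubernetes.io/pre-shared-cert"

def check_ingress(ingress, services, need_nodeport=False):
    """Return findings for an Ingress and the Services it names (empty = consistent)."""
    out, meta, spec = [], ingress.get("metadata", {}), ingress.get("spec", {})
    ns, ann = meta.get("namespace", "default"), meta.get("annotations", {})
    svcs = {s["metadata"]["name"]: s["spec"] for s in services
            if s["metadata"].get("namespace", "default") == ns}
    # Annotation values must be strings; an unquoted YAML `false` parses as a boolean.
    out += [f"annotation {k}: {v!r} is not a string" for k, v in ann.items()
            if not isinstance(v, str)]
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    for rule in spec.get("rules", []):
        host = rule.get("host", "*")
        if host not in tls_hosts and PRESHARED not in ann:
            out.append(f"{host}: no tls entry and no pre-shared cert")
        paths = rule.get("http", {}).get("paths", [])
        if not paths:
            out.append(f"{host}: rule has no http paths")
        for backend in (p["backend"] for p in paths):
            name, port = backend["serviceName"], backend["servicePort"]
            svc = svcs.get(name)
            if svc is None:
                out.append(f"{host}: service {name} not found in namespace {ns}")
            elif not any(port in (q.get("port"), q.get("name")) for q in svc.get("ports", [])):
                out.append(f"{host}: service {name} exposes no port {port}")
            elif need_nodeport and svc.get("type") not in ("NodePort", "LoadBalancer"):
                out.append(f"{host}: service {name} is {svc.get('type', 'ClusterIP')}, not NodePort")
    return out

# Constructed sample: the answer's placeholder manifests as parsed objects.
SERVICE = {"metadata": {"name": "service-name", "namespace": "your-nm"},
           "spec": {"type": "NodePort",
                    "ports": [{"nodePort": 30200, "port": 80, "targetPort": 3001}]}}
INGRESS = {"metadata": {"namespace": "your-nm", "annotations": {
               "kubernetes.io/ingress.allow-http": False,  # models an unquoted `false`
               PRESHARED: "np-ssl-certificate"}},
           "spec": {"rules": [
               {"host": "your-domain-name", "http": {"paths": [
                   {"backend": {"serviceName": "your-sn", "servicePort": 80}}]}},
               {"host": "your-domain-name"}]}}

if __name__ == "__main__":
    for finding in check_ingress(INGRESS, [SERVICE], need_nodeport=True):
        print(finding)
```

The same function accepts objects loaded from `kubectl get ingress,svc -o json` output, one item at a time.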