Enabling SSL on kubernates in GCE

8/31/2017

I'm in the process of enabling HTTPS to our kubernates clusters in GCE. I'm trying to utilize kubernates Ingress

I have the cert and priv key, and I have created a secret with these appended (ssl-secret):

apiVersion: v1
kind: Secret
metadata:
  name: ssl-secret
type: Opaque
data:
  tls.crt: LS0tLS...
  tls.key: Mc0c4t...

I also have an Ingress utilizing the secret (ssl-ingress):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ssl-ingress
spec:
  backend:
    serviceName: client # Name of the service
    servicePort: my-https-port # Fetched from annotations
  tls:
  - hosts:
    - test.domain.se # My domain address
    secretName: ssl-secret # Name of my previously created secret

Finally, I try to apply these to my cluster with the following setup:

apiVersion: v1
kind: Service
metadata:
  name: client
  annotations:
    service.alpha.kubernetes.io/app-protocols: '{"my-https-port":"HTTPS"}'   # Must map port-name to HTTPS for the GCP ingress controller
  labels:
    app: client-pods
spec:
  type: NodePort
  ports:
    - port: 12345 #To my understanding, not used
      targetPort: client-https
      protocol: TCP
      name: my-https-port
  selector:
    name: client-pods

So, my goal is that using this setup, I would be able to reach test.domain.se on https://test.domain.se. But it just times out, while http://test.domain.se works just fine.

Describing the Ingress I get the following:

Name:                   ssl-ingress
Namespace:              default
Address:                35.186.253.27
Default backend:        client:my-https-port ()
TLS:
  ssl-secret terminates test.domain.se
Rules:

  Host  Path    Backends
  ----  ----    --------
  *     *       client:my-https-port ()
Annotations:
  static-ip:            k8s-fw-default-ssl-ingress--59114a8fc664f628
  target-proxy:         k8s-tp-default-ssl-ingress--59114a8fc664f628
  url-map:              k8s-um-default-ssl-ingress--59114a8fc664f628
  backends:             {"k8s-be-31894--59114a8fc664f628":"UNHEALTHY"}
  forwarding-rule:      k8s-fw-default-ssl-ingress--59114a8fc664f628
Events:
  FirstSeen     LastSeen        Count   From                    SubObjectPath   Type            Reason  Message
  ---------     --------        -----   ----                    -------------   --------        ------  -------
  7m            7m              1       loadbalancer-controller                 Normal          ADD default/ssl-ingress
  6m            6m              1       loadbalancer-controller                 Normal          CREATE  ip: 35.186.253.27
  6m            2m              18      loadbalancer-controller                 Warning         GCE googleapi: Error 400: The SSL key could not be parsed.
  6m            2m              18      loadbalancer-controller                 Warning         Service failed to identify user specified default backend, couldn't find nodeport for default/client, using system default

So my questions are the following:

Warning GCE googleapi: Error 400: The SSL key could not be parsed.

1: It seems like Ingress needs the priv key's passphrase. How do I add a passphrase to the secret (the key does have a known passphrase, but how do I inform the secret of it?)

Warning Service failed to identify user specified default backend, couldn't find nodeport for default/client, using system default

2: It claims that it could not find nodeport for default/client. I have the target service client already running, but itseems the ingress appends default/ before the service name. Why, and how do I specify the client service?

-- David Gustavsson
google-compute-engine
kubernetes
kubernetes-security
ssl

1 Answer

7/17/2018

I had the same issue. What I did was this

1) convert private key to RSA private key

openssl rsa -in private.key -out private_rsa.key

2) creating secret via command-line

kubectl create secret tls ingress-ssl --key private_rsa.key --cert certificate.crt

and using this secret in my Ingress.

-- Alamgir Qazi
Source: StackOverflow