gce-ingress HTTPS backend

5/10/2018

I was configuring the gce ingress on my kubernetes cluster and I specified a Django application as default backend. The app enforces HTTPS so if you try to do a simple HTTP request Django will return a 301. Obviously HTTP health check will not pass. I was following this example to enable the HTTPS health check. Once the health check was spawned I manually edited the path in compute engine but from the Django app logs it seems that it hasn't received any requests, so it results UNHEALTHY and I can't get the ingress to work.

How can I make the health check to work in this case?

Configuration:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.global-static-ip-name: web-static-ip
spec:
  tls:
  - hosts:
    - foo.domain.it
    secretName: production-tls
  backend:
    serviceName: app
    servicePort: app-https

apiVersion: v1
kind: Service
metadata:
  name: app
  annotations:
    service.alpha.kubernetes.io/app-protocols: '{"app-https":"HTTPS"}'
  labels:
    component: app
    role: web
spec:
  type: NodePort
  ports:
  - port: 12345
    targetPort: 8000
    protocol: TCP
    name: app-https
  selector:
    component: app
    role: web
  type: LoadBalancer

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: app
  labels:
    component: app
    role: web
spec:
  replicas: 1
  template:
    metadata:
      labels:
        component: app
        role: web
    spec:
      containers:
        - name: app
          image: [my-image]
          imagePullPolicy: Always
          ports:
          - containerPort: 8000
          envFrom:
          - configMapRef:
              name: app-config
-- Girbons
django
google-cloud-platform
google-kubernetes-engine
kubernetes

3 Answers

5/15/2018

When you click on your health check (Network services > Load Balancer > click on your health check name) what does it show under 'port'?

It needs to be the value of the NodePort.

When you run the following what is the value of the NodePort for service 'app-https'?

kubectl get services

It should generated an output containing something like this:

12345:32605/TCP

In this example, 32605 would be the NodePort, and this is the value that should be in the 'port' section of the health check.

-- neilH
Source: StackOverflow

5/10/2018

Couple of things to check:

1) Does the Django app actually listen for HTTPS on port 8000 (you have not specified a TLS certificate secret for the app itself)?

2) You have not specified a readiness probe for the app (which is used for GCE HTTP LB health checking, too), see the example you posted for configuring a HTTPS health check: https://github.com/kubernetes/ingress-gce/blob/master/examples/backside-https/app.yaml

-- Jukka
Source: StackOverflow

8/22/2018

As a workaround, I disabled the DJANGO_SECURE_SSL_REDIRECT and forced the ingress to accept only HTTPS request in case of GCE ingress. kubernetes.io/ingress.allow-http: "false"

If you are using NGINX as ingress just set nginx.ingress.kubernetes.io/ssl-redirect: "True"

-- Girbons
Source: StackOverflow