I was configuring the gce ingress on my kubernetes cluster and I specified a Django application as default backend. The app enforces HTTPS so if you try to do a simple HTTP request Django will return a 301. Obviously HTTP health check will not pass. I was following this example to enable the HTTPS health check. Once the health check was spawned I manually edited the path in compute engine but from the Django app logs it seems that it hasn't received any requests, so it results UNHEALTHY and I can't get the ingress to work.
How can I make the health check to work in this case?
Configuration:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
annotations:
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.global-static-ip-name: web-static-ip
spec:
tls:
- hosts:
- foo.domain.it
secretName: production-tls
backend:
serviceName: app
servicePort: app-https
apiVersion: v1
kind: Service
metadata:
name: app
annotations:
service.alpha.kubernetes.io/app-protocols: '{"app-https":"HTTPS"}'
labels:
component: app
role: web
spec:
type: NodePort
ports:
- port: 12345
targetPort: 8000
protocol: TCP
name: app-https
selector:
component: app
role: web
type: LoadBalancer
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: app
labels:
component: app
role: web
spec:
replicas: 1
template:
metadata:
labels:
component: app
role: web
spec:
containers:
- name: app
image: [my-image]
imagePullPolicy: Always
ports:
- containerPort: 8000
envFrom:
- configMapRef:
name: app-config
When you click on your health check (Network services > Load Balancer > click on your health check name) what does it show under 'port'?
It needs to be the value of the NodePort.
When you run the following what is the value of the NodePort for service 'app-https'?
kubectl get services
It should generated an output containing something like this:
12345:32605/TCP
In this example, 32605 would be the NodePort, and this is the value that should be in the 'port' section of the health check.
Couple of things to check:
1) Does the Django app actually listen for HTTPS on port 8000 (you have not specified a TLS certificate secret for the app itself)?
2) You have not specified a readiness probe for the app (which is used for GCE HTTP LB health checking, too), see the example you posted for configuring a HTTPS health check: https://github.com/kubernetes/ingress-gce/blob/master/examples/backside-https/app.yaml
As a workaround, I disabled the DJANGO_SECURE_SSL_REDIRECT
and forced the ingress to accept only HTTPS request in case of GCE ingress. kubernetes.io/ingress.allow-http: "false"
If you are using NGINX as ingress just set nginx.ingress.kubernetes.io/ssl-redirect: "True"