Google Kubernetes Engine Ingress TLS doesn't work

10/8/2018

Using GitLab Auto DevOps CI, it had set up an ingress controller:

spec:
  rules:
  - host: api.example.com
    http:
      paths:
      - backend:
          serviceName: production-auto-deploy
          servicePort: 5000
        path: /
  tls:
  - hosts:
    - api.example.com
    secretName: production-auto-deploy-tls
status:
  loadBalancer:
    ingress:
    - ip: xxx.xxx.xxx.xxx

http://api.example.com works great, but https://api.example.com first gives me a certificate error, and then after I add the exception I get a 404 from Google Kubernetes Engine.

Why is the TLS certificate not configured right?

Why doesn't it direct the host to the service?

Load balancer

apiVersion: v1
kind: Service
spec:
  clusterIP: xxx.xxx.xxx.xxx
  externalTrafficPolicy: Cluster
  ports:
  - name: http
    nodePort: 30408
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    nodePort: 31101
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app: nginx-ingress
    component: controller
    release: ingress
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - ip: xxx.xxx.xxx.xxx

Ingress

apiVersion: v1
kind: Service
spec:
  clusterIP: xxx.xxx.xxx.xxx
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app: nginx-ingress
    component: default-backend
    release: ingress
  sessionAffinity: None
  type: ClusterIP

status:
  loadBalancer: {}
-- itaied
gitlab
google-kubernetes-engine
kubernetes
kubernetes-ingress

1 Answer

10/9/2018

OK, in the end I understand what you do. You create an NGINX service that will balance over your services, as Ingress. I don't understand how an NGINX service with CLUSTER_IP can be open to the world and serve as ingress.

But here is the plan of what must be done to expose a GKE service to the WORLD.

1) A configured service with clusterIp, which will be listening and available inside the k8s cluster.
2) Configured ingress rules.
3) In case you want to use an optional ingress controller on GKE, install your controller.

Here is an example of how this may work on GCLB (in the case of GCLB, the service must be exposed on NodePort, bad design).

Service

apiVersion: v1
kind: Service
metadata:
  labels:
    app: service-nm
  name: service-name
  namespace: your-nm
spec:
  externalTrafficPolicy: Cluster
  ports:
  - nodePort: 30200
    port: 80
    protocol: TCP
    targetPort: 3001
  selector:
    app: operator
  sessionAffinity: None
  type: NodePort

Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # annotation values must be strings, so the boolean is quoted
    kubernetes.io/ingress.allow-http: "false"
    ingress.gcp.kubernetes.io/pre-shared-cert: np-ssl-certificate
spec:
  rules:
  - host: your domain-name
    http:
      paths:
      - backend:
          serviceName: your-sn
          servicePort: 80
  - host: your-domain-name

For more details on how to install nginx on GKE: https://cloud.google.com/community/tutorials/nginx-ingress-gke

-- Grigoriev Nick
Source: StackOverflow
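
An added example, not part of the original question or answer: a spec.tls entry like the one in the question only takes effect when its secretName resolves to a kubernetes.io/tls Secret in the Ingress's own namespace, so this check runs over `kubectl get ingress,secret -o json` style objects and reports dangling or malformed references. The namespace "default" and the function names are assumptions made for the illustration.

```python
import json

# Constructed sample: the question's Ingress as `kubectl get ingress -o json`
# would return it; the namespace "default" is an assumption.
SAMPLE_INGRESS = json.loads("""
{"metadata": {"name": "production-auto-deploy", "namespace": "default"},
 "spec": {"rules": [{"host": "api.example.com"}],
          "tls": [{"hosts": ["api.example.com"],
                   "secretName": "production-auto-deploy-tls"}]}}
""")

def host_covered(host, tls_hosts):
    """True if host matches a TLS host exactly or via a one-label wildcard."""
    parent = host.split(".", 1)[-1]
    return host in tls_hosts or "*." + parent in tls_hosts

def check_ingress_tls(ingress, secrets):
    """Return findings for one Ingress dict given the cluster's Secret dicts."""
    ns = ingress["metadata"].get("namespace", "default")
    spec = ingress.get("spec", {})
    known = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s
             for s in secrets}
    findings, tls_hosts = [], set()
    for entry in spec.get("tls", []):
        tls_hosts.update(entry.get("hosts", []))
        name = entry.get("secretName")
        secret = known.get((ns, name))
        if not name:
            findings.append("tls entry has no secretName")
        elif secret is None:
            # The Secret must live in the same namespace as the Ingress.
            findings.append(f"secret {ns}/{name} not found")
        elif secret.get("type") != "kubernetes.io/tls":
            findings.append(f"secret {ns}/{name} has type {secret.get('type')}")
        else:
            data = secret.get("data") or {}
            for key in ("tls.crt", "tls.key"):
                if not data.get(key):
                    findings.append(f"secret {ns}/{name} is missing {key}")
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and not host_covered(host, tls_hosts):
            findings.append(f"host {host} is not listed under spec.tls")
    return findings

if __name__ == "__main__":
    for finding in check_ingress_tls(SAMPLE_INGRESS, secrets=[]):
        print(finding)
```

An empty result means the references are consistent; it does not validate the certificate itself (expiry, issuer, or whether its names match the host).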