Google managed SSL certificate stuck on FAILED_NOT_VISIBLE

12/21/2018

I'm trying to configure an HTTPS load balancer on GKE. I'm following: https://cloud.google.com/load-balancing/docs/ssl-certificates and https://cloud.google.com/kubernetes-engine/docs/concepts/ingress

My config has worked for some time using a certificate from Let's Encrypt. But it's too much hassle to renew the certificates all the time so I wanted to test Google's managed service.

This is how I've set it up so far, but it is stuck on FAILED_NOT_VISIBLE. Any idea on how I can fix or debug this further?

k8s/staging/staging-ssl.yml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-staging-lb-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-staging-global"
    ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"
    kubernetes.io/ingress.allow-http: "false"
spec:
  rules:
  - host: staging.my-app.no
    http:
      paths:
      - path: /*
        backend:
          serviceName: my-svc
          servicePort: 3001

Reserved IP

$ gcloud compute addresses list
NAME                   REGION  ADDRESS         STATUS
my-staging-global              35.244.160.NNN  RESERVED


$ host staging.my-app.no 
35.244.160.NNN

$ gcloud beta compute ssl-certificates describe staging-google-managed-ssl

creationTimestamp: '2018-12-20T04:59:39.450-08:00'
id: 'NNNN'
kind: compute#sslCertificate
managed:
  domainStatus:
    staging.my-app.no: FAILED_NOT_VISIBLE
  domains:
  - staging.my-app.no
  status: PROVISIONING
name: staging-google-managed-ssl
selfLink: https://www.googleapis.com/compute/beta/projects/my-project/global/sslCertificates/staging-google-managed-ssl
type: MANAGED

I found a section in the doc I linked to at the beginning of the post, "Associating SSL certificate resources with a target proxy":

Use the following gcloud command to associate SSL certificate resources with a target proxy, whether the SSL certificates are self-managed or Google-managed.

gcloud compute target-https-proxies create [NAME] \
    --url-map=[URL_MAP] \
    --ssl-certificates=[SSL_CERTIFICATE1][,[SSL_CERTIFICATE2],[SSL_CERTIFICATE3],...]

Is that necessary when I have this line in my Ingress config?

ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"

-- martins
gke-networking
google-cloud-platform
google-kubernetes-engine
ssl

6 Answers

12/22/2018

As per the following documentation which you provided, this should help you out:

The status FAILED_NOT_VISIBLE indicates that certificate provisioning failed for a domain because of a problem with DNS or the load balancing configuration. Make sure that DNS is configured so that the certificate's domain resolves to the IP address of the load balancer.

-- hachemon
Source: StackOverflow

4/16/2020

In my case I needed to alter the healthcheck and point it to the proper endpoint (/healthz on nginx-ingress), and after the healthcheck returned true I had to make sure the managed certificate was created in the same namespace as the gce-ingress. After these two things were done it finally went through; otherwise I got the same error, "FAILED_NOT_VISIBLE".

-- PCatinean
Source: StackOverflow

8/9/2019

I'm leaving this for anyone who might end up in the same situation as me. I needed to migrate from a self-managed certificate to a google-managed one.

I did create the google-managed certificate following the guide and was expecting to see it being activated before applying the certificate to my Kubernetes ingress (to avoid the possibility of a downtime).

Turns out, as stated by the docs,

the target proxy must reference the Google-managed certificate resource

So applying the configuration with kubectl apply -f ingress-conf.yaml made the load balancer use the newly created certificate, which became active shortly after (15 min or so).

-- Nicolò Gasparini
Source: StackOverflow
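
The two preconditions named in the answers above (the domain resolves to the load balancer IP, and a target proxy references the managed certificate) can be checked together. This is an added Python example, not code from the thread; it assumes the inputs were saved with `gcloud beta compute ssl-certificates describe ... --format=json` and `gcloud compute target-https-proxies list --format=json`. The proxy name, the old certificate name and the 203.0.113.x / 198.51.100.x addresses are constructed sample values.

```python
import json

# Constructed samples shaped like gcloud --format=json output.
CERT = json.loads("""{
  "name": "staging-google-managed-ssl", "type": "MANAGED",
  "selfLink": "https://www.googleapis.com/compute/beta/projects/my-project/global/sslCertificates/staging-google-managed-ssl",
  "managed": {"status": "PROVISIONING", "domains": ["staging.my-app.no"],
              "domainStatus": {"staging.my-app.no": "FAILED_NOT_VISIBLE"}}}""")
PROXIES = json.loads("""[{"name": "example-target-proxy", "sslCertificates":
  ["https://www.googleapis.com/compute/v1/projects/my-project/global/sslCertificates/old-self-managed"]}]""")


def diagnose(cert, proxies, lb_ip, resolved):
    """Return a list of findings explaining why a managed cert is not ACTIVE.

    resolved maps each domain to the addresses DNS returned for it.
    """
    findings = []
    name = cert["name"]
    managed = cert.get("managed", {})

    # Check 1: a target HTTPS proxy must reference the certificate.
    # selfLinks can differ in API version (beta vs v1), so compare the
    # trailing resource name instead of the whole URL.
    attached = [p["name"] for p in proxies
                if any(link.rsplit("/", 1)[-1] == name
                       for link in p.get("sslCertificates", []))]
    if not attached:
        findings.append(f"no target HTTPS proxy references {name}")

    for domain in managed.get("domains", []):
        # Check 2: the domain must resolve to the load balancer's address.
        addrs = resolved.get(domain, [])
        stray = sorted(set(addrs) - {lb_ip})
        if not addrs:
            findings.append(f"{domain}: no address records found")
        elif stray:
            findings.append(f"{domain}: resolves to {', '.join(stray)}, "
                            f"not the load balancer IP {lb_ip}")
        # Check 3: report the per-domain status gcloud returned.
        status = managed.get("domainStatus", {}).get(domain, "UNKNOWN")
        if status != "ACTIVE":
            findings.append(f"{domain}: domainStatus is {status}")
    return findings


if __name__ == "__main__":
    dns = {"staging.my-app.no": ["203.0.113.10"]}
    print("\n".join(diagnose(CERT, PROXIES, "203.0.113.10", dns)))
```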

12/25/2018

What is the TTL (time to live) of the A Resource Record for staging.my-app.no? Use, e.g.,

dig +nocmd +noall +answer staging.my-app.no

to figure it out.

In my case, increasing the TTL from 60 seconds to 7200 let the domainStatus finally arrive in ACTIVE.

-- renew
Source: StackOverflow

3/12/2020

In addition to the other answers, when migrating from self-managed to google-managed certs I had to:

  • Enable http to my ingress service with kubernetes.io/ingress.allow-http: true
  • Leave the existing SSL cert running in the original ingress service until the new managed cert was Active

I also had an expired original SSL cert, though I'm not sure this mattered.

-- tbm
Source: StackOverflow

1/7/2019

It turns out that I had mistakenly done some changes to the production environment and others to staging. Everything worked as expected when I figured that out and followed the guide. :-)

-- martins
Source: StackOverflow