Is it possible to point a GKE K8 ingress point to a LB backend

5/22/2019

The way I have my services set up is the following:

deployment (2 pods) -> load balancer routes to this deployment -> ingress point terminating https pointing to the load balancer as the backend.

So far it's serving the correct cert, but for some reason it's pointing to the "wrong" backend. On the GKE web console it just says my backend services are unhealthy; once I click on them, they don't exist. What am I doing wrong here?

[stupifatcatslaptop poc (dev)]$  kubectl get pods -o wide | grep my_project
my_project-flask-poc-696f7b57c5-54n6r         1/1       Running            0          13d       10.236.1.228   gke-qus1-shared-1-prod-default-pool-44da43de-vq4c
my_project-flask-poc-696f7b57c5-m57h7         1/1       Running            0          13d       10.236.0.16    gke-qus1-shared-1-prod-default-pool-b27de1c2-2h63
[stupifatcatslaptop poc (dev)]$ kubectl get services | grep my_project
my_project-flask-poc-lb                     LoadBalancer   {internal_ip_0}   {internal_ip_1}   8080:32133/TCP               33d
[stupifatcatslaptop poc (dev)]$ kubectl get ingress
NAME                       HOSTS                          ADDRESS          PORTS     AGE
my_project-flask-poc-ingress   my_project-flask-poc.mydomain.com   {external_ip}   80, 443   1d

This is my ingress yaml file

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my_project-flask-poc-ingress
spec:
  tls:
  - secretName: my_project-poc-tls
  rules:
  - host: my_project-flask-poc.mydomain.com
    http:
      paths:
      - backend:
          serviceName: my_project-flask-poc-lb
          servicePort: 8080

deployment yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my_project-flask-poc
  labels:
    app: my_project-flask-poc
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: my_project-flask-poc
    spec:
      containers:
        - name: my_project-flask-poc
          image: gcr.io/myprojectid/my_project-flask-poc
          ports:
            - containerPort: 8080
          volumeMounts:
          - name: secrets
            mountPath: "/etc/secrets"
            readOnly: true
      volumes:
      - name: secrets
        secret:
          secretName: my_project-secret-poc

lb service yaml

apiVersion: v1
kind: Service
metadata:
  name: my_project-flask-poc-lb
  annotations:
    cloud.google.com/load-balancer-type: "Internal"
spec:
  type: LoadBalancer
  loadBalancerIP: {someinternalip} 
  selector:
    app: my_project-flask-poc
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
-- Stupid.Fat.Cat
google-kubernetes-engine
kubernetes

1 Answer

7/15/2019

When it comes to GKE, only the GCE ingress type manages your SSL certificates; hence, it is the only option that has LB-level SSL termination.

For Kubernetes' service type load balancer, you will find that a Network Load Balancer is attached to the cluster. For this type of load balancer, the SSL termination must be handled in the backend.

This is because SSL certificates are managed by layer 7 applications and the Network Load Balancer works at layer 4, as pointed out in a previously shared answer.

-- yyyyahir
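
An added example (not part of the original answer and not GKE tooling): a small Python audit that applies the layer 7 versus layer 4 distinction above to the manifests from the question. The sample objects are constructed from the question's YAML, and the function names and finding labels are this example's own.

```python
import json

# Constructed sample: the Service and Ingress from the question, trimmed to the
# fields this check reads, in the JSON shape `kubectl get -o json` emits.
MANIFESTS = json.loads("""
[
  {"kind": "Service", "metadata": {"name": "my_project-flask-poc-lb"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 8080, "targetPort": 8080}]}},
  {"kind": "Ingress", "metadata": {"name": "my_project-flask-poc-ingress"},
   "spec": {"tls": [{"secretName": "my_project-poc-tls"}],
            "rules": [{"host": "my_project-flask-poc.mydomain.com", "http": {"paths": [
              {"backend": {"serviceName": "my_project-flask-poc-lb", "servicePort": 8080}}]}}]}}
]
""")


def ingress_backends(ingress):
    """Yield (serviceName, servicePort) for each backend of an extensions/v1beta1 Ingress."""
    spec = ingress.get("spec", {})
    default = spec.get("backend")
    if default:
        yield default["serviceName"], default["servicePort"]
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            yield path["backend"]["serviceName"], path["backend"]["servicePort"]


def audit_tls_termination(manifests):
    """Report where TLS ends for each Ingress backend and flag layer 4 side paths."""
    services = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "Service"}
    findings = []
    for ing in (m for m in manifests if m["kind"] == "Ingress"):
        has_tls = bool(ing["spec"].get("tls"))
        for name, port in ingress_backends(ing):
            svc = services.get(name)
            if svc is None:
                findings.append((name, port, "missing-service"))
            elif not has_tls:
                findings.append((name, port, "no-tls-at-ingress"))
            elif svc["spec"].get("type") == "LoadBalancer":
                # The layer 4 LB forwards raw TCP, so clients of its IP never
                # see the Ingress certificate; the pod must terminate TLS itself.
                findings.append((name, port, "l4-path-bypasses-ingress-tls"))
            else:
                findings.append((name, port, "tls-terminated-at-ingress"))
    return findings
```

Run against the question's objects, the audit reports `l4-path-bypasses-ingress-tls` for port 8080: the pods are reachable through the Ingress with its certificate and also through the LoadBalancer Service's address, where nothing terminates TLS unless the application does.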
Source: StackOverflow