I am using GKE Identity-aware proxy > L7 load balancer > Custom host and path rules. It works fine for the root-path. But it does not work for custom paths.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-static-ip"
spec:
  rules:
  - host: my.custom.org
    http:
      paths:
      - path: /v1/*
        backend:
          serviceName: webv1
          servicePort: 8080
      - path: /v3/*
        backend:
          serviceName: webv3
          servicePort: 8080
      - path: /nginx/*
        backend:
          serviceName: nginx
          servicePort: 80
      - path: /*
        backend:
          serviceName: nginx
          servicePort: 80
Paths / and /nginx/ work fine. /v2/ and /v3/ throw "There was a problem with your request. Error code 11".
If I disable the IAP, everything works fine.
Environment:
- Kubernetes version (use kubectl version): 1.12.7-gke.17
- Cloud provider or hardware configuration: GKE
- Setting up HTTP Load Balancing with Ingress @ https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer
- Enabling Cloud IAP for GKE @ https://cloud.google.com/iap/docs/enabling-kubernetes-howto
This error code 11 is related to a misconfiguration of the OAuth client ID.
I see that the failing ones are using a different servicePort. If you are serving the following 2 URLs from two different backends, both may have IAP enabled but configured with different clientIds.
As of now, GCP does not support different clientIds for different paths, and the effort for IAP to use a single clientId across b/e services is underway. For now, if you can verify the clientId, and change it to a single one if they are different, that would work.
The recommended approach would be setting up an NGINX proxy. The ingress + IAP only have one service to deal with instead of two, and it will work like a charm.
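One way to do the clientId verification suggested in the answer above, as an added example that is not part of the original question or answer: it audits backend-service records shaped like the output of `gcloud compute backend-services list --format=json`, groups them by `iap.oauth2ClientId`, and also lists backends that have no IAP at all. The backend names and client IDs are constructed placeholders, and `audit_iap` and `report` are hypothetical helper names.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `gcloud compute backend-services list --format=json`.
# Names and client IDs are placeholders, not values from the question.
SAMPLE = json.loads("""
[
  {"name": "be-nginx", "iap": {"enabled": true,
    "oauth2ClientId": "client-a.apps.googleusercontent.com"}},
  {"name": "be-webv1", "iap": {"enabled": true,
    "oauth2ClientId": "client-b.apps.googleusercontent.com"}},
  {"name": "be-webv3", "iap": {"enabled": true,
    "oauth2ClientId": "client-b.apps.googleusercontent.com"}},
  {"name": "be-default"}
]
""")


def audit_iap(backends):
    """Return (by_client, unprotected, consistent) for backend-service records."""
    by_client = defaultdict(list)
    unprotected = []
    for be in backends:
        iap = be.get("iap") or {}
        client_id = iap.get("oauth2ClientId")
        if iap.get("enabled") and client_id:
            by_client[client_id].append(be["name"])
        else:
            # IAP disabled or no client ID: IAP does not authenticate this backend.
            unprotected.append(be["name"])
    # The answer's condition: all IAP-enabled backends share one client ID.
    consistent = len(by_client) <= 1
    return dict(by_client), unprotected, consistent


def report(backends):
    """Build human-readable findings from audit_iap()."""
    by_client, unprotected, consistent = audit_iap(backends)
    lines = [f"{cid}: {', '.join(sorted(names))}"
             for cid, names in sorted(by_client.items())]
    if not consistent:
        lines.append(f"MISMATCH: {len(by_client)} different OAuth client IDs in use")
    if unprotected:
        lines.append(f"NO IAP: {', '.join(sorted(unprotected))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

To audit a real project, replace `SAMPLE` with the parsed JSON from the gcloud command named in the lead-in.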