GKE Managed Certificate not serving over HTTPS

7/1/2019

I'm trying to spin up a Kubernetes cluster that I can access securely and can't seem to get that last part. I am following this tutorial: https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs

Here are the .yaml files I'm using for my Ingress, NodePort and ManagedCertificate:

apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: client-v1-cert
spec:
  domains:
    - api.mydomain.com
---
apiVersion: v1
kind: Service
metadata:
  name: client-nodeport-service
spec:
  selector:
    app: myApp
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 3000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: api-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: api-v1
    networking.gke.io/managed-certificates: client-v1-cert
spec:
  backend:
    serviceName: client-nodeport-service
    servicePort: 80

No errors that I can see in the GCP console. I can also access my API from http://api.mydomain.com/, but it won't work when I try https. Been banging my head on this for a few days and just wondering if there's some little thing I'm missing.

--- UPDATE ---

Output of kubectl describe managedcertificate

Name:         client-v1-cert
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
API Version:  networking.gke.io/v1beta1
Kind:         ManagedCertificate
Metadata:
  Creation Timestamp:  2019-07-01T17:42:43Z
  Generation:          3
  Resource Version:    1136504
  Self Link:           /apis/networking.gke.io/v1beta1/namespaces/default/managedcertificates/client-v1-cert
  UID:                 b9b7bec1-9c27-33c9-a309-42284a800179
Spec:
  Domains:
    api.mydomain.com
Status:
  Certificate Name:    mcrt-286cdab3-b995-40cc-9b3a-28439285e694
  Certificate Status:  Active
  Domain Status:
    Domain:     api.mydomain.com
    Status:     Active
  Expire Time:  2019-09-29T09:55:12.000-07:00
Events:         <none>
-- delashum
google-cloud-platform
kubernetes

1 Answer

7/2/2019

I figured out a solution to this problem. I ended up going into my GCP console, locating the load balancer associated with the Ingress, and then I noticed that there was only one frontend protocol, and it was HTTP serving over port 80. So I manually added another frontend protocol for HTTPS, selected the managed certificate from the list, and waited about 5 minutes and everything worked.

I have no idea why my ingress.yaml didn't do that automatically though. So although the problem is fixed, if there is anyone out there who knows why, I would love to know.

-- delashum
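
The state described in the answer (an Active certificate, but a load balancer with only an HTTP frontend) can be detected from the load balancer's own resources. The following is an added example, not part of the original post: it checks JSON shaped like the output of `gcloud compute forwarding-rules list --format=json` and `gcloud compute target-https-proxies list --format=json`. The sample records, rule and proxy names, project and IP address are constructed placeholders; only the certificate name comes from the `describe` output above.

```python
CERT = "mcrt-286cdab3-b995-40cc-9b3a-28439285e694"  # Certificate Name from the describe output
BASE = "https://www.googleapis.com/compute/v1/projects/example-project/global"  # placeholder project

# Constructed samples shaped like `gcloud compute forwarding-rules list --format=json`.
# Rule names, proxy names and the IP (documentation range) are placeholders.
BEFORE = [
    {"name": "example-fw-http", "IPAddress": "203.0.113.10", "portRange": "80-80",
     "target": BASE + "/targetHttpProxies/example-http-proxy"},
]
AFTER = BEFORE + [
    {"name": "example-fw-https", "IPAddress": "203.0.113.10", "portRange": "443-443",
     "target": BASE + "/targetHttpsProxies/example-https-proxy"},
]
# Constructed sample shaped like `gcloud compute target-https-proxies list --format=json`.
HTTPS_PROXIES = [
    {"name": "example-https-proxy",
     "sslCertificates": [BASE + "/sslCertificates/" + CERT]},
]


def proxy_kind(rule):
    """Classify a forwarding rule by the proxy type named in its target URL."""
    target = rule.get("target", "")
    if "/targetHttpsProxies/" in target:
        return "https"
    if "/targetHttpProxies/" in target:
        return "http"
    return None  # TCP/SSL proxies and internal load balancers are out of scope here


def http_only_ips(rules):
    """Return IPs that have an HTTP frontend but no HTTPS frontend."""
    kinds = {}
    for rule in rules:
        kind = proxy_kind(rule)
        if kind:
            kinds.setdefault(rule["IPAddress"], set()).add(kind)
    return sorted(ip for ip, seen in kinds.items() if seen == {"http"})


def proxies_serving(cert_name, https_proxies):
    """Return names of HTTPS proxies that have cert_name attached."""
    return [p["name"] for p in https_proxies
            if any(u.rsplit("/", 1)[-1] == cert_name for u in p.get("sslCertificates", []))]


if __name__ == "__main__":
    print("HTTP-only before:", http_only_ips(BEFORE))
    print("HTTP-only after: ", http_only_ips(AFTER))
    print("Proxies with cert:", proxies_serving(CERT, HTTPS_PROXIES))
```

To run it against a real project, replace the constructed lists with the parsed JSON from the two `gcloud` commands; an IP reported by `http_only_ips` is serving plaintext only, regardless of what the ManagedCertificate status says.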
Source: StackOverflow