K
Q

How to fix catch-22 with GCLB and Wordpress returning 301

11/12/2019

I have setup a Kubernetes cluster on GKE. Installed the stable/wordpress Helm chart. Added an Ingress with a SSL certificate. But now the Google load balancer reports that my service is unhealthy. This is caused by the Wordpress pod that returns a 301 on the health check because it wants to enforce HTTPS, which is good. But the Google load balancer refuses to send a x-forwarded-proto: https header. So the pod thinks the health check was done over http. How can I work around this?

I have tried to add an .htaccess which always returns 200 for the GoogleHC User-agent but this is not possible with the helm chart which overrides the .htaccess after start-up.

Also see: https://github.com/kubernetes/ingress-gce/issues/937 and https://github.com/helm/charts/issues/18779

-- meerlol
google-cloud-platform
google-kubernetes-engine
kubernetes
wordpress

Similar Questions

how to send kubectl logs output over mail in azure devops
How to properly label and configure Kubernetes to use Nvidia GPUs?
Compatibility between Kubernetes and Linux
Stateful Pod hostname doesn't resolve
GraphDB Free - Commercial Use and Helm

2 Answers

11/12/2019

WAY : 1

If you are using Kubernetes cluster on GKE then you can use ingress indirectly it will create the Loadbalancer indirectly.

You can add SSL certificate store it inside secret and apply to ingress. For SSL you can also choose another approach to install cert-manager on GKE.

If you want to setup nginx-ingress with cert-manager you can follow this guide also :

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes

WAY : 2

Edit the helm chart locally add the liveness & readinesss probe to deployment and it will check wordpress health checkup over http only.

Update :

To add x-forwarded-proto in ingress you can use this annotation

nginx.ingress.kubernetes.io/server-snippet: |
      location /service {
        proxy_set_header X-Forwarded-Proto https;
      }
-- Harsh Manvar
Source: StackOverflow
11/12/2019

As the HTTPS load balancer terminates the client SSL/TLS session at the LB, you would need to configure HTTPS between the load balancer and your application (wordpress). Health checks use HTTP by default, to use HTTPS health checks with your backend services, the backend services would also require their own SSL/TLS certificate(See #4 of HTTP load balancing which HTTPS load balancing inherits). To make the backend certificates simpler to configure, you can use self-signed certificates, which do not interfere with any client <-> load balancer encryption as the client session is terminated at the LB.

You can of course use HTTP health checks (less configuring!) for your backend(s), this will not cause any client traffic encryption issues, as it only affects the health check and not the data being sent to your application.

-- TheRovinRogue
Source: StackOverflow