Following this blog post I created a GKE Kubernetes cluster.
Afterwards I deployed Keycloak instances, and if I use a load balancer:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: load-balancer
  name: load-balancer
  namespace: keycloak
spec:
  type: LoadBalancer
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
    name: keycloak
  selector:
    app: keycloak
I can reach Keycloak.
After that, following the Google documentation, I created an Ingress for accessing Keycloak over HTTPS:
managed-certificate.yaml
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: managed-cert
  namespace: keycloak
spec:
  domains:
  - mydomain.com
  - www.mydomain.com
keycloak-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
  namespace: keycloak
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
spec:
  selector:
    app: keycloak
  type: NodePort
  ports:
  - protocol: TCP
    port: 443
    targetPort: 8443
  externalTrafficPolicy: Cluster
ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: managed-cert-ingress
  namespace: keycloak
  annotations:
    kubernetes.io/ingress.global-static-ip-name: keycloak
    networking.gke.io/managed-certificates: managed-cert
    kubernetes.io/ingress.class: "gce"
spec:
  defaultBackend:
    service:
      name: keycloak-service
      port:
        number: 443
I added liveness and readiness probes to the deployment definition of Keycloak too.
But with this configuration GKE says that the backend instances are unhealthy, even though they are healthy and running.
I've read in some related questions on StackOverflow that it is an issue with NEG. Should I add firewall rules for NEG and Ingress? If that is the point, what could the rules be?
EDIT: keycloak-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak-deployment
  namespace: keycloak
  labels:
    app: keycloak
spec:
  replicas: 2
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        # Unpinned tag: pin a version (or a digest) so upgrades are deliberate and reviewable.
        image: quay.io/keycloak/keycloak:latest
        env:
        - name: DB_VENDOR
          value: "POSTGRES"
        - name: DB_ADDR
          value: "postgres"
        - name: DB_DATABASE
          value: "keycloak"
        - name: DB_USER
          value: "keycloak"
        - name: DB_SCHEMA
          value: "public"
        # Literal credentials in a manifest end up in version control and in
        # `kubectl get deploy -o yaml`; a Secret referenced via valueFrom.secretKeyRef
        # is the usual replacement for these two values.
        - name: DB_PASSWORD
          value: "password"
        - name: KEYCLOAK_USER
          value: "admin"
        - name: KEYCLOAK_PASSWORD
          value: "password"
        - name: KEYCLOAK_STATISTICS
          value: all
        - name: JDBC_PARAMS
          value: "useSSL=false"
        - name: JGROUPS_DISCOVERY_PROTOCOL
          value: "JDBC_PING"
        - name: JGROUPS_DISCOVERY_PROPERTIES
          value: 'datasource_jndi_name=java:jboss/datasources/KeycloakDS,info_writer_sleep_time=500,initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created timestamp default current_timestamp, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"'
        resources:
          limits:
            memory: 512Mi
            cpu: "1"
          requests:
            memory: 256Mi
            cpu: "0.2"
        # All three probes target the management port (9990), not 8443,
        # which is the port keycloak-service forwards traffic to.
        startupProbe:
          httpGet:
            path: /health
            port: 9990
          initialDelaySeconds: 120
          failureThreshold: 30
          periodSeconds: 10
        livenessProbe:
          httpGet:
            path: /health
            port: 9990
          initialDelaySeconds: 0
          periodSeconds: 10
          timeoutSeconds: 1
          failureThreshold: 3
        readinessProbe:
          httpGet:
            path: /health
            port: 9990
          successThreshold: 3
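As an added example, not part of the question above and not Google's or Keycloak's own code: a BackendConfig that tells the GCE load balancer explicitly how to health-check the Keycloak pods, plus the Service annotations that wire it in. It reuses the namespace, labels and ports from the question's manifests; the name `keycloak-backendconfig` and the Service port name `https` are my assumptions. The reason an explicit check matters: the NEG health check is performed by the load balancer, not by kubelet, so the Pod probes passing says nothing about it. With no BackendConfig and no `app-protocols` annotation, GKE falls back to a plaintext HTTP check against the serving port, which here is 8443, Keycloak's TLS listener, so the check can never see a 200 and every endpoint stays UNHEALTHY. Pointing the check at the same `/health` on 9990 that the Pod probes already use removes the guesswork.

```yaml
# Added example (not from the question). Assumed names: keycloak-backendconfig, port name "https".
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: keycloak-backendconfig
  namespace: keycloak
spec:
  healthCheck:
    # Probe the same endpoint kubelet already uses for the Pod probes:
    # plain HTTP on the management port, not the HTTPS listener on 8443.
    # With container-native (NEG) load balancing this is the Pod port.
    type: HTTP
    port: 9990
    requestPath: /health
    checkIntervalSec: 10
    timeoutSec: 5
    healthyThreshold: 1
    unhealthyThreshold: 3
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
  namespace: keycloak
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
    # Attach the BackendConfig above to every port of this Service.
    cloud.google.com/backend-config: '{"default": "keycloak-backendconfig"}'
    # Keyed by the Service port *name*: make the load balancer speak TLS
    # to the Pods on 8443 instead of sending plaintext HTTP to a TLS port.
    cloud.google.com/app-protocols: '{"https": "HTTPS"}'
spec:
  selector:
    app: keycloak
  type: NodePort
  ports:
  - name: https
    protocol: TCP
    port: 443
    targetPort: 8443
  externalTrafficPolicy: Cluster
```

After `kubectl apply`, the per-backend state is visible in the `ingress.kubernetes.io/backends` annotation of `kubectl get ingress managed-cert-ingress -n keycloak -o yaml`; it should move from UNHEALTHY to HEALTHY within a few check intervals. On the firewall question: Google's health checkers originate from 130.211.0.0/22 and 35.191.0.0/16 and must be able to reach the nodes on the check port. GKE normally creates that rule itself; if the project's VPC shows no rule allowing those ranges, one can be created with `gcloud compute firewall-rules create allow-gclb-health-checks --network=<vpc> --direction=INGRESS --source-ranges=130.211.0.0/22,35.191.0.0/16 --target-tags=<node-tag> --allow=tcp:9990,tcp:8443` (network and node tag are placeholders). Two caveats worth knowing: the ManagedCertificate only covers the client-to-load-balancer leg, and on the HTTPS backend leg the Google load balancer does not validate the Pod's certificate, so Keycloak's default self-signed cert on 8443 is accepted and the backend is encrypted but not authenticated; the trust boundary there is the VPC, not TLS.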