Enable HTTPS on GCE/GKE

Question

I am running web site with Kubernetes on Google Cloud. At the moment, everything is working well - through http. But I need https. I have several services and one of them is exposed to the outside world, let's call it web. As far as I know, this is the only service that needs to be modified. I tried to creating a static IP and TCP/SSL loadbalancer ssl-LB in the Networking section of GCP and using that LB in web.yaml, which I create. Creating the service gets stuck with:

Error creating load balancer (will retry): Failed to create load 
balancer for service default/web: requested ip <IP> is 
neither static nor assigned to LB
aff3a4e1f487f11e787cc42010a84016(default/web): <nil>

According to GCP my IP is static, however. The hashed LB I cannot find anywhere and it should be assigned to ssl-LB anyway. How do I assign this properly?

More details:

Here are the contents of web.yaml

apiVersion: v1
kind: Service
metadata:
name: web
labels:
  ...
spec:
  type: LoadBalancer
  loadBalancerIP: <RESERVED STATIC IP> 
ports:
- port: 443
  targetPort: 7770
selector:
  ...
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  template:
    metadata:
      labels:
        ...
  spec:
    containers:
    - name: web
      image: gcr.io/<PROJECT>/<IMAGE NAME>
      ports:
      - containerPort: 7770

Answer 1

Since you have not mentioned this already, I'm just assuming you're using Google Container Engine (GKE) for your Kubernetes setup.

In the service resource manifest, if you set the Type to LoadBalancer, Kubernetes on GKE automatically sets up Network load balancing (L4 Load balancer) using GCE. You will have to terminate connections in your pod using your own custom server or something like nginx/apache.

If your goal is to set up a (HTTP/HTTPS) L7 load balancer (which looks to be the case), it will be simpler and easier to use the Ingress resource in Kubernetes (starting with v1.1). GKE automatically sets up a GCE HTTP/HTTPS L7 load balancing with this setup.

You will be able to add your TLS certificates which will get provisioned on the GCE load balancer automatically by GKE.

This setup has the following advantages:

1. Specify services per URL path and port (it uses URL Maps from GCE to configure this).
2. Set up and terminate SSL/TLS on the GCE load balancer (it uses Target proxies from GCE to configure this).
3. GKE will automatically also configure the GCE health checks for your services.

Your responsibility will be to handle the backend service logic to handle requests in your pods.

More info available on the GKE page about setting up HTTP load balancing.

Remember that when using GKE, it automatically uses the available GCE load balancer support for both the use cases described above and you will not need to manually set up GCE load balancing.