How do I configure the Google Computing Engine (GKE) L7 load balancer to serve HTTPS?
I have made HTTP work, but when I configure for TLS as described in the guide, it does not respond to HTTPS requests. Specifically, the spec.tls section should ensure that the load balancer makes use of HTTPS.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: l7-ingress
spec:
  tls:
    - secretName: web-secret
  backend:
    serviceName: web
    servicePort: 8080
✗ kubectl describe ing
Name:             l7-ingress
Namespace:        default
Address:          130.211.11.24
Default backend:  web:8080 (10.32.2.5:8080)
TLS:
  web-secret terminates
Rules:
  Host  Path  Backends
  ----  ----  --------
Annotations:
  target-proxy:     k8s-tp-default-l7-ingress
  url-map:          k8s-um-default-l7-ingress
  backends:         {"k8s-be-32051":"HEALTHY"}
  forwarding-rule:  k8s-fw-default-l7-ingress
No events.
✗ kubectl logs --namespace=kube-system l7-lb-controller-v0.6.0-fbj20 -c l7-lb-controller
I0420 13:46:15.089090 1 main.go:159] Starting GLBC image: glbc:0.6.0
I0420 13:46:16.149998 1 gce.go:245] Using existing Token Source &oauth2.reuseTokenSource{new:google.computeSource{account:""}, mu:sync.Mutex{state:0, sema:0x0}, t:(*oauth2.Token)(nil)}
I0420 13:46:16.150399 1 controller.go:190] Starting loadbalancer controller
I0420 14:37:02.033271 1 event.go:211] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"l7-ingress", UID:"585651e5-0705-11e6-88d0-42010af0005e", APIVersion:"extensions", ResourceVersion:"2367", FieldPath:""}): type: 'Normal' reason: 'ADD' default/l7-ingress
I0420 14:37:02.227796 1 instances.go:56] Creating instance group k8s-ig
I0420 14:37:06.166686 1 gce.go:1654] Adding port 32051 to instance group k8s-ig with 0 ports
I0420 14:37:06.834215 1 backends.go:116] Creating backend for instance group k8s-ig port 32051 named port &{port32051 32051 []}
I0420 14:37:07.036501 1 healthchecks.go:49] Creating health check k8s-be-32051
I0420 14:37:16.305240 1 gce.go:1654] Adding port 30007 to instance group k8s-ig with 1 ports
I0420 14:37:16.911701 1 backends.go:116] Creating backend for instance group k8s-ig port 30007 named port &{port30007 30007 []}
I0420 14:37:17.108589 1 healthchecks.go:49] Creating health check k8s-be-30007
I0420 14:37:25.213110 1 loadbalancers.go:128] Creating l7 default-l7-ingress
I0420 14:37:26.038349 1 loadbalancers.go:288] Creating url map k8s-um-default-l7-ingress for backend k8s-be-30007
I0420 14:37:30.305857 1 loadbalancers.go:304] Creating new http proxy for urlmap k8s-um-default-l7-ingress
I0420 14:37:34.643141 1 loadbalancers.go:397] Creating forwarding rule for proxy [k8s-tp-default-l7-ingress] and ip :80-80
I0420 14:37:43.301563 1 controller.go:325] Updating loadbalancer default/l7-ingress with IP 130.211.11.24
I0420 14:37:43.329469 1 event.go:211] Event(api.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"l7-ingress", UID:"585651e5-0705-11e6-88d0-42010af0005e", APIVersion:"extensions", ResourceVersion:"2367", FieldPath:""}): type: 'Normal' reason: 'CREATE' ip: 130.211.11.24
Due to a likely bug in Kubernetes, one must first delete the ingress and then re-create it (rather than doing kubectl replace as I did):
kubectl delete -f ingress.yaml
kubectl create -f ingress.yaml
This should work: http://blog.kubernetes.io/2016/03/Kubernetes-1.2-and-simplifying-advanced-networking-with-Ingress.html. Running kubectl describe on the ingress should show you what's been created, and kubectl logs on the ingress controller should show you what it's doing (the controller is running in the kube-system namespace). You need quota for static IPs, since you will be allocated one when you specify a secret.
Since there are a bunch of different failure modes, reply to this and I can help debug.
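An added example, not part of the question or the answers above: a small shell check that reads the controller log and reports which port ranges the load balancer's forwarding rules cover. On the log in the question it finds only 80-80, so no TLS listener was created. The function names, the HTTPS sample line and its proxy name are assumptions made for this illustration.

```shell
#!/bin/sh
# Two lines copied from the controller log posted in the question.
SAMPLE_LOG='I0420 14:37:30.305857 1 loadbalancers.go:304] Creating new http proxy for urlmap k8s-um-default-l7-ingress
I0420 14:37:34.643141 1 loadbalancers.go:397] Creating forwarding rule for proxy [k8s-tp-default-l7-ingress] and ip :80-80'

# Constructed line (assumption): same format as above, with a 443 rule and a
# placeholder proxy name. It is not output captured from a real controller.
CONSTRUCTED_HTTPS_LINE='I0420 15:00:00.000000 1 loadbalancers.go:397] Creating forwarding rule for proxy [example-https-proxy] and ip :443-443'

# Read a controller log on stdin and print "<proxy> <low-port> <high-port>"
# for every forwarding rule the controller reports creating.
forwarding_rules() {
  sed -n 's/.*Creating forwarding rule for proxy \[\([^]]*\)] and ip [^:]*:\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Read a controller log on stdin; succeed only if some forwarding rule
# covers the given port (default 443).
serves_port() {
  forwarding_rules | awk -v p="${1:-443}" '
    $2 <= p && p <= $3 { found = 1 }
    END { exit !found }'
}

# Real use, with the pod name taken from your own cluster:
#   kubectl logs --namespace=kube-system <controller-pod> -c l7-lb-controller | serves_port 443
if printf '%s\n' "$SAMPLE_LOG" | serves_port 443; then
  echo "a forwarding rule covers port 443"
else
  echo "no forwarding rule covers port 443; rules found:"
  printf '%s\n' "$SAMPLE_LOG" | forwarding_rules
fi
```
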