New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

No frontend configured on load balancer #2

Open
rsouthgate opened this Issue Oct 1, 2018 · 8 comments

Comments

Projects
None yet
5 participants
@rsouthgate
Copy link

rsouthgate commented Oct 1, 2018

Pretty excited to see this out there so maybe I jumped the gun a bit but I can't get it to work with my cluster.

Upgraded cluster master to 1.10.7-gke.2, waited for that to propagate to all pods. Created Custom Resource Definition and Controller (removed the serviceAccountName: test-account line within the controller so it should just use default account).

Created the object:

apiVersion: gke.googleapis.com/v1alpha1
kind: ManagedCertificate
metadata:
  name: api-test-certificate
spec:
  domains:
    - apitest.mydomain.co

Edited my Ingress, deleted and created, so now based on this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: api-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: api-test-load-balancer
    kubernetes.io/ingress.allow-http: "false"      
    gke.googleapis.com/managed-certificates: api-test-certificate
spec:
  rules:
  ...

Result: LB gets created, but within GCP Dashboard I see the message 'This load balancer has no frontend configured.'

Within the K8s engine under the api-ingress details it seems stuck at 'creating ingress'.

I'm probably missing something critical!

@krzykwas

This comment has been minimized.

Copy link
Member

krzykwas commented Oct 10, 2018

Hi! This is actually still a work in progress, we are still before alpha release. Currently managed certificates will not work until my pull request to ingress-gce gets accepted.

The yaml files in the deploy directory are used for setting up environment for e2e tests and this setup works correctly. Are you sure the Ingress error isn't transient?

@michael34435

This comment has been minimized.

Copy link

michael34435 commented Oct 11, 2018

@krzykwas Hi, does it mean gke-managed-certs won't work on current GKE? I had tried it with GKE 1.10.7-gke.2 but LoadBalancer didn't allow me to use HTTP(S) protocol.

Thanks in advance.

@krzykwas

This comment has been minimized.

Copy link
Member

krzykwas commented Oct 12, 2018

@michael34435 gke-managed-certs won't work with current GKE, because Ingress in current GKE lacks support for ManagedCertificate CR. The pull request mentioned above needs to be merged first.

Despite the name, gke-managed-certs will work in any k8s cluster using GCLB, it's not limited to GKE clusters, however the pull request to Ingress is required anyway.

@michael34435

This comment has been minimized.

Copy link

michael34435 commented Oct 12, 2018

Ok, I got it.
Thank you for your explanation

@fmacelw

This comment has been minimized.

Copy link

fmacelw commented Oct 31, 2018

@krzykwas I'm pretty excited about this project as well! Great work! your PR kubernetes/ingress-gce#508 seems to have been approved and merged now - how long should we wait until it will be rolled out into the GCP / GKE infra? And do we need ingress / load balancers to be recreated? I think it would beneficial if you state more clearly in the README the current project status and its dependencies to work properly to ensure people have the right expectations - this project would be a huge time saver going forward, but I'm concerned early adopters may decide not to use it or leave bad reviews just because have the wrong expectations (e..g to be 100% working now)

@michael34435

This comment has been minimized.

Copy link

michael34435 commented Nov 7, 2018

Hi, @fmacelw According to the release notes provided by ingress-gce, I guess we'll see it in the next GKE version

@krzykwas

This comment has been minimized.

Copy link
Member

krzykwas commented Nov 8, 2018

Sorry for a delayed response.

Managed certificates should already work with Ingress v1.4.0 in GCP, you need to just switch a feature flag to enable them.

Once managed certificates are available in GKE, it will be announced through official GKE channels. I'd like not to announce the GKE part here. The GKE release, once it happens, will be in alpha clusters, as this is an alpha feature.

There may be some incompatibility issues I'm not aware of, but it seems to me that it should not be required to recreate Ingress objects.

This is an alpha version. Enabling managed certificates will cause a downtime, because there is yet no support for no-downtime migration from other types of certificates supported by Ingress (pre-shared-cert/k8s secrets). It means that until a managed certificate is provisioned, HTTPS will be down.

@bluecmd

This comment has been minimized.

Copy link

bluecmd commented Dec 9, 2018

I was very excited when I found this repository - and it seems like the managed certificate is created but is stuck in FAILED_NOT_VISIBLE due to not being added to the GCLB. I guess this is because this controller is not ready? I didn't find any references in the code to mutating the ingress to actually use the SSL certificate created, but I'm probably missing something.

Maybe a note could be added to the README specifying that this does not work yet without using GKE version TBD, etc?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment