Starting with the last question first:

> Any ideas as to what I am doing wrong?

Yes - You're trying to do it all yourself instead of relying on the pieces that have already been built and tested :)

On Mon, Nov 6, 2017 at 9:49 AM, bg303 <griffin...@gmail.com> wrote:
> I recently tried to put SSL on a service by deploying an Ingress and a
> Ingress controller, but ultimately I do not think that is what I want.
>
> I think I just want to have a Google Cloud HTTPS Load Balancer and just
> declare a service like this:
>
> ---
> apiVersion: v1
> kind: Service
> metadata:
>   name: api
>   labels:
>     app: api
> spec:
>   type: LoadBalancer
>   loadBalancerIP: <Static IP in Google Cloud>
>   ports:
>   - port: 443
>     targetPort: 8090
>     protocol: TCP
>     name: https
>   selector:
>     app: api

This is not going to work the way you want. The `type: LoadBalancer` plus `loadBalancerIP` field is going to try to allocate a Google Network LB with that IP.

In general, Service == Network LB (L4) and Ingress == HTTP LB (L7). Network LB is VIP-like. HTTP LB is Proxy-like.

> Here are the steps I went through to try to achieve this:
>
> 1. Upload my SSL cert
> gcloud compute ssl-certificates create star --certificate my.crt
> --private-key my.key
>
> 2. Create a static IP address
>
> 3. Create a Load Balancer
> I created an HTTPS load balancer with a backend pointing to my cluster on
> port 8090. I created a frontend using my static IP address, port 443, using
> my cert.

If you really want to do this manually, set the Service to `type=NodePort` and aim your HTTP LB at the NodePort. But you get to maintain the IGs that back it, and we can't make any guarantees about that working over time - you're going to end up manipulating managed GCP resources in ways we can't predict or understand.

This is, more or less, EXACTLY what the Google LB controller is doing for you, when you make an Ingress, except that is code that we maintain and test, so we know it works.

Tim

> 4. Assign my Service's loadBalancerIP to that of my static IP.
>
> When I run `kubectl get services` I'm shown:
>
> NAME   CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
> api    10.21.25.24   <pending>     443:32606/TCP   43m
>
>
> When I load https://mysite.com (pointing to my static IP), I get this in the
> browser:
>
> Error: Server Error
>
> The server encountered a temporary error and could not complete your request.
> Please try again in 30 seconds.
>
> when I run `gcloud compute forwarding-rules list` I get this:
>
> NAME    REGION  IP_ADDRESS   IP_PROTOCOL  TARGET
> api-fe          <static IP>  TCP          api-lb-target-proxy
>
>
> Any ideas as to what I am doing wrong? I cannot tell if my error is my
> Kubernetes architecture or in the way I provisioned by Google Cloud
> LoadBalancer.
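
The Ingress route recommended in the reply above, written out as an added example that is not part of the original thread: a NodePort Service plus an Ingress that lets the Google LB controller build the HTTPS load balancer and terminate TLS with the certificate uploaded in step 1. It assumes GKE with its built-in GCE Ingress controller and the current `networking.k8s.io/v1` API (newer than the 2017 thread); the static IP name `api-static-ip` is hypothetical and must refer to a reserved global address.

```yaml
# Added example, not from the thread.
apiVersion: v1
kind: Service
metadata:
  name: api
  labels:
    app: api
spec:
  # NodePort instead of LoadBalancer: no L4 Network LB is allocated,
  # and loadBalancerIP is dropped because the Ingress owns the public IP.
  type: NodePort
  ports:
  - name: http
    port: 8090
    targetPort: 8090
    protocol: TCP
  selector:
    app: api
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  annotations:
    kubernetes.io/ingress.class: "gce"
    # Hypothetical name of the reserved global static IP (step 2).
    kubernetes.io/ingress.global-static-ip-name: "api-static-ip"
    # Name given to `gcloud compute ssl-certificates create` in step 1.
    ingress.gcp.kubernetes.io/pre-shared-cert: "star"
    # Serve HTTPS only; do not create a port-80 forwarding rule.
    kubernetes.io/ingress.allow-http: "false"
spec:
  # TLS terminates at the L7 load balancer; traffic from the LB to the
  # pods on 8090 is plain HTTP, matching the 443 -> 8090 setup in the question.
  defaultBackend:
    service:
      name: api
      port:
        number: 8090
```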