On Monday, November 6, 2017 at 2:46:08 PM UTC-5, Tim Hockin wrote:
> Starting with the last question first:
>
> > Any ideas as to what I am doing wrong?
>
> Yes - You're trying to do it all yourself instead of relying on the
> pieces that have already been built and tested :)
>
> On Mon, Nov 6, 2017 at 9:49 AM, bg303 wrote:
> > I recently tried to put SSL on a service by deploying an Ingress and an
> > Ingress controller, but ultimately I do not think that is what I want.
> >
> > I think I just want to have a Google Cloud HTTPS Load Balancer and just
> > declare a service like this:
> >
> > ---
> > apiVersion: v1
> > kind: Service
> > metadata:
> >   name: api
> >   labels:
> >     app: api
> > spec:
> >   type: LoadBalancer
> >   loadBalancerIP: <Static IP in Google Cloud>
> >   ports:
> >   - port: 443
> >     targetPort: 8090
> >     protocol: TCP
> >     name: https
> >   selector:
> >     app: api
>
> This is not going to work the way you want. The `type: LoadBalancer`
> plus `loadBalancerIP` field is going to try to allocate a Google
> Network LB with that IP. In general, Service == Network LB (L4) and
> Ingress == HTTP LB (L7).
>
> Network LB is VIP-like. HTTP LB is Proxy-like.
>
> > Here are the steps I went through to try to achieve this:
> >
> > 1. Upload my SSL cert
> > gcloud compute ssl-certificates create star --certificate my.crt --private-key my.key
> >
> > 2. Create a static IP address
> >
> > 3. Create a Load Balancer
> > I created an HTTPS load balancer with a backend pointing to my cluster on
> > port 8090. I created a frontend using my static IP address, port 443, using
> > my cert.
>
> If you really want to do this manually, set the Service to
> `type=NodePort` and aim your HTTP LB at the NodePort. But you get to
> maintain the IGs that back it, and we can't make any guarantees about
> that working over time - you're going to end up manipulating managed
> GCP resources in ways we can't predict or understand.
>
> This is, more or less, EXACTLY what the Google LB controller is doing
> for you, when you make an Ingress, except that is code that we
> maintain and test, so we know it works.
>
> Tim
>
> > 4. Assign my Service's loadBalancerIP to that of my static IP.
> >
> > When I run `kubectl get services` I'm shown:
> >
> > NAME  CLUSTER-IP   EXTERNAL-IP  PORT(S)        AGE
> > api   10.21.25.24  <pending>    443:32606/TCP  43m
> >
> > When I load https://mysite.com (pointing to my static IP), I get this in
> > the browser:
> >
> > Error: Server Error
> >
> > The server encountered a temporary error and could not complete your
> > request.
> > Please try again in 30 seconds.
> >
> > when I run `gcloud compute forwarding-rules list` I get this:
> >
> > NAME    REGION  IP_ADDRESS   IP_PROTOCOL  TARGET
> > api-fe          <static IP>  TCP          api-lb-target-proxy
> >
> > Any ideas as to what I am doing wrong? I cannot tell if my error is my
> > Kubernetes architecture or in the way I provisioned by Google Cloud
> > LoadBalancer.

Thanks, Tim. I had issues with the ingress so I figured my goal was to remove that dependency from the infrastructure. I'll post another question about the specific issues I had with my Ingress.