0

I have a GCP Internal private IP GKE cluster that has multiple services that we support. I am attempting to set up an ingress to support these multiple services over TLS. This is based on the following GCP documentation located here https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balance-ingress and here https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl

Here is my example ingress:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  namespace: myns
  annotations:
    #kubernetes.io/ingress.class: nginx
    kubernetes.io/ingress.class: "gce-internal" # Sets for internal IP's
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
    - secretName: service1-api.us.corp
    - secretName: service2-api.us.corp
  rules:
    - host: service1-api.us.corp
      http:
        paths:
        - backend:
            serviceName: service1-api-service
            servicePort: 443
    - host: service2-api.us.corp
      http:
        paths:
        - backend:
            serviceName: service2-api-service
            servicePort: 443

Here is an example of one of the services:

apiVersion: v1
kind: Service
metadata:
  name: service1-api-service
  namespace: myns
  annotations:
    #cloud.google.com/load-balancer-type: "Internal"
    cloud.google.com/neg: '{"ingress": true}'
  labels:
    app-name: service1-api
spec:
  #type: LoadBalancer
  #loadBalancerIP: 172.28.11.140
  selector:
    app-type: restful-api
    app-name: service1-api
  ports:
    - protocol: TCP
      name: https
      port: 443
      targetPort: 80
  type: NodePort
  #type: ClusterIP

I have gone through the process of setting up TLS certs inside of secrets. However, when deploying the ingress, I get the following error:

Error during sync: error running load balancer syncing routine: loadbalancer xxxxxxxx-myns-my-ingress-xxxxxxxx does not exist: googleapi: Error 400: Invalid value for field 'resource.target': 'https://www.googleapis.com/compute/beta/projects/myproject/regions/us-east4/targetHttpsProxies/k8s2-ts-xxxxxxxx-myns-my-ingress-xxxxxxxx'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule., invalid

Based on the documentation, since the load balancer is auto-generated, I am at a loss on how to correct this issue.

thxmike
  • _"A reserved and active subnetwork is required in the same region and VPC as the forwarding rule., invalid"_ - Is this the end of the error message? – mario Oct 05 '20 at 21:09
  • @mario, to answer your question: yes, it is the end of the message. – thxmike Oct 08 '20 at 02:38

2 Answers

3

The Troubleshooting section mentions this:

Verifying that proxy-only subnet is created before creating Ingress so as to avoid any sync errors while deploying Ingress.

After I created the proxy-only subnet, as described here, everything started to work.

jtyr
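
Added example (not part of the original answer or of Google's documentation): a pre-flight check for the fix described above, confirming that an ACTIVE proxy-only subnet exists in the same region and VPC before the Ingress is applied. The region us-east4 comes from the error in the question; the network name my-vpc, the subnet name proxy-only-subnet, the range 10.129.0.0/23 and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads a subnet listing on stdin, one subnet per line:
#   name,network,region,purpose,role
# which can be produced with:
#   gcloud compute networks subnets list \
#     --format="csv[no-heading](name,network.basename(),region.basename(),purpose,role)"

# Constructed sample: a node subnet, a proxy-only subnet in another region,
# and a proxy-only subnet in the right region that is only BACKUP.
SAMPLE_SUBNETS='gke-nodes,my-vpc,us-east4,PRIVATE,
proxy-only-central,my-vpc,us-central1,INTERNAL_HTTPS_LOAD_BALANCER,ACTIVE
proxy-only-backup,my-vpc,us-east4,INTERNAL_HTTPS_LOAD_BALANCER,BACKUP'

# has_proxy_only_subnet NETWORK REGION
# Prints the name of an ACTIVE proxy-only subnet in that VPC and region and
# returns 0; returns 1 when there is none.
has_proxy_only_subnet() {
  awk -F, -v net="$1" -v region="$2" '
    $2 == net && $3 == region && $5 == "ACTIVE" &&
    ($4 == "INTERNAL_HTTPS_LOAD_BALANCER" || $4 == "REGIONAL_MANAGED_PROXY") {
      print $1; found = 1; exit
    }
    END { exit !found }
  '
}

# preflight NETWORK REGION RANGE
# Run before applying the Ingress. On failure prints the create command
# (subnet name and RANGE are placeholders chosen for this example).
preflight() {
  if name=$(has_proxy_only_subnet "$1" "$2"); then
    echo "OK: proxy-only subnet $name is ACTIVE in $2 on network $1"
  else
    echo "No ACTIVE proxy-only subnet in $2 on network $1; create one:" >&2
    echo "gcloud compute networks subnets create proxy-only-subnet" \
         "--purpose=INTERNAL_HTTPS_LOAD_BALANCER --role=ACTIVE" \
         "--region=$2 --network=$1 --range=$3"
    return 1
  fi
}

# Demo on the constructed listing: us-east4 has only a BACKUP subnet, so this fails.
printf '%s\n' "$SAMPLE_SUBNETS" | preflight my-vpc us-east4 10.129.0.0/23 || true
```

The sample shows the two cases that still produce the sync error: a proxy-only subnet that exists only in another region, and one in the right region whose role is BACKUP rather than ACTIVE.
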
0

I have the same problem even when using ingress.gcp.kubernetes.io/pre-shared-cert. I can see the targetHttpsProxies:

$ gcloud compute target-https-proxies list

but describe fails:

$ gcloud compute target-https-proxies describe k8s2-ts-xxxxxxxx-myns-myingress-xxxxxxxx
ERROR: (gcloud.compute.target-https-proxies.describe) Could not fetch resource:
 - The resource 'projects/myproject/global/targetHttpsProxies/k8s2-ts-xxxxxxxx-myns-myingress-xxxxxxxx' was not found

That's probably the reason why it all fails.

jtyr