1

I know that Ingress requires a service in a healthy state in order to serve its contents through HTTP(S), and to do so I configured a ReadinessProbe on my workload deployment:

        readinessProbe:
          failureThreshold: 10
          httpGet:
            path: /api/healthz
            port: 4400
            scheme: HTTPS
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 20

Essentially, I have a webserver that serves HTTPS requests on port 4400 and I configured a healthz resource to return an HTTP 200 response. My webserver is listening for incoming connections on ports:

  • HTTP -> 4300
  • HTTPS -> 4400

Now, in order to access those ports I have a GKE Service (myService) that targets the webserver and in particular:

  ports:
  - name: port-1
    nodePort: 31277
    port: 80
    protocol: TCP
    targetPort: 4300
  - name: port-2
    nodePort: 32167
    port: 443
    protocol: TCP
    targetPort: 4400

Now, if I create a new Ingress service (myIngress) related to myService GCP gives me back this Kubernetes configuration:

spec:
  backend:
    serviceName: my-service
    servicePort: port-2
  rules:
  - host: test-domain-name-here.net
    http:
      paths:
      - backend:
          serviceName: my-service
          servicePort: port-2
  tls:
  - secretName: letsencrypt-custom-cert

As you can see here it's targeting the servicePort port-2:


GKE created (automatically) a new backend service for this ingress configuration named k8s-be-32167--XXXX, which targets the port-2 32167, and most importantly a Default kubernetes L7 Loadbalancing health check that should monitor the health status - the readiness - of the service.

The problem is that this health check should test the port 32167 using HTTPS and not HTTP and whenever I try to set this health check for HTTPS after a couple of minutes GCP resets everything to its defaults which is utterly annoying!!!

sentenza
  • On HTTP->HTTPS traffic redirection: https://stackoverflow.com/q/49667738/1977778, https://stackoverflow.com/a/37126128/1977778, https://blog.realkinetic.com/http-to-https-using-google-cloud-load-balancer-dda57ac97c – sentenza Aug 20 '19 at 09:27

1 Answer

2

Currently target pools only allow HTTP health checks, and the legacy style at that. You can take a look at this documentation, which shows the health check concepts and protocols allowed.

Also, I found this issue tracker where you can follow up and put your comments to know when HTTPS is going to be allowed / supported for health checks.

  • Thank you @Augustin. In the end I configured Ingress to target primarily HTTP (port 80), and the health check created by GCP is now checking my WS through HTTP. It's also serving HTTPS correctly, but in my opinion this approach is very confusing for the end users. For instance, the health check configuration UI lets you choose between HTTPS and HTTP. They should, at the very least, add a warning explaining that this is not going to work. – sentenza Aug 20 '19 at 08:47
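
The port chain discussed in this thread, traced in code. This is an added example, not part of the original posts: the dicts are transcribed from the question's manifests, the function names are hypothetical, and it assumes the load balancer's health check stays on HTTP as described above.

```python
# Added example: values transcribed from the question's manifests.
PROBE = {"path": "/api/healthz", "port": 4400, "scheme": "HTTPS"}
SERVICE_PORTS = [
    {"name": "port-1", "nodePort": 31277, "port": 80, "targetPort": 4300},
    {"name": "port-2", "nodePort": 32167, "port": 443, "targetPort": 4400},
]
LISTENERS = {4300: "HTTP", 4400: "HTTPS"}  # web server listeners per the question
LB_CHECK_SCHEME = "HTTP"  # assumption: the LB-created health check stays on HTTP


def resolve_service_port(service_ports, ref):
    """Map an Ingress servicePort (port name or number) to its Service entry."""
    for entry in service_ports:
        if ref in (entry["name"], entry["port"]):
            return entry
    raise KeyError(f"Service has no port matching {ref!r}")


def check_backend(ref, service_ports=SERVICE_PORTS, listeners=LISTENERS,
                  probe=PROBE, lb_scheme=LB_CHECK_SCHEME):
    """Trace Ingress backend -> nodePort -> targetPort and report mismatches."""
    entry = resolve_service_port(service_ports, ref)
    target = entry["targetPort"]
    findings = []
    listener = listeners.get(target)
    if listener is None:
        findings.append(f"no known listener on targetPort {target}")
    elif listener != lb_scheme:
        # The LB probe and the listener disagree on the protocol.
        findings.append(
            f"LB checks nodePort {entry['nodePort']} over {lb_scheme}, "
            f"but targetPort {target} speaks {listener}")
    if probe["port"] != target:
        # kubelet readiness and LB health then exercise different listeners.
        findings.append(
            f"readinessProbe tests port {probe['port']}, "
            f"not the port {target} the LB health check reaches")
    return {"nodePort": entry["nodePort"], "targetPort": target,
            "findings": findings}


if __name__ == "__main__":
    for ref in ("port-2", "port-1"):
        print(ref, check_backend(ref))
```

With `port-2` the report shows the protocol mismatch from the question; with `port-1` (the workaround in the comment) the mismatch disappears, but the readiness probe and the load balancer's health check now test different listeners.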