I am using GKE Identity-aware proxy > L7 load balancer > Custom host and path rules. It works fine for the root-path. But it does not work for custom paths.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-static-ip"
spec:
  rules:
  - host: my.custom.org
    http:
      paths:
      - path: /v1/*
        backend:
          serviceName: webv1
          servicePort: 8080
      - path: /v3/*
        backend:
          serviceName: webv3
          servicePort: 8080
      - path: /nginx/*
        backend:
          serviceName: nginx
          servicePort: 80
      - path: /*
        backend:
          serviceName: nginx
          servicePort: 80

Paths / and /nginx/ work fine. /v2/ and /v3/ throw "There was a problem with your request. Error code 11."

If I disable the IAP, everything works fine.

Environment:

  • Kubernetes version (use kubectl version): 1.12.7-gke.17

  • Cloud provider or hardware configuration: GKE

Setting up HTTP Load Balancing with Ingress @ https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer

Enabling Cloud IAP for GKE @ https://cloud.google.com/iap/docs/enabling-kubernetes-howto

Saad Bin Shahid

1 Answer

This error code 11 is related to a misconfiguration of the OAuth client ID.

I see that the failing ones are using a different servicePort. If you are serving the following 2 URLs from two different backends, both may have IAP enabled but configured with different clientIds.

As of now, GCP does not support different clientIds for different paths, and the effort for IAP to use a single clientId across b/e services is underway. For now, if you can verify the clientId, and change it to a single one if they are different, that would work.

The recommended approach would be setting up an NGINX proxy. The ingress + IAP only have one service to deal with instead of two, and it will work like a charm.


Lozano
  • Thanks Lozano! Can you please tell me if support for different clientIds for different paths is coming anytime soon? Or can you give any ETA at all? – Saad Bin Shahid May 29 '19 at 15:47
  • I've created a public feature request with your feedback to give more attention to this matter. Feel free to add any information and click on the star to receive news about it. Unfortunately there is no ETA. Here is the link: https://issuetracker.google.com/134037406 – Lozano May 30 '19 at 09:29
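
One way to verify the clientId check the answer recommends, as an added example that is not part of the original question or answer: it maps each Ingress path to the OAuth client ID its backend uses and reports whether they differ. It assumes IAP is configured through BackendConfig resources whose Secret holds a `client_id` key, and that the inputs are parsed `kubectl get ... -o json` objects keyed by name; the function names, BackendConfig and Secret names, and client IDs below are constructed for illustration.

```python
import base64
import json

# Service annotations that point a Service at a BackendConfig (GA and beta names).
ANNOTATIONS = ("cloud.google.com/backend-config", "beta.cloud.google.com/backend-config")

def backend_config_name(service, port):
    """Resolve the BackendConfig a Service port refers to, or None if unset."""
    meta = service["metadata"].get("annotations", {})
    raw = next((meta[a] for a in ANNOTATIONS if a in meta), None)
    if raw is None:
        return None
    mapping = json.loads(raw)
    return mapping.get("ports", {}).get(str(port), mapping.get("default"))

def iap_client_ids(ingress, services, backend_configs, secrets):
    """Map host+path to the OAuth client ID of its backend (None = IAP off)."""
    result = {}
    for rule in ingress["spec"]["rules"]:
        for p in rule["http"]["paths"]:
            be = p["backend"]
            cfg = backend_config_name(services[be["serviceName"]], be["servicePort"])
            iap = backend_configs.get(cfg, {}).get("spec", {}).get("iap", {})
            client_id = None
            if iap.get("enabled"):
                secret = secrets[iap["oauthclientCredentials"]["secretName"]]
                client_id = base64.b64decode(secret["data"]["client_id"]).decode()
            result[rule.get("host", "*") + p["path"]] = client_id
    return result

def has_mismatch(path_ids):
    """True when the IAP-enabled paths do not all share one client ID."""
    return len({c for c in path_ids.values() if c}) > 1

# --- Constructed sample objects (not taken from a real cluster) ---
def _b64(s):
    return base64.b64encode(s.encode()).decode()

def _svc(cfg):
    return {"metadata": {"annotations": {ANNOTATIONS[1]: json.dumps({"default": cfg})}}}

SAMPLE_INGRESS = {"spec": {"rules": [{"host": "my.custom.org", "http": {"paths": [
    {"path": "/v3/*", "backend": {"serviceName": "webv3", "servicePort": 8080}},
    {"path": "/*", "backend": {"serviceName": "nginx", "servicePort": 80}}]}}]}}
SAMPLE_SERVICES = {"webv3": _svc("cfg-web"), "nginx": _svc("cfg-nginx")}
SAMPLE_CONFIGS = {c: {"spec": {"iap": {"enabled": True,
                  "oauthclientCredentials": {"secretName": s}}}}
                  for c, s in (("cfg-web", "oauth-web"), ("cfg-nginx", "oauth-nginx"))}
SAMPLE_SECRETS = {"oauth-web": {"data": {"client_id": _b64("CLIENT_ID_A")}},
                  "oauth-nginx": {"data": {"client_id": _b64("CLIENT_ID_B")}}}
```

Pointing both BackendConfigs at the same Secret makes `has_mismatch` return False, which is the single-clientId state the answer says works.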