I have read a bunch of SO posts, articles and docs on GCP for this subject but I'm still confused, mainly because I'm not a DevOps person. I imagine using GCP's Console, I can click a few things, upload some certs and voilà!, my API is running on HTTPS.

This post made me understand a little more about Ingress, but I also read on articles that using ClusterIP is not good for security. So I'm looking to keep using the Load Balancer type while adding HTTPS support without going into a terminal. Is that possible?

EDIT 1:

I stumbled upon the Load Balancing product from GCP and started researching it. To my knowledge, this would conceptually be perfect but I can't quite get it working. My steps are:

  • Creating a Load Balancer
  • Creating a backend service for that LB that points to the Compute Engine VM that GKE is running on
  • Creating a frontend service that gave me a static IP address
  • Setting an A-record on my DNS provider for that IP address

But I still get the error "The server encountered a temporary error and could not complete your request" when trying to visit my domain name in the browser, which tells me that somehow my load balancer is probably working but it's connected to my docker application node in GKE.

Does anyone know how I can connect the Load Balancing product with HTTPS to GKE? Or my original question, how to get GKE using HTTPS at all?

EDIT 2: I ended up finding specific steps in the docs for setting up Ingress here (Step 2b). Setting it up worked but now I'm having trouble with unhealthy backend services.

EDIT 3: Per many discussions about UNHEALTHY backend services, I have tried to add a livenessProbe and readinessProbe to my deployment YAML file like so:

```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "4"
  creationTimestamp: 2019-06-13T00:46:01Z
  generation: 4
  labels:
    app: video-api-alpha
  name: video-api-alpha
  namespace: video-api
  resourceVersion: "926307"
  selfLink: /apis/extensions/v1beta1/namespaces/video-api/deployments/video-api-alpha
  uid: 9dd774ae-8d74-11e9-aec9-42010af0024b
spec:
  progressDeadlineSeconds: 2147483647
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: video-api-alpha
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: video-api-alpha
    spec:
      containers:
      - image: gcr.io/mc-service-video/service-video:alpha
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthcheck
            port: 8080
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: service-video-sha256
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthcheck
            port: 8080
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 3
  conditions:
  - lastTransitionTime: 2019-06-13T00:46:03Z
    lastUpdateTime: 2019-06-13T00:46:03Z
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  observedGeneration: 4
  readyReplicas: 3
  replicas: 3
  updatedReplicas: 3
```

But still no luck. Any ideas?

Martavis P.
  • Have you added a certificate to the load balancer? You need to do that to get HTTPS working - but I've found that pretty easy with [managed certificates](https://cloud.google.com/load-balancing/docs/ssl-certificates#managed-certs) - currently in beta. For nodatime.org, I'm just using an Ingress (effectively GCLB) connecting to services of type NodePort. – Jon Skeet Jun 13 '19 at 06:37
  • Yes I added the certificates. Also, I just found concrete steps in the docs that helped me create the Ingress here https://cloud.google.com/kubernetes-engine/docs/tutorials/configuring-domain-name-static-ip (Step 2b). Now I'm getting an error of unhealthy backend services. Trying to figure it out now. – Martavis P. Jun 13 '19 at 07:53
  • Is it possible that your service redirects from HTTP to HTTPS? If so, the HTTP health checks may be failing. I ran into that. You might find my blog post useful: https://codeblog.jonskeet.uk/2019/03/17/hosting-asp-net-core-behind-https-in-google-kubernetes-engine/ – Jon Skeet Jun 13 '19 at 09:16
  • How would I know that the service redirects? – Martavis P. Jun 14 '19 at 00:37
  • I'd expect that to be part of your application code. We don't know anything about what your service does. – Jon Skeet Jun 14 '19 at 06:21
  • @MartavisP. I'd like to reproduce your case. Can you share your service, ingress, ingress controller (if you use any) manifests for that. – A_Suh Jun 14 '19 at 10:26
  • @JonSkeet I didn't realize you meant the app. No, there is no redirecting. – Martavis P. Jun 14 '19 at 10:51
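
Added example, not part of the original post or comments: a load balancer health check sends a plain-HTTP GET and counts only a 200 as healthy, which is why the HTTP-to-HTTPS redirect raised in the comments would leave a backend UNHEALTHY. The sketch probes a path the way that check sees it; `probe`, `SampleApp`, `start_sample_backend` and `api.example.com` are names assumed for illustration, while `/healthcheck` and the 1-second timeout mirror the probes in the deployment above.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe(host, port, path="/healthcheck", timeout=1.0):
    """One plain-HTTP GET, redirects not followed; healthy only on 200."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        status, location = resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException) as exc:
        return {"healthy": False, "status": None, "reason": f"no response: {exc}"}
    finally:
        conn.close()
    if status == 200:
        return {"healthy": True, "status": status, "reason": "200 OK"}
    if 300 <= status < 400:
        return {"healthy": False, "status": status, "reason": f"redirects to {location}"}
    return {"healthy": False, "status": status, "reason": "non-200 response"}


class SampleApp(BaseHTTPRequestHandler):
    """Constructed backend: /healthcheck is 200, all else redirects to HTTPS."""
    def do_GET(self):
        healthy = self.path == "/healthcheck"
        self.send_response(200 if healthy else 301)
        if not healthy:
            self.send_header("Location", "https://api.example.com" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_sample_backend():
    # Bind port 0 so the OS picks a free localhost port for the demo.
    server = HTTPServer(("127.0.0.1", 0), SampleApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_sample_backend()
    for p in ("/healthcheck", "/"):
        print(p, probe("127.0.0.1", srv.server_port, p))
    srv.shutdown()
```

Pointing `probe` at a pod or node port reachable from your machine shows whether the path the health check requests answers 200 directly or answers with something else.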

1 Answer

If you are exposing an HTTP(S) service hosted on GKE, HTTP(S) load balancing is the recommended method for load balancing.

https://cloud.google.com/load-balancing/docs/https/

Kervin L