7

I'm new to GKE and am trying to create a new cluster for RASA. I'm trying to create an Ingress with HTTPS that points to a load balancer in this cluster, but I'm unable to select the option Create Google-managed certificate from the list. It seems to be disabled in this cluster. How do I enable this?

The help shows:

To create Google-managed certificates, your cluster needs to have ManagedCertificate Custom Resource Definition present.


Wytrzymały Wiktor
PRAJIN PRAKASH
  • Did you follow this [documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs)? – guillaume blaquiere Jul 30 '20 at 19:24
  • @guillaumeblaquiere Yes, I tried that way. In that we need to create the YAML manually, but the GUI way is much better for me. (It previously worked for me once, but I don't know how it was enabled.) – PRAJIN PRAKASH Jul 31 '20 at 06:38
  • How do I add the ManagedCertificate Custom Resource Definition? – PRAJIN PRAKASH Jul 31 '20 at 08:29
  • Ok, you want to add it by GUI, right? Not by using kubectl CLI, don't you? – guillaume blaquiere Jul 31 '20 at 11:23
  • Currently I have added the certificate as in the documentation, but I'm not sure how to enable this option. – PRAJIN PRAKASH Jul 31 '20 at 11:58
  • Please provide information on how you created this cluster and what configuration you applied. Also your Ingress YAML configuration. – PjoterS Jul 31 '20 at 12:01
  • I am trying to build RASA-X using https://github.com/rasahq/rasa-x-helm – PRAJIN PRAKASH Aug 06 '20 at 05:23
  • @PRAJINPRAKASH As I mention in my answer, to use this option in the GKE UI the service must be of the `NodePort` type. I'm not able to verify what you have in `certificate.yaml`. If you change the service type from `ClusterIP` to `NodePort`, this option is visible. Did you change this service type? – PjoterS Nov 12 '20 at 16:19
  • @PRAJIN PRAKASH, have you managed to solve this problem ? Did you follow the recommendations provided by PjoterS in his answer ? – mario Dec 01 '20 at 14:49
  • yes @mario use this for manually create certificate kubectl create -f abc-cert.yaml – PRAJIN PRAKASH Dec 02 '20 at 08:05

2 Answers

3

Posting this community wiki answer to give more visibility to the recently fixed issue of the grayed-out option to Create a Google-managed certificate.

Feel free to edit and expand.


You can find the corresponding Issue on the GCP Issuetracker:

Citing the part of the message from the thread:

As I can see, this issue was already fixed. You shouldn't encounter it anymore.


Example

As stated above, this issue shouldn't show up anymore. After reproduction with the following steps:

  • Create a GKE cluster and wait for its provisioning.
  • Create a sample workload and expose it with:
    • $ kubectl create deployment nginx --image=nginx
    • $ kubectl expose deployment nginx --port=80 --type=NodePort
  • Go to:
    • Cloud Console -> Kubernetes Engine -> Services & Ingress -> Create Ingress (after choosing nginx Service) -> Frontend configuration -> HTTPS -> Create a new certificate

The following option can be seen as available:

GOOGLE-MANAGED-CERT


Additional resources:

Dawid Kruk
-1

As you didn't provide the steps you're following, I will demonstrate how to do it the right way.

First of all, if you check Setting up HTTP(S) Load Balancing with Ingress, you will find information that GKE has integrated support for two types of Cloud Load Balancing:

When you specify type:LoadBalancer in the resource manifest, GKE creates a Service of type LoadBalancer.

When you specify type:Ingress in the resource manifest, you instruct GKE to create an Ingress resource. By including annotations and supporting workloads and Services, you can create a custom Ingress controller. ... The load balancer's URL map's host rules and path matchers reference one or more backend services, where each backend service corresponds to a GKE Service of type NodePort, as referenced in the Ingress

In another part of the GKE Documentation, related to Using Google-managed SSL certificates, you can find two important notes:

This feature is only available with Ingress for External HTTP(S) Load Balancing.

Managed Certificates is a Beta feature available in all GKE versions. In clusters with masters running Kubernetes lower than 1.16.5-gke.1 Managed Certificates are available in version v1beta1, and they do not support multiple subject alternative names (SANs) per certificate.

In GKE 1.16.5-gke.1 and higher Managed Certificates are available in version v1beta2 and they support up to 100 SANs per certificate, version v1beta1 is also still available.

I have tested a few scenarios including LoadBalancer and NodePort as service type. In RASA-X chart, the service is of a LoadBalancer type. In all my tests when I wanted to Create Google Managed Certificate, it worked only with NodePort.

Did you try to edit this service and change it to NodePort?

A good example to check is to follow this tutorial.

If you still experience the same issue, please provide more information about your environment and steps to reproduce the problem.

mario
PjoterS
  • Thanks for the detailed answer. I have already done this by creating the certificate through the command `kubectl apply -f certificate.yaml`, but I just want to know why the `Create Google-managed certificate` button is still disabled. – PRAJIN PRAKASH Aug 17 '20 at 09:55
  • 1
    Did you change anything after deploying the chart? – PjoterS Aug 17 '20 at 13:52
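
The manual route the comments settle on, written out as an added example (not taken from any post on this page): a ManagedCertificate, the NodePort Service from the first answer, and an Ingress that references the certificate by annotation. The certificate name, Ingress name and domain are placeholders, and the API versions are assumed to match the GKE 1.16-era clusters the second answer describes.

```yaml
# Added example; example-cert, example-ingress and example.com are placeholders.
apiVersion: networking.gke.io/v1beta2   # v1beta2: up to 100 SANs; v1beta1: a single domain
kind: ManagedCertificate
metadata:
  name: example-cert                    # hypothetical name, referenced by the Ingress below
spec:
  domains:
    - example.com                       # placeholder; its DNS record must resolve to the Ingress IP
---
apiVersion: v1
kind: Service
metadata:
  name: nginx                           # the Service created by `kubectl expose` in the first answer
spec:
  type: NodePort                        # the Service type the second answer reports working
  selector:
    app: nginx                          # label set by `kubectl create deployment nginx`
  ports:
    - port: 80
      targetPort: 80
---
# Assumption: Ingress API of the same era. Newer clusters use
# networking.k8s.io/v1, which has a different backend syntax.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: example-ingress                 # hypothetical name
  annotations:
    # Must match metadata.name of the ManagedCertificate in the same namespace.
    networking.gke.io/managed-certificates: example-cert
spec:
  backend:
    serviceName: nginx
    servicePort: 80
```

After applying the file with `kubectl apply -f`, `kubectl describe managedcertificate example-cert` reports the certificate's provisioning status.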