
I created an ingress for a GKE cluster providing an SSL certificate. Now that ingress presents two IP addresses, one with HTTP on port 80 and another one with HTTPS on port 443. The problem is that when visiting the HTTPS one, it still shows NOT SECURE. I created this diagram in order to explain my architecture. Many many thanks for any advice. https://docs.google.com/drawings/d/1JLTlIFwwxNN7NK66dxM6rqhIOUQukVuFvMTRx7UGPK4/edit

Here is the YAML:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/backends: '{"k8s-be-XXXXX--XXXXXXXXXXXXXXXX":"HEALTHY"}'
    ingress.kubernetes.io/forwarding-rule: k8s-fw-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX-ingress--XXXXXXXXXXXXXXXX
    ingress.kubernetes.io/https-forwarding-rule: k8s-fws-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX-ingress--XXXXXXXXXXXXXXXX
    ingress.kubernetes.io/https-target-proxy: k8s-tps-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX-ingress--XXXXXXXXXXXXXXXX
    ingress.kubernetes.io/ssl-cert: k8s-ssl-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX--XXXXXXXXXXXXXXXX
    ingress.kubernetes.io/static-ip: k8s-fw-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX-ingress--XXXXXXXXXXXXXXXX
    ingress.kubernetes.io/target-proxy: k8s-tp-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX-ingress--XXXXXXXXXXXXXXXX
    ingress.kubernetes.io/url-map: k8s-um-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX-ingress--XXXXXXXXXXXXXXXX
  creationTimestamp: "2020-10-14T05:58:37Z"
  finalizers:
  - networking.gke.io/ingress-finalizer
  generation: 1
  name: XXXXXXXXXXXXXXXX-ingress
  namespace: XXXXXXXXXXXXXXXX
  resourceVersion: "XXXXXXXXXXXXXXXX"
  selfLink: /apis/extensions/v1beta1/namespaces/XXXXXXXXXXXXXXXX/ingresses/XXXXXXXXXXXXXXXX-ingress
  uid: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
spec:
  backend:
    serviceName: XXXXXXXXXXXXXXXX-service
    servicePort: 80
  tls:
  - secretName: XXXXXXXXXXXXXXXX-certificate
status:
  loadBalancer:
    ingress:
    - ip: XXXXXXXXXXXXXXXX
```
robimalco
  • 1. Do you use GKE ingress or another one, like [kubernetes nginx ingress](https://github.com/kubernetes/ingress-nginx)? 2. What do you mean by `Now that ingress presents two IP addresses`? 3. Have you followed any [tutorial](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress) for SSL certificates? 4. Could you add your ingress YAML? – Jakub Oct 15 '20 at 09:22
  • Hi, thanks for your answer! 1. I am using GKE ingress. 2. If I go inside my load balancer HTTPS details, it shows 2 frontend protocols: the first one has HTTPS with port 443 and a certificate, the second one has HTTP port 80 and no certificate. 3. Yes, that page. I created a self-managed certificate shared with Google Cloud using OpenSSL. 4. I am adding the YAML as an answer below – robimalco Oct 20 '20 at 07:48
  • Inspect the certificate in your browser. It tells you exactly why it is not secure. – Gerald Schneider Oct 20 '20 at 07:55
  • Could you please check and tell me what the message is if you use `curl -vvI https://ip`? If you enter this IP with a Chrome browser, do you get `Your connection is not private - Back to Safety`? – Jakub Oct 22 '20 at 07:04
  • I managed to create a ManagedCertificate as well as an ingress using the CLI. Despite having a load balancer with protocol HTTPS, my website is reachable only with HTTP. If I run `curl -vvI https://ip` I obtain: `curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure` – robimalco Oct 22 '20 at 07:42
  • OK, it finally worked. I had to wait a few minutes before finally having HTTPS. This is the tutorial I followed, skipping point number 2 (Create a NodePort Service): https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs#gcloud – robimalco Oct 22 '20 at 08:02
  • Many many thanks Jakub and Gerald! – robimalco Oct 22 '20 at 08:03

1 Answer

Posting this as a community answer with a summary of our comments for better visibility.

Issue

HTTPS didn't work on GKE with GKE ingress.

Solution

The answer here would be to just wait, as it may take up to a few minutes for the load balancer to work properly.

As mentioned by @robimalco:

> I had to wait a few minutes before having finally the HTTPS. This is the tutorial I followed

That's also pointed out in point 3 of the above tutorial.

> Note: It may take up to 10-20 minutes for the load balancer to begin functioning.

Jakub
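The wait described in this answer can be scripted so that the handshake failure seen while the load balancer is still being set up is told apart from a certificate the client does not trust. This is an added example, not part of the original thread; the function names `probe`, `classify` and `wait_for_https` are made up here, and the defaults (40 tries, 30 seconds apart) are an assumption chosen to cover the 20-minute upper bound quoted from the tutorial.

```shell
#!/bin/sh
# Added example (not from the thread): poll an HTTPS endpoint until TLS works,
# and report why it is not ready yet. Function names are hypothetical.

# One TLS probe; returns curl's exit code. Verification stays ON (no -k),
# so an untrusted or mismatched certificate counts as a failure.
probe() {
  curl --silent --output /dev/null --head --max-time 10 "$1"
}

# Map a curl exit code to the state it indicates in this scenario.
classify() {
  case "$1" in
    0)      echo "ok" ;;                # handshake done, certificate verified
    35)     echo "handshake-failure" ;; # the "curl: (35)" error quoted above
    51|60)  echo "untrusted-cert" ;;    # self-signed, wrong name or unknown CA
    6|7|28) echo "unreachable" ;;       # DNS failure, connect failure, timeout
    *)      echo "other" ;;
  esac
}

# wait_for_https URL [TRIES] [DELAY_SECONDS]
# Returns 0 once TLS verifies, 2 on an untrusted certificate, 1 when tries run out.
# Assumption: an untrusted certificate is treated as not fixable by waiting.
wait_for_https() {
  url=$1 tries=${2:-40} delay=${3:-30} i=1
  while [ "$i" -le "$tries" ]; do
    rc=0
    probe "$url" || rc=$?
    state=$(classify "$rc")
    echo "attempt $i: $state (curl exit $rc)" >&2
    case "$state" in
      ok)             return 0 ;;
      untrusted-cert) return 2 ;;
    esac
    if [ "$i" -lt "$tries" ]; then sleep "$delay"; fi
    i=$((i + 1))
  done
  return 1
}

# Run only when a URL is given on the command line.
if [ "$#" -gt 0 ]; then wait_for_https "$@"; fi
```

Probe the hostname the certificate was issued for rather than the bare IP, since a certificate for a domain name does not validate against an IP address.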