Managed certificate is ignored #21

Closed
qbast opened this issue Apr 17, 2019 · 21 comments

@qbast

qbast commented Apr 17, 2019

Hello

I created fresh GKE cluster with version 1.12.6-gke.10.
Then I followed the howto: creating managedcertificate, service, ingress, external ip and DNS name all worked fine.
I also verified that domain name resolves to IP of the load balancer.

However, after the LB is created, nothing happens: kubectl describe managedcertificate shows 'Events: '. LB is listening only on port 80.
Is there any way to debug this?

@Cidan

Cidan commented Apr 18, 2019

+1, using GKE 1.12.6-gke.10, the setup instructions here do not work. The resources are submitted, but the managed cert sits in a perpetually stuck state, with events reading nothing/blank, and no status set. I additionally do not see a managed cert provisioned on GCP itself.

@qbast
Author

qbast commented Apr 18, 2019

I retested it with version 1.12.7-gke.7. The same problem.
It works, however, with 1.12.6-gke.7. So something must have changed between 1.12.6-gke.7 and 1.12.6-gke.10.

@krzykwas
Member

In GKE we have identified an issue with regional clusters, where managed certificates would behave in the way you've described. Are these regional clusters?

The fix at earliest could be deployed in production at the end of April.

Meanwhile you could deploy the controller from this github repository in your cluster as a mitigation before a fix is deployed.

@qbast
Author

qbast commented Apr 18, 2019

This explains things - all my non-working clusters were regional and the one where it worked was zonal. Thanks for the hint, I will use the controller

@qbast qbast closed this as completed Apr 18, 2019
@qbast qbast reopened this Apr 18, 2019
@Cidan

Cidan commented Apr 18, 2019

Yes, same here. The cluster I'm running are regional. Thanks :)

@jakebolam

jakebolam commented Apr 22, 2019

This is happening for me too, regional cluster.

I initially believed this was due to: kubernetes/ingress-gce#738

@jakebolam

The workaround didn't work for us. We've moved back to providing our certs for now.

@jakebolam

The workaround was failing due to #18

@jjhuff

jjhuff commented Apr 30, 2019

@krzykwas Any update on the fix? Users are rather stuck. The built in stuff doesn't work with regional, and this project crash-loops.

@alexdianomi

The thing meant to avoid the matrix from hell has its own matrix from hell

@reynaldiwijaya

May I know if there is any timeline for the actual release / implementation in GKE cluster?

@matti

matti commented May 11, 2019

see #18 for update on workaround

@drwxmrrs

I had this working a few days ago which is really odd.

@qbast I assume you mean 1.12.6-gke.7 for the node versions?

Can't select that version for master from what I can see in GKE.

@davidgolub

I'm having the same issue. This is the error message I get when accessing the https endpoint from the browser. Does someone have a clear workaround I can use?

image

@drwxmrrs

drwxmrrs commented May 19, 2019 via email

@matti

matti commented May 20, 2019

yep, sometimes it takes max(10min)

@rvdh

rvdh commented May 20, 2019

Still experiencing this issue on a regional v1.12.7-gke.10 cluster. @krzykwas any update on when a fix will be deployed?

@krzykwas
Member

The regional cluster issue is fixed in 1.12.7-gke.17 released the previous week.

@reynaldiwijaya

Yeah, upgraded and works smoothly

@JohannesRudolph

Upgrading to 1.12.7-gke.17 worked for me too, however the cert took about 15 minutes to fix SSL protocol errors as described by @davidgolub

@jakebolam

Upgraded, and back online. Thanks for getting this done 🙏
