Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot Disable HTTP when using managed-certificates. Results in infinite Creating ingress and 'no frontend configuration' #738

Closed
jakebolam opened this issue Apr 21, 2019 · 6 comments
Closed

Cannot Disable HTTP when using managed-certificates. Results in infinite Creating ingress and 'no frontend configuration' #738

jakebolam opened this issue Apr 21, 2019 · 6 comments
Assignees
@rramkumar1

Comments

@jakebolam
Copy link

jakebolam commented Apr 21, 2019
edited
Loading

Cannot Disable HTTP when using managed-certificates

When specifying the flag kubernetes.io/ingress.allow-http: "false" the ingress is never created, remains stuck in Creating ingress. Removing this annotation successfully completes the creation.

Versions

Kubernetes master/node-kube version: 1.12.6-gke.10

Additional Details:

The load balancer has the error This load balancer has no frontend configured
Hitting the HTTPS gateway results in unexpectedly closed the connection.
Hitting the HTTP gateway results in a google engine error page.

Configuration

apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: api-certifcate
spec:
  domains:
    - example.com
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: "web-static-ip"
    networking.gke.io/managed-certificates: api-certifcate
spec:
  rules:
    - http:
        paths:
          - path: /my-service/*
            backend:
              serviceName: my-service
              servicePort: 8080
@jakebolam jakebolam changed the title setting ingress.allow-http false results in 'no frontend configuration' Cannot Disable HTTP when using managed-certificates results in 'no frontend configuration' Apr 21, 2019
@jakebolam jakebolam changed the title Cannot Disable HTTP when using managed-certificates results in 'no frontend configuration' Cannot Disable HTTP when using managed-certificates. Results in infinite Creating ingress and 'no frontend configuration' Apr 21, 2019
@jakebolam jakebolam mentioned this issue Apr 22, 2019
Closed
@rramkumar1
Copy link
Contributor

@jakebolam Thanks for filing the issue, this looks like a bug. The code [1] which decides whether to setup the HTTPS resources given the value of "allow-http" does not seem to take into account whether the user has configured SSL via Managed Certificates.

The fix should be straightforward and will be available in our next patch release.

[1] https://github.com/kubernetes/ingress-gce/blob/master/pkg/loadbalancers/l7.go#L138

/kind bug

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Apr 22, 2019
@rramkumar1 rramkumar1 self-assigned this Apr 22, 2019
@jakebolam
Copy link
Author

@rramkumar1 no worries thanks for the fast response, the ingress has been performant and great for us, keep it up

@rramkumar1
Copy link
Contributor

@jakebolam Actually now that the more I ponder this, the more I think this is WAI. Here the is reasoning:

Adding the "networking.gke.io/managed-certificates" annotation to your Ingress does not attach a cert to your Ingress. All its doing is displaying intent for a cert to be added. It's possible that the controller which reconciles ManagedCertificate resources fails to create the actual GCP cert, in which case no actual cert will be attached to your Ingress (via the "pre-shared-cert" annotation). Therefore, we (as in ingress-gce) can't setup HTTPS resources until we know that the cert you intended to be attached is actually attached. Otherwise, where will we get the cert from?

So, my recommendation would be to first verify that your Ingress is serving HTTPS and then set allow-http to "false".

Does this makes sense? I'm going to go ahead and close this out but feel free to reopen if you have more questions.

/close

@k8s-ci-robot
Copy link
Contributor

@rramkumar1: Closing this issue.

In response to this:

@jakebolam Actually now that the more I ponder this, the more I think this is WAI. Here the is reasoning:

Adding the "networking.gke.io/managed-certificates" annotation to your Ingress does not attach a cert to your Ingress. All its doing is displaying intent for a cert to be added. It's possible that the controller which reconciles ManagedCertificate resources fails to create the actual GCP cert, in which case no actual cert will be attached to your Ingress (via the "pre-shared-cert" annotation). Therefore, we (as in ingress-gce) can't setup HTTPS resources until we know that the cert you intended to be attached is actually attached. Otherwise, where will we get the cert from?

So, my recommendation would be to first verify that your Ingress is serving HTTPS and then set allow-http to "false".

Does this makes sense? I'm going to go ahead and close this out but feel free to reopen if you have more questions.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rramkumar1 rramkumar1 removed the kind/bug Categorizes issue or PR as related to a bug. label Apr 25, 2019
@jakebolam
Copy link
Author

Thanks for looking into this @rramkumar1. We've moved back to using pre-shared-certs for now.

Hopefully in the future Managed Certificates and the Ingress will be able to play nicer together.

@jakebolam jakebolam mentioned this issue Jun 1, 2019
Closed
@jakebolam
Copy link
Author

@rramkumar1 GKE Manged Certs are working again and was unable to get HTTP to shut off. Created a new issue for this: #764

@cr8on cr8on mentioned this issue Jan 21, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rramkumar1 rramkumar1

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jakebolam @k8s-ci-robot @rramkumar1