Unable to connect to GKE-hosted web server w/ https (google-managed cert)

Hello,

I have set up a chat server for my lab group (via the Rocket Chat helm chart) and it seems to be working fine; I am able to connect to it via my domain, but only over HTTP.


The page is not able to resolve via HTTPS (so I can't actually link it w/ our company auth to have us sign in).

My ingress has an HTTPS proxy that is associated w/ the Google-managed cert, but when I run "describe" against my cert it is stuck like this:

Certificate Status: Provisioning
Domain Status:
  Domain: example.mydomain
  Status: FailedNotVisible

I had done this yesterday and it was stuck for 12 hours, so I deleted it and tried again later. Same issue, so I don't think it's just me being impatient.

These are the config options I used in deploying my ingress (w/ the Rocket Chat helm chart; hopefully that doesn't affect things):

annotations:
  kubernetes.io/ingress.global-static-ip-name: chat-ip
  networking.gke.io/managed-certificates: my-chat-cert
  kubernetes.io/ingress.class: gce
  kubernetes.io/ingress.allow-http: "true"
(no other non-general specs)

and this is the service config my app is using:

  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080

This is the load balancer associated w/ my ingress:

Classic Application Load Balancer

Frontend

  Protocol  IP:Port  Certificate   SSL Policy   Network Tier
  HTTP      chat-ip  -             -            Premium
  HTTPS     chat-ip  my-chat-cert  GCP default  Premium

Host and path rules

  Hosts                    Paths                    Backend
  All unmatched (default)  All unmatched (default)  default-http-backend-80
  *                        /*                       my-app-80
  *                        /*                       kube-system-default-http-backend-80

Backend services

1. kube-system-default-http-backend-80
   Endpoint protocol: HTTP
   Timeout: 30 seconds
   Cloud CDN: Disabled
   Logging: Enabled (sample rate: 1)
   Session affinity: None
   Connection draining timeout: 0 seconds
   Backend security policy: None
   Edge security policy: None

   Backends
   Name: kube-system-default-http-backend-80
   Type: Zonal network endpoint group
   Scope: my-scope
   Healthy: 1 of 1
   Autoscaling: No configuration
   Balancing mode: Max RPS: 1 (per endpoint)
   Capacity: 100%

2. my-app-80
   Endpoint protocol: HTTP
   Timeout: 30 seconds
   Health check: my-app-80
   Cloud CDN: Disabled
   Logging: Enabled (sample rate: 1)
   Session affinity: None
   Connection draining timeout: 0 seconds
   Backend security policy: None
   Edge security policy: None

   Backends
   Name: my-app-80
   Type: Zonal network endpoint group
   Scope: my-scope
   Healthy: 1 of 1
   Autoscaling: No configuration
   Balancing mode: Max RPS: 1 (per endpoint)
   Capacity: 100%

App-specific names obscured for obv reasons. Please bear with me as I am a complete beginner when it comes to networking like this (I sincerely did not realize it could be so complicated to host a simple web server on the internet). I notice none of these frontends/backends have the HTTPS port. Could that be the issue?

My domain is registered with Squarespace, but I am using Cloudflare for DNS. I have end-to-end encryption enabled and, once again, I am able to connect via my domain w/ HTTP.

Thank you for any help. I have sincerely been stuck on this for two days with no progress and it's important that I have this up and running soon (more like two days ago haha).

Solved

ACCEPTED SOLUTION

Hi! Thank you, I ended up figuring it out. I think there were two issues:

1. My Ingress wasn't being classed properly as "gce" unless I specified it in spec.ingressClassName (NOT annotations.kubernetes.io/ingressClass), so it wasn't able to use my Google-managed cert.

2. I had my domain on Cloudflare set to proxy my IP address, so I don't believe whatever magic is used to verify my domain could resolve my IP properly.

Thank you for your help! And hopefully, if anyone else has a similar issue, here are two things to look out for.


2 REPLIES

Hi @smoolio76,

By the looks of it, the managed certificate is not being provisioned correctly, which causes the HTTPS connection to fail. To gather more information about this, first check the status of the managed cert. Use the command below for more information about its status:

kubectl describe managedcertificate my-chat-cert

You can also check your domain's DNS records and make sure they are pointing to the correct IP address. You can use a tool like dig or nslookup to check the DNS records for your domain. The IP address should match the IP address of your load balancer.

Lastly, it may have something to do with the ingress configuration. Check if it is using the correct managed certificate. Below is my sample yaml.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: chat-ip
    networking.gke.io/managed-certificates: my-chat-cert
spec:
  rules:
  - host: example.mydomain
    http:
      paths:
      - pathType: ImplementationSpecific
        path: /*
        backend:
          service:
            name: my-app-80
            port:
              number: 80

Let me know if this helps.
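The three checks discussed in this thread (managed-certificate status from `kubectl describe`, `spec.ingressClassName` versus the annotation, and whether the public DNS answer for the host actually matches the reserved static IP rather than a proxied address) as one added shell script. This is an added example, not code from the thread or from Google; the resource names my-chat-cert, my-ingress, chat-ip and example.mydomain come from the thread, while the sample outputs, the IP addresses, and the --live driver (which shells out to kubectl, gcloud and dig) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): offline-testable checks for the three
# failure points discussed above. Names from the thread: my-chat-cert,
# my-ingress, chat-ip, example.mydomain. Sample outputs, IP addresses and the
# --live driver are assumed/constructed.

# 1. Parse `kubectl describe managedcertificate NAME` output.
#    Prints "<Certificate Status>/<Domain Status>", returns 0 only when Active.
cert_is_active() {
    describe_out=$1
    cert_status=$(printf '%s\n' "$describe_out" | sed -n 's/^ *Certificate Status: *//p' | head -n 1)
    domain_status=$(printf '%s\n' "$describe_out" | sed -n 's/^ *Status: *//p' | head -n 1)
    printf '%s/%s\n' "$cert_status" "$domain_status"
    [ "$cert_status" = "Active" ]
}

# 2. Check that an Ingress manifest (kubectl get ingress NAME -o yaml) sets
#    spec.ingressClassName: gce. The kubernetes.io/ingress.class annotation on
#    its own does not satisfy this check, matching the fix in the accepted answer.
ingress_class_is_gce() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ingressClassName:[[:space:]]*"?gce"?[[:space:]]*$'
}

# 3. Compare the A records a public resolver returns (dig +short A HOST) with
#    the reserved static IP. A proxied record (Cloudflare orange cloud) or a
#    record pointing elsewhere answers with other addresses, so Google cannot
#    see the load balancer behind the domain and the cert stays FailedNotVisible.
dns_points_at_lb() {
    dig_short=$1
    expected_ip=$2
    for ip in $dig_short; do
        [ "$ip" = "$expected_ip" ] && return 0
    done
    printf 'host resolves to [%s] but the load balancer IP is %s\n' \
        "$(printf '%s' "$dig_short" | tr '\n' ' ')" "$expected_ip" >&2
    return 1
}

# Constructed samples mirroring the symptoms reported in the thread.
SAMPLE_DESCRIBE='Certificate Status: Provisioning
Domain Status:
  Domain:  example.mydomain
  Status:  FailedNotVisible'
SAMPLE_INGRESS_ANNOTATION_ONLY='apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: gce
spec:
  rules: []'
SAMPLE_INGRESS_FIXED='apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  ingressClassName: gce
  rules: []'
LB_IP='203.0.113.10'          # assumed address behind the chat-ip static IP
DIG_PROXIED='198.51.100.7
198.51.100.8'                 # constructed: what a proxied record might answer
DIG_DIRECT='203.0.113.10'     # constructed: an unproxied record at the LB

# Live driver (assumed usage):
#   sh check.sh --live my-chat-cert my-ingress chat-ip example.mydomain
run_live_checks() {
    cert=$1; ingress=$2; addr_name=$3; host=$4
    cert_is_active "$(kubectl describe managedcertificate "$cert")" \
        || echo "certificate $cert is not Active yet"
    ingress_class_is_gce "$(kubectl get ingress "$ingress" -o yaml)" \
        || echo "set spec.ingressClassName: gce on $ingress"
    lb_ip=$(gcloud compute addresses describe "$addr_name" --global --format='value(address)')
    dns_points_at_lb "$(dig +short A "$host")" "$lb_ip" \
        || echo "point an unproxied A record for $host at $lb_ip"
}
if [ "${1:-}" = "--live" ]; then shift; run_live_checks "$@"; fi
```

Run it without arguments and nothing touches a cluster; the functions only parse the text they are given, which is what makes the DNS check useful on its own: paste the `dig +short` answer and the static IP and it tells you whether the provisioning check is even looking at your load balancer.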

