Comments (12)
From @sebbov on September 15, 2017 16:54
+1 I also hit this issue and was at a loss to find out what the issue was. The target proxy and global forwarding rule would just not be created. Users should have visibility into any errors in ingress => GCP object creation pipeline.
FWIW, in my case, the TLS secret did exist in the correct namespace, but because of the way I had created it, a botched attempt at copying it from another cluster's secret, it was in an incorrect state.
from ingress-gce.
From @tonglil on May 8, 2017 21:50
Ok, so there are a few things here that result in you seeing what you see.
Firstly, kube-lego needs to be installed in your cluster for the tls-acme annotation to work (for getting a cert from letsencrypt).
Secondly, because there is no cert in the cluster (from kube-lego) AND http is disabled, then no front-end will be created.
Once you allow http by setting ingress.allow-http to true (default setting), then it will create the http front end, but again, kube-lego is not set up to create the cert for the https front end.
@nicksardo if you are comfortable, I would like to contribute to this repository by labeling issues nginx or gce.
from ingress-gce.
From @nicksardo on May 8, 2017 22:6
@tonglil Correct me if I'm wrong, but I believe for labeling power you must be an org member and get write permission for the repo. With the start of the governance, I think all org changes are frozen for the time being.
from ingress-gce.
From @tonglil on May 8, 2017 22:14
Gotcha, no worries. Happy to apply again another time.
from ingress-gce.
From @pijusn on May 9, 2017 4:33
@tonglil I actually used a self-signed certificate. See (you can also find it in the Shell script I pasted earlier):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls.key -out /tmp/tls.crt -subj "/C=LT"
kubectl create secret tls echoserver-tls --key /tmp/tls.key --cert /tmp/tls.crt
I would expect Kubernetes not to depend on kube-lego. To be specific, I would expect it to create an HTTPS frontend with the provided certificate even if it's not trusted, is issued for a different domain or whatever.
I now know that kube-lego does not support it but (correct me if I'm wrong) ACME server ignores certificate when using HTTPS. That's a nice way to kick-start LB setup. To achieve it, ingress controller should support such scenarios.
from ingress-gce.
From @tonglil on May 9, 2017 5:12
@pijusn oops, sorry I missed that part.
What happens if you do this:
spec:
tls:
- - hosts:
- - echo.pijusn.eu
- secretName: echoserver-tls
+ - secretName: echoserver-tls
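Review bot: the removed lines drop the hosts entry (echo.pijusn.eu) from the tls block and leave only secretName: echoserver-tls, and nothing in the change says whether that is a temporary test or the intended final spec. Mark it as a diagnostic step and restore the hosts list afterwards, so the tls entry still states which hostname the echoserver-tls certificate is meant to serve.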
You can also see if there are any events emitted by the Ingress with kubectl describe ingress echoserver.
from ingress-gce.
From @nicksardo on May 9, 2017 5:37
I'm betting you're creating the secret in the default namespace but the ingress exists in echoserver. It really should be surfaced as an event when the tls cert cannot be fetched.
from ingress-gce.
From @pijusn on May 9, 2017 6:10
@nicksardo I think you are right. That would certainly make sense. I will verify it some time this week. Thank you for pointing it out.
from ingress-gce.
From @nicksardo on May 10, 2017 17:16
Let's use this issue to track surfacing an event when cert lookup fails.
In the future, stack overflow would be a better medium for this question.
from ingress-gce.
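An added example, not part of the thread or of ingress-gce: a preflight check for the two failure modes reported above, a TLS secret that lives in a different namespace than the Ingress and a secret that exists but is in an incorrect state. check_ingress_tls, pem_b64 and the sample objects are hypothetical names and constructed data; the check is structural only and does not verify that the key matches the certificate.

```python
import base64

# PEM label each Secret field must start with; key labels vary (RSA/EC/PKCS#8).
EXPECTED = {"tls.crt": "CERTIFICATE-----", "tls.key": "PRIVATE KEY-----"}

def check_ingress_tls(ingress, secrets):
    """List problems with the secrets named in an Ingress's spec.tls.

    ingress: Ingress manifest as a dict.
    secrets: {(namespace, name): Secret manifest dict} for the whole cluster.
    """
    ns = ingress["metadata"].get("namespace", "default")
    problems = []
    for entry in ingress.get("spec", {}).get("tls", []):
        name = entry.get("secretName")
        secret = secrets.get((ns, name))
        if secret is None:
            # Secrets are namespaced: an Ingress only sees its own namespace.
            others = sorted(n for (n, s) in secrets if s == name)
            hint = f" (exists in: {', '.join(others)})" if others else ""
            problems.append(f"{ns}/{name}: not found{hint}")
            continue
        if secret.get("type") != "kubernetes.io/tls":
            problems.append(f"{ns}/{name}: type is {secret.get('type')!r}")
        for field, label in EXPECTED.items():
            try:
                raw = base64.b64decode(secret.get("data", {})[field], validate=True)
                first = raw.decode("ascii").strip().splitlines()[0]
            except (KeyError, TypeError, ValueError, IndexError):
                problems.append(f"{ns}/{name}: {field} missing or undecodable")
                continue
            if not (first.startswith("-----BEGIN ") and first.endswith(label)):
                problems.append(f"{ns}/{name}: {field} is not a PEM {label[:-5]}")
    return problems

def pem_b64(label):
    """Constructed placeholder PEM (not a real certificate or key), base64-encoded."""
    text = f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n"
    return base64.b64encode(text.encode()).decode()

# Constructed sample objects using the names from the thread.
INGRESS = {"metadata": {"name": "echoserver", "namespace": "echoserver"},
           "spec": {"tls": [{"secretName": "echoserver-tls"}]}}
GOOD = {"type": "kubernetes.io/tls",
        "data": {"tls.crt": pem_b64("CERTIFICATE"), "tls.key": pem_b64("RSA PRIVATE KEY")}}
BOTCHED = {"type": "Opaque", "data": {"tls.crt": pem_b64("CERTIFICATE"), "tls.key": "%%%"}}

if __name__ == "__main__":
    for p in check_ingress_tls(INGRESS, {("default", "echoserver-tls"): GOOD}):
        print(p)
```

Against a live cluster the two inputs would come from the Ingress and Secret objects as returned by the API, parsed into dicts.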
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Prevent issues from auto-closing with an /lifecycle frozen comment.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale
from ingress-gce.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale
from ingress-gce.
/close
from ingress-gce.