Problems setting up TLS for GCE Ingress controller on GKE


Itamar O

Jan 31, 2017, 3:39:48 AM
to kubernet...@googlegroups.com
Hi,

I'm following [1], trying to configure GLBC on GKE with TLS.
Here's my Ingress YAML:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: prod
  name: search-stack
spec:
  tls:
  - hosts:
    - "*.yowza3d.com"
    secretName: star-dot-yowza3d-dot-com
  backend:
    serviceName: yapi
    servicePort: api
  rules:
  - host: kapi.yowza3d.com
    http:
      paths:
      - backend:
          serviceName: yapi
          servicePort: api
  - host: ksearch.yowza3d.com
    http:
      paths:
      - backend:
          serviceName: fe
          servicePort: www

I created the secret following the instructions:
>kubectl --namespace=prod describe secret star-dot-yowza3d-dot-com
Name: star-dot-yowza3d-dot-com
Namespace: prod
Labels: <none>
Annotations: ... redacted ...

Type: Opaque

Data
====
tls.crt: 4103 bytes
tls.key: 1679 bytes

with the values for the tls.{crt,key} produced by taking my existing server.{crt,key} for "*.yowza3d.com" and piping them through `base64 -w 0`. These are valid key/crt files, as you can see by visiting the non-k8s-deployment at https://search.yowza3d.com (it's marathon+mesos served via nginx).

This Ingress definition, without the TLS section, works OK (currently serving on http://ksearch.yowza3d.com).
Adding the TLS section doesn't do anything different. I still get a non-secure load-balancer provisioned.

Any ideas?

Prashanth B

Feb 1, 2017, 2:08:21 PM
to Kubernetes user discussion and Q&A
I just tried your ingress with this yaml https://gist.github.com/bprashanth/b7772ce0ca2e9f4eb34aa5c4eeaef38e and it worked as expected, maybe you can backtrack from there? 

What is the output of `kubectl describe` on your ingress? 

Itamar O

Feb 2, 2017, 3:10:34 AM
to Kubernetes user discussion and Q&A
Thanks.
I'm using Deployments, not ReplicationControllers, but otherwise my backends are similar to your test yaml.
I managed to get it working by recreating the secret - I think it was some copy-paste error in the certificate, because the data size is different now.
How could I have known that the cert/key pair was corrupt? Are there Ingress logs anywhere that could have pointed me in the right direction?

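
One way to catch a corrupt cert/key pair before the load balancer is involved, as an added example that is not part of the thread: decode the Secret's `tls.crt` and `tls.key` values strictly and load them as a pair. `check_tls_secret` and `fake_pem` are hypothetical names, and the sample values are constructed.

```python
import base64, binascii, os, ssl, tempfile

def check_tls_secret(data):
    """Return a list of problems in a Secret's base64-encoded `data` map."""
    problems, pem = [], {}
    for field in ("tls.crt", "tls.key"):
        if field not in data:
            problems.append(f"{field}: missing")
            continue
        try:
            # validate=True rejects stray characters instead of skipping them
            decoded = base64.b64decode(data[field], validate=True)
        except (binascii.Error, ValueError) as exc:
            problems.append(f"{field}: not valid base64 ({exc})")
            continue
        if b"-----BEGIN " not in decoded or b"-----END " not in decoded:
            problems.append(f"{field}: decoded bytes are not a complete PEM block")
            continue
        pem[field] = decoded
    if problems:
        return problems
    with tempfile.TemporaryDirectory() as tmp:  # directory is private to this user
        paths = {}
        for field, content in pem.items():
            paths[field] = os.path.join(tmp, field)
            with open(paths[field], "wb") as fh:
                fh.write(content)
        try:
            # Parses both files and checks that the private key matches the certificate.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            # The password callback keeps an encrypted key from prompting on the terminal.
            ctx.load_cert_chain(paths["tls.crt"], paths["tls.key"], password=lambda: "")
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            problems.append(f"certificate/key pair does not load: {exc}")
    return problems

def fake_pem(label):
    """Constructed sample: correct PEM framing around a meaningless body."""
    text = f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n"
    return base64.b64encode(text.encode()).decode()

if __name__ == "__main__":
    sample = {"tls.crt": fake_pem("CERTIFICATE")[:-1],  # one character lost in a paste
              "tls.key": fake_pem("PRIVATE KEY")}
    for problem in check_tls_secret(sample):
        print(problem)
```

The `data` map is the `.data` object from `kubectl --namespace=prod get secret star-dot-yowza3d-dot-com -o json`; an empty list means both values decoded and loaded as a matching pair.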