nice-portugal-52925

08/16/2019, 2:17 AM
Hey all I'm having an extreme amount of trouble getting https load balancer to work with GKE. If anyone could point me in the right direction that would be greatly appreciated!
import * as k8s from "@pulumi/kubernetes";

// NodePort Service in front of the Django Deployment (the GKE Ingress controller needs a NodePort backend).
const appService = new k8s.core.v1.Service("django-service", {
  metadata: { labels: appDeployment.metadata.labels },
  spec: {
    type: "NodePort",
    ports: [{ port: 80, targetPort: appPort }],
    selector: appDeployment.spec.template.metadata.labels,
  },
}, { provider: cluster.provider });

// Ingress with a single default backend pointing at the Service above.
const appIngress = new k8s.extensions.v1beta1.Ingress("django-load-balancer", {
  spec: {
    backend: {
      serviceName: appService.metadata.name,
      servicePort: 80,
    },
  },
});
gorgeous-egg-16927

08/16/2019, 3:41 PM
Here's an example I used recently that worked:
It looks like you’re missing the provider opt on the Ingress, so that could be part of the problem
nice-portugal-52925

08/18/2019, 2:24 AM
@gorgeous-egg-16927 Thanks for your help! I tried that and still get an error page when I go to the IP. Is there something else I'm doing incorrectly?
Error: Server Error
The server encountered a temporary error and could not complete your request.
Please try again in 30 seconds.
glamorous-printer-66548

08/19/2019, 11:53 AM
@nice-portugal-52925 my best guess is that your app does not satisfy the LB's health check. GKE L7 LBs do a mandatory health check on your deployment. By default it's expecting your app to return a 200 on GET /. You can modify the endpoint by adding a readinessProbe, but you cannot deactivate the health check completely, even if you don't specify a readinessProbe. This is one of the quirks of GKE's L7 LBs and the Ingress controller. More info can be found here: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#health_checks
I'd suggest you manually check if your app returns a 200 on / by running
kubectl port-forward svc/<your_service> 8080
and then
curl http://localhost:8080 -v
Besides that I'd suggest starting with a very simple spec like this (instead of using path-based mapping):
spec: {
  backend: {
    serviceName: service.metadata.name,
    servicePort: 8080,
  },
}
Note that it sometimes takes very long until ingress config changes are reflected in your GCP L7 LB (i.e. up to 5 minutes). I also had instances where the ingress controller did not propagate config changes at all and I had to delete and recreate it. Another quirk of the GCP Ingress controller.
nice-portugal-52925

08/19/2019, 10:01 PM
@glamorous-printer-66548 Thanks for your help! My / route returns a 200 😕. I tried the other spec as well, no luck. I am able to deploy it just fine with just a LoadBalancer and no ingress, but I'm trying to set up HTTPS with Cloudflare. If you have any other solutions they would be appreciated.
glamorous-printer-66548

08/19/2019, 10:11 PM
Does your app / pod itself return HTTP or HTTPS traffic?
Also, why would you use HTTPS with Cloudflare in combination with an L7 load balancer on GCP? Imho those are competing products and I cannot think of a sensible way to combine them.
nice-portugal-52925

08/19/2019, 10:34 PM
Right now it's only returning HTTP. I was told I could use Cloudflare as a sort of proxy for the HTTPS stuff. I'm not using the load balancing service on Cloudflare, just the DNS and SSL (unless that's on by default).
What would be a better solution? Especially one where I can just keep it all in GCP, that would be perfect!
glamorous-printer-66548

08/19/2019, 11:27 PM
I mean GCP has Cloud DNS and the L7 (HTTP/S) LBs already support SSL / TLS Termination and Global Load Balancing via a single anycast IP. They also support HTTP2, Caching via Cloud CDN etc. I’m not sure what additional benefit Cloudflare would deliver here imho (but it depends on which product we’re talking about since Cloudflare has multiple as well), but for a 0815 use-case I don’t see one. AWS traditionally didn’t have good support for “global load balancing” etc. (although that changed with https://aws.amazon.com/global-accelerator/) so I can imagine that AWS customers were inclined to add Cloudflare into the mix, but GCP has been quite good in this area for a long time.
I can say that we simply use GCP L7 HTTPS LBs that we create via Ingress and Cloud CDN that we managed via the pulumi gcp provider in production. Everything working pretty fine.
nice-portugal-52925

08/19/2019, 11:37 PM
Do you have an example you can share?
Everything I try leads me to
Error: Server Error
The server encountered a temporary error and could not complete your request.
Please try again in 30 seconds.
with the ingress HTTP load balancer.
glamorous-printer-66548

08/20/2019, 12:18 AM
Have you tried the example from Levi yet?
nice-portugal-52925

08/20/2019, 12:52 AM
Yes, I was able to run it with the image he provided. Whenever I try to run it with my Docker image it doesn't work
(the same Docker image I use with just the "LoadBalancer", and it works just fine).
glamorous-printer-66548

08/20/2019, 1:36 AM
Levi's example is using a different port than yours. Did you try changing the ports in Levi's example to 80 everywhere and see if it works with your image?
Also, maybe you should check the logs of the LB in Google Cloud Logging.
You should see some info there about health checks failing, if any.
nice-portugal-52925

08/20/2019, 2:43 AM
Figured it out… The site is using Django and didn't have the domain on which the health check was being executed in ALLOWED_HOSTS, therefore returning a non-200 status and failing the health checks 🤦‍♂️
Thanks so much for your help. I couldn't have done it without you!
How would you recommend I get Pulumi to automatically configure the certificates onto the GCP HTTPS load balancer?
glamorous-printer-66548

08/20/2019, 11:41 AM
We use https://github.com/jetstack/cert-manager to issue certs using Let's Encrypt (using the DNS01 challenge in conjunction with GCP Cloud DNS) and then pass them to the ingress controller via the tls prop in the spec.
If you already have certs (e.g. from GoDaddy) I would add them as a pre-shared cert to GCP and then reference it in the Ingress resource via an annotation.
Last but not least, GCP released a few months ago some auto-SSL support integrated into the L7 LB (https://cloud.google.com/load-balancing/docs/ssl-certificates#managed-certs). Under the hood this is doing something similar to cert-manager and issues Let's Encrypt certs, however you wouldn't have to deal with installing cert-manager. I haven't used that functionality of GCP though, since it's relatively new and cert-manager does the job for us.
nice-portugal-52925

08/20/2019, 9:13 PM
I think I'm going to try the GCP one. Hopefully that one is straightforward enough. Thanks for all your help!