I'm simply following the tutorial here: https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs#creating_an_ingress_with_a_managed_certificate

Everything works fine until I deploy my certificate and wait 20 minutes for it to show up as:

Status:
  Certificate Name:    daojnfiwlefielwrfn
  Certificate Status:  Provisioning
  Domain Status:
    Domain:  moviedecisionengine.com
    Status:  FailedNotVisible

That domain clearly works, so what am I missing?

EDIT:

Here's the Cert:

apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
    name: moviedecisionengine
spec:
    domains:
        - moviedecisionengine.com

The Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.gcp.kubernetes.io/pre-shared-cert: mcrt-14cb8169-25ba-4712-bca5-cb612562a00b
    ingress.kubernetes.io/backends: '{"k8s-be-31721--1cd1f38313af9089":"HEALTHY"}'
    ingress.kubernetes.io/forwarding-rule: k8s-fw-default-showcase-mde-ingress--1cd1f38313af9089
    ingress.kubernetes.io/https-forwarding-rule: k8s-fws-default-showcase-mde-ingress--1cd1f38313af9089
    ingress.kubernetes.io/https-target-proxy: k8s-tps-default-showcase-mde-ingress--1cd1f38313af9089
    ingress.kubernetes.io/ssl-cert: mcrt-14cb8169-25ba-4712-bca5-cb612562a00b
    ingress.kubernetes.io/target-proxy: k8s-tp-default-showcase-mde-ingress--1cd1f38313af9089
    ingress.kubernetes.io/url-map: k8s-um-default-showcase-mde-ingress--1cd1f38313af9089
    kubernetes.io/ingress.global-static-ip-name: 34.107.208.110
    networking.gke.io/managed-certificates: moviedecisionengine
  creationTimestamp: "2020-01-16T19:44:13Z"
  generation: 4
  name: showcase-mde-ingress
  namespace: default
  resourceVersion: "1039270"
  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/showcase-mde-ingress
  uid: 92a2f91f-3898-11ea-b820-42010a800045
spec:
  backend:
    serviceName: showcase-mde
    servicePort: 80
  rules:
  - host: moviedecisionengine.com
    http:
      paths:
      - backend:
          serviceName: showcase-mde
          servicePort: 80
  - host: www.moviedecisionengine.com
    http:
      paths:
      - backend:
          serviceName: showcase-mde
          servicePort: 80
status:
  loadBalancer:
    ingress:
    - ip: 34.107.208.110

And lastly, the load balancer:

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2020-01-13T22:41:27Z"
  labels:
    app: showcase-mde
  name: showcase-mde
  namespace: default
  resourceVersion: "2298"
  selfLink: /api/v1/namespaces/default/services/showcase-mde
  uid: d5a77d7b-3655-11ea-af7f-42010a800157
spec:
  clusterIP: 10.31.251.46
  externalTrafficPolicy: Cluster
  ports:
  - nodePort: 31721
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: showcase-mde
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - ip: 35.232.156.172

For the full output of kubectl describe managedcertificate moviedecisionengine:

Name:         moviedecisionengine
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"networking.gke.io/v1beta1","kind":"ManagedCertificate","metadata":{"annotations":{},"name":"moviedecisionengine","namespace...
API Version:  networking.gke.io/v1beta1
Kind:         ManagedCertificate
Metadata:
  Creation Timestamp:  2020-01-17T16:47:19Z
  Generation:          3
  Resource Version:    1042869
  Self Link:           /apis/networking.gke.io/v1beta1/namespaces/default/managedcertificates/moviedecisionengine
  UID:                 06c97b69-3949-11ea-b820-42010a800045
Spec:
  Domains:
    moviedecisionengine.com
Status:
  Certificate Name:    mcrt-14cb8169-25ba-4712-bca5-cb612562a00b
  Certificate Status:  Provisioning
  Domain Status:
    Domain:  moviedecisionengine.com
    Status:  FailedNotVisible
Events:      <none>
AlxVallejo
  • Does this answer your question? [Creating a ManagedCertificate results in "Status: FailedNotVisible"](https://stackoverflow.com/questions/55695379/creating-a-managedcertificate-results-in-status-failednotvisible) – Arghya Sadhu Jan 17 '20 at 16:15
  • Not really. Why would I need to account for a DNSSEC? The DNS obviously works. – AlxVallejo Jan 17 '20 at 16:18
  • Are you using the Google ingress controller or the nginx ingress controller? – Arghya Sadhu Jan 17 '20 at 16:19
  • Google ingress, not nginx. – AlxVallejo Jan 17 '20 at 16:20
  • Add the GKE cluster version. – Arghya Sadhu Jan 17 '20 at 16:22
  • {"apiVersion":"networking.gke.io/v1beta1","kind":"ManagedCertificate","metadata":{"annotations":{},"name":"moviedecisionengine2","namespac... – AlxVallejo Jan 17 '20 at 16:23
  • Can you share the objects you are using? It's kind of hard to troubleshoot with just an error status. – suren Jan 17 '20 at 17:20
  • @suren Added the objects – AlxVallejo Jan 17 '20 at 18:16
  • In your `Ingress` object, do you write the IP address or the name you reserved it with on GCP? And you created an `A` record pointing to that IP address in your domain name provider's DNS zone, right? As a side note, your service should be `NodePort`, but that's not the problem. – suren Jan 17 '20 at 23:33
  • Please provide the output of the command: `$ kubectl describe managedcertificate moviedecisionengine` – Dawid Kruk Jan 20 '20 at 15:26
  • @DawidKruk I added the complete output to the bottom. – AlxVallejo Jan 20 '20 at 18:03
  • @AlxVallejo So if I understand correctly: 1. You created a `deployment`. 2. You created a service of type `LoadBalancer` to your deployment. 3. You created a static IP address with `gcloud`. 4. You created a DNS entry to your static IP. 5. You created a `ManagedCertificate`. 6. You created an `Ingress` resource as shown in your post? – Dawid Kruk Jan 21 '20 at 08:45
  • @DawidKruk That is correct. And if I go to VPC -> External IP addresses, I see my static IP in use as a forwarding rule by my ingress. So what am I missing? – AlxVallejo Jan 21 '20 at 14:02
  • @AlxVallejo I've managed to make it to work. It took some time at the end. Please take a look at it and let me know if it helped you. – Dawid Kruk Jan 21 '20 at 16:35

1 Answer

I was successful in using ManagedCertificate with a GKE Ingress resource.

Let me elaborate on that:

Steps to reproduce:

  • Create an IP address with gcloud
  • Update the DNS entry
  • Create a deployment
  • Create a service
  • Create a certificate
  • Create an Ingress resource

Create an IP address with gcloud

Invoke the command below to create a static IP address:

$ gcloud compute addresses create example-address --global

Check the newly created IP address with the command below:

$ gcloud compute addresses describe example-address --global

Update the DNS entry

Go to GCP -> Network Services -> Cloud DNS.

Edit your zone, adding an A record that points to the address created above.

Wait for it to apply.

Check with $ nslookup DOMAIN.NAME whether the entry is pointing to the appropriate address.

Create a deployment

Below is an example deployment which will respond to traffic:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  selector:
    matchLabels:
      app: hello
      version: 1.0.0
  replicas: 3
  template:
    metadata:
      labels:
        app: hello
        version: 1.0.0
    spec:
      containers:
      - name: hello
        image: "gcr.io/google-samples/hello-app:1.0"
        env:
        - name: "PORT"
          value: "50001"

Apply it with the command $ kubectl apply -f FILE_NAME.yaml

You can change this deployment to suit your application, but be aware of the ports that your application will respond to.

Create a service

Use a NodePort service, as in the provided link:

apiVersion: v1
kind: Service
metadata:
  name: hello-service
spec:
  type: NodePort
  selector:
    app: hello
    version: 1.0.0
  ports:
  - name: hello-port
    protocol: TCP
    port: 50001
    targetPort: 50001

Apply it with the command $ kubectl apply -f FILE_NAME.yaml

Create a certificate

As shown in the guide, you can use the example below to create a ManagedCertificate:

apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: example-certificate
spec:
  domains:
    - DOMAIN.NAME

Apply it with the command $ kubectl apply -f FILE_NAME.yaml

The status FAILED_NOT_VISIBLE indicates that certificate provisioning failed for a domain because of a problem with DNS or the load balancing configuration. Make sure that DNS is configured so that the certificate's domain resolves to the IP address of the load balancer. -- Google Cloud documentation

Creation of this certificate depends on the DNS entry that you provided earlier.

Create an Ingress resource

Below is an example Ingress resource which will use the ManagedCertificate:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: example-address
    networking.gke.io/managed-certificates: example-certificate
spec:
  rules:
  - host: DOMAIN.NAME
    http:
      paths:
      - path: /
        backend:
          serviceName: hello-service
          servicePort: hello-port

Apply it with the command $ kubectl apply -f FILE_NAME.yaml

It took about 20-25 minutes for it to fully work.

Dawid Kruk
  • Where in the documentation does it say you need to edit the zone in the DNS settings? I don't have any zones set up. – AlxVallejo Jan 22 '20 at 15:57
  • Also, why do I need a NodePort? I'm not routing between any ports ... – AlxVallejo Jan 22 '20 at 17:35
  • A `DNS zone` is a container of DNS records in Google Cloud DNS. If you are not using Google Cloud DNS please set needed entries in the solution appropriate to your case. For your GKE Ingress to reach the application you will need to use `NodePort` type of service: [Explanation](https://stackoverflow.com/questions/37299646/is-ingress-working-with-clusterip-services) – Dawid Kruk Jan 22 '20 at 21:20
  • I'm using this tutorial: https://cloud.google.com/kubernetes-engine/docs/tutorials/hello-app and a NodePort isn't mentioned anywhere. I'm using a cluster in my case. So what's the difference between having Ingress point to a Load Balancer -> Cluster vs a NodePort? – AlxVallejo Jan 22 '20 at 21:30
  • In the tutorial linked you are imperatively creating a L4 network Load Balancer. In order to use your `Managed Certificate` you need to use L7 one as provided above. Please refer to: [Traffic Type](https://cloud.google.com/load-balancing/docs/load-balancing-overview) [TLS Termination](https://cloud.google.com/load-balancing/docs/choosing-load-balancer#control-tls-termination) [Limitations and troubleshooting](https://cloud.google.com/load-balancing/docs/ssl-certificates#ssl-certificate-limits) – Dawid Kruk Jan 23 '20 at 11:34
  • Awesome, this is working now. Question though ... why would anyone use a Load Balancer -> Cluster configuration knowing that SSL isn't supported with it? – AlxVallejo Jan 23 '20 at 15:15
  • Please take a look at this: [Ingress vs Load Balancer](https://stackoverflow.com/questions/45079988/ingress-vs-load-balancer) – Dawid Kruk Jan 23 '20 at 16:19
  • One thing I'm noticing is that my www to non-www redirect isn't happening. From what I can tell I need an Nginx Ingress, not just an Ingress ... so why am I wasting my time with a regular Ingress? – AlxVallejo Feb 05 '20 at 15:45
  • @TiagoMedici the one that your application is connecting to. I’d recommend you to create a new question so the whole setup can be explained in a better detail. – Dawid Kruk Feb 24 '22 at 15:03
  • In case of using Cloud Endpoints, can it be used as the domain name? – Tiago Medici Feb 28 '22 at 11:34