Let me explain what the deployment consists of. First of all I created a Cloud SQL db by importing some data. To connect the db to the application I used cloud-sql-proxy and so far everything works.

I created a Kubernetes cluster in which there is a pod containing the Docker container of the application that I want to deploy, and so far everything works... To reach the application over HTTPS I then followed several online guides (https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#console , https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#console , etc.), all of which converge on using a Kubernetes Service and Ingress. The first one maps Spring's port 8080 to port 80, while the second one creates a load balancer that exposes a frontend over HTTPS. I configured a health check, and I created a (Google-managed) certificate associated with a domain which maps to the static IP assigned to the Ingress.

Apparently everything works, but as soon as you try to reach the address https://example.org/ from the browser you are correctly redirected to the login page ( http://example.org/login ), but as you can see it switches to the HTTP protocol, and obviously a 404 is returned by Google since HTTP is disabled. Forcing HTTPS on the address to which it redirects you ( https://example.org/login ) then, for some absurd reason, adds "www" in front of the domain name ( https://www.example.org/login ). If you try not to use the domain by switching to the static IP, the www problem disappears... However, every time you make a request over HTTPS it keeps changing to HTTP.

P.S. The general goal would be to have HTTP up to the load balancer (Google's internal network) and then have HTTPS between the load balancer and the client.

Can anyone help me? If it helps, I am posting the YAML file of the deployment. Thank you very much!

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: my-app # Label for the Deployment
  name: my-app # Name of Deployment
spec:
  minReadySeconds: 60 # Number of seconds to wait after a Pod is created and its status is Ready
  selector:
    matchLabels:
      run: my-app
  template: # Pod template
    metadata:
      labels:
        run: my-app # Labels Pods from this Deployment
    spec: # Pod specification; each Pod created by this Deployment has this specification
      containers:
        - image: eu.gcr.io/my-app/my-app-production:latest # Application to run in Deployment's Pods
          name: my-app-production # Container name
          # Note: The following line is necessary only on clusters running GKE v1.11 and lower.
          # For details, see https://cloud.google.com/kubernetes-engine/docs/how-to/container-native-load-balancing#align_rollouts
          ports:
            - containerPort: 8080
              protocol: TCP
        - image: gcr.io/cloudsql-docker/gce-proxy:1.17
          name: cloud-sql-proxy
          command:
            - "/cloud_sql_proxy"
            - "-instances=my-app:europe-west6:my-app-cloud-sql-instance=tcp:3306"
            - "-credential_file=/secrets/service_account.json"
          securityContext:
            runAsNonRoot: true
          volumeMounts:
            - name: my-app-service-account-secret-volume
              mountPath: /secrets/
              readOnly: true
      volumes:
        - name: my-app-service-account-secret-volume
          secret:
            secretName: my-app-service-account-secret
      terminationGracePeriodSeconds: 60 # Number of seconds to wait for connections to terminate before shutting down Pods
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-app-health-check
spec:
  healthCheck:
    checkIntervalSec: 60
    port: 8080
    type: HTTP
    requestPath: /health/check
---
apiVersion: v1
kind: Service
metadata:
  name: my-app-svc # Name of Service
  annotations:
    cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
    cloud.google.com/backend-config: '{"default": "my-app-health-check"}'
spec: # Service's specification
  type: ClusterIP
  selector:
    run: my-app # Selects Pods labelled run: my-app
  ports:
    - port: 80 # Service's port
      protocol: TCP
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-app-ing
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-static-ip"
    ingress.gcp.kubernetes.io/pre-shared-cert: "example-org"
    kubernetes.io/ingress.allow-http: "false"
spec:
  backend:
    serviceName: my-app-svc
    servicePort: 80
  tls:
    - secretName: example-org
      hosts:
        - example.org
---
1

There are 1 answers

0
PjoterS On

As I mentioned in the comment section, you can redirect HTTP to HTTPS.

Google Cloud has quite good documentation, and you can find step-by-step guides there, including firewall configurations or tests. You can find this guide here.

I would also suggest you read docs like:

As an alternative, you could check Nginx Ingress with the proper annotation (force-ssl-redirect). Some examples can be found here.
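The two options from the answer above, written against the question's manifests. This is an added example, not part of the original question or answer: the names `my-app-frontend-config`, `my-app-ing-nginx` and `example-org-tls` are hypothetical. On GKE the redirect is served by the load balancer's HTTP frontend, so the `kubernetes.io/ingress.allow-http: "false"` annotation from the question has to be dropped for option A.

```yaml
# Option A (GKE Ingress): let the load balancer answer HTTP with a redirect to HTTPS.
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: my-app-frontend-config # hypothetical name
spec:
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT # 301
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-app-ing
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-static-ip"
    ingress.gcp.kubernetes.io/pre-shared-cert: "example-org"
    # allow-http is left at its default (true): the port 80 frontend must
    # exist, because it is what issues the redirect.
    networking.gke.io/v1beta1.FrontendConfig: "my-app-frontend-config"
spec:
  backend:
    serviceName: my-app-svc
    servicePort: 80
---
# Option B (NGINX Ingress controller instead of the GKE one): the controller
# terminates TLS itself, so it needs a Kubernetes TLS secret, not a pre-shared cert.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-app-ing-nginx # hypothetical name
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
    - secretName: example-org-tls # hypothetical kubernetes.io/tls secret
      hosts:
        - example.org
  rules:
    - host: example.org
      http:
        paths:
          - backend:
              serviceName: my-app-svc
              servicePort: 80
```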