I'm in the process of enabling HTTPS to our kubernates clusters in GCE. I'm trying to utilize kubernates Ingress
I have the cert and priv key, and I have created a secret with these appended (ssl-secret):
apiVersion: v1
kind: Secret
metadata:
name: ssl-secret
type: Opaque
data:
tls.crt: LS0tLS...
tls.key: Mc0c4t...
I also have an Ingress utilizing the secret (ssl-ingress):
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ssl-ingress
spec:
backend:
serviceName: client # Name of the service
servicePort: my-https-port # Fetched from annotations
tls:
- hosts:
- test.domain.se # My domain address
secretName: ssl-secret # Name of my previously created secret
Finally, I try to apply these to my cluster with the following setup:
apiVersion: v1
kind: Service
metadata:
name: client
annotations:
service.alpha.kubernetes.io/app-protocols: '{"my-https-port":"HTTPS"}' # Must map port-name to HTTPS for the GCP ingress controller
labels:
app: client-pods
spec:
type: NodePort
ports:
- port: 12345 #To my understanding, not used
targetPort: client-https
protocol: TCP
name: my-https-port
selector:
name: client-pods
So, my goal is that using this setup, I would be able to reach test.domain.se on https://test.domain.se. But it just times out, while http://test.domain.se works just fine.
Describing the Ingress I get the following:
Name: ssl-ingress
Namespace: default
Address: 35.186.253.27
Default backend: client:my-https-port ()
TLS:
ssl-secret terminates test.domain.se
Rules:
Host Path Backends
---- ---- --------
* * client:my-https-port ()
Annotations:
static-ip: k8s-fw-default-ssl-ingress--59114a8fc664f628
target-proxy: k8s-tp-default-ssl-ingress--59114a8fc664f628
url-map: k8s-um-default-ssl-ingress--59114a8fc664f628
backends: {"k8s-be-31894--59114a8fc664f628":"UNHEALTHY"}
forwarding-rule: k8s-fw-default-ssl-ingress--59114a8fc664f628
Events:
FirstSeen LastSeen Count From SubObjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
7m 7m 1 loadbalancer-controller Normal ADD default/ssl-ingress
6m 6m 1 loadbalancer-controller Normal CREATE ip: 35.186.253.27
6m 2m 18 loadbalancer-controller Warning GCE googleapi: Error 400: The SSL key could not be parsed.
6m 2m 18 loadbalancer-controller Warning Service failed to identify user specified default backend, couldn't find nodeport for default/client, using system default
So my questions are the following:
Warning GCE googleapi: Error 400: The SSL key could not be parsed.
1: It seems like Ingress needs the priv key's passphrase. How do I add a passphrase to the secret (the key does have a known passphrase, but how do I inform the secret of it?)
Warning Service failed to identify user specified default backend, couldn't find nodeport for default/client, using system default
2: It claims that it could not find nodeport for default/client. I have the target service client already running, but itseems the ingress appends default/ before the service name. Why, and how do I specify the client service?
I had the same issue. What I did was this
1) convert private key to RSA private key
openssl rsa -in private.key -out private_rsa.key2) creating secret via command-line
kubectl create secret tls ingress-ssl --key private_rsa.key --cert certificate.crtand using this secret in my Ingress.