Why static content link comes with http protocol while using https on GKE GLB?

I am trying to create a global Gateway in GKE (k8s).

This is how I am trying to achieve this:

Global External Application LB(gateway)(HTTPS)--> Caddy webserver --> Wordpress

Here are my spec files.

kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: mydomain-external-https
  namespace: my-ns
  annotations:
    networking.gke.io/certmap: mydomain-space-certmap
spec:
  gatewayClassName: gke-l7-global-external-managed
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
  addresses:
    - type: NamedAddress
      value: caddy-static-ip

---
kind: HTTPRoute
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: mydomain-space-external-http-route
  namespace: my-ns
  labels:
    gateway: mydomain-external-https
spec:
  parentRefs:
    - name: mydomain-external-https
  hostnames:
    - "v1.mydomain.space"
    - "v2.mydomain.space"
  rules:
    - backendRefs:
        - name: caddy-app-service
          port: 80

This does create an LB, attaches the cert and the static IP to the LB.

I guess this Caddy config file is also of importance for the context so here it is;


v1.mydomain.space:80 {
  root * /var/www/html/v1.mydomain.space
  php_fastcgi localhost:9000
  file_server
  encode gzip
  log {
    output file /var/log/caddy/v1.mydomain.space.access.log
  }
  @static {
    file
    path *.ico *.css *.js *.gif *.jpg *.jpeg *.png *.svg *.woff *.pdf *.webp
  }
  header @static Cache-Control max-age=5184000
}
v2.mydomain.space:80 {
  root * /var/www/html/v2.mydomain.space
  php_fastcgi localhost:9000
  file_server
  encode gzip
  log {
    output file /var/log/caddy/v2.mydomain.space.access.log
  }
  @static {
    file
    path *.ico *.css *.js *.gif *.jpg *.jpeg *.png *.svg *.woff *.pdf *.webp
  }
  header @static Cache-Control max-age=5184000
}
   

Now the problem is that when I try to access https://v1.mydomain.space or https://v2.mydomain.space

the https://v1.mydomain.space/wp-admin/setup-config.php page loads properly over HTTPS and gives an HTTP 200 status, but all the static content links come back with the http protocol, e.g.

http://v1.mydomain.space/wp-includes/css/dashicons.min.css?ver=6.4.1
http://v1.mydomain.space/wp-admin/css/l10n.min.css?ver=6.4.1
http://v1.mydomain.space/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1

and all those fail to load.

I guess the Caddy config is responsible for this, but I can't put my finger on it. Or is it something with the GKE gateway? What's wrong here?

There is 1 answer

Ron Etch

If you already created your domain certificate, you need to terminate the TLS certificate to the GKE Gateway and HTTP Route YAML as follows:

---
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: mydomain-external-https
  namespace: my-ns
  annotations:
    networking.gke.io/certmap: mydomain-space-certmap
spec:
  gatewayClassName: gke-l7-global-external-managed
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      kinds:
      - kind: HTTPRoute
      namespaces:
        from: Same
  - name: https
    protocol: HTTPS
    port: 443
    allowedRoutes:
      kinds:
      - kind: HTTPRoute
      namespaces:
        from: All
    tls:
      mode: Terminate
      options:
        networking.gke.io/pre-shared-certs: mydomain-space-certmap
  addresses:
  - type: NamedAddress
    value: caddy-static-ip

---
kind: HTTPRoute
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: mydomain-space-external-http-route
  namespace: my-ns
  labels:
    gateway: mydomain-external-https
spec:
  parentRefs:
  - namespace: my-ns
    name: mydomain-external-https
    sectionName: https
  hostnames:
  - "v1.mydomain.space"
  - "v2.mydomain.space"
  rules:
  - backendRefs:
    - name: caddy-app-service
      port: 80

You can look at more details in the following documentation: