GKE ingress returns 502 with encrypted service

I'm on GCP and I've deployed ElasticSearch and Kibana into a cluster, using the ElasticSearch operator. I've created an external Ingress with a preshared certificate, to send traffic into the Kibana service. I'm getting 502s however and I'm trying to understand what's wrong. My best guess right now is that the GCE Ingress cannot talk to an encrypted backend - but I don't know for sure how to debug this. Only thing I've managed in order to test this is to disable SSL for Kibana - which then made the connection work. However, that removes the encryption, which I'm not as fond of - I'd rather the traffic from Ingress to pod stayed encrypted.

Now, long term, I could go the route of service mesh, which is what we're planning - but right here and now I'd just like the damn Ingress to play ball and connect to the encrypted endpoint. It looks like nginx controllers can be set to do this through annotations - but I don't see anything similar for GCE load balancers. Am I missing something?

Kibana manifest

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana
  namespace: my-service
spec:
  version: 8.2.2
  count: 1
  elasticsearchRef:
    name: elastic
  config:
    server:
      publicBaseUrl: "https://example.com"
  http:
    service:
      spec:
        type: ClusterIP
      metadata:
        annotations:
          cloud.google.com/backend-config: '{"default": "kibana-backendconfig"}'
          cloud.google.com/neg: '{"ingress": true}'

BackendConfig

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: kibana-backendconfig
  namespace: my-service
spec:
  securityPolicy:
    name: "cf-ip-only"
  healthCheck:
    checkIntervalSec: 60
    healthyThreshold: 1
    port: 5601
    requestPath: /login
    type: HTTPS
    unhealthyThreshold: 2

Ingress manifest

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kibana-ingress
  namespace: my-service
  annotations:
    ingress.gcp.kubernetes.io/pre-shared-cert: "example-com"
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.regional-static-ip-name: "kibana-static-ip"
spec:
  defaultBackend:
    service:
      name: kibana-kb-http
      port:
        number: 5601
  rules:
    - host: "example.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kibana-kb-http
                port:
                  number: 5601

I've tested the Kibana instance through a port-forward. It works fine. I've sent requests to the Ingress - they come back 502, showing the correct certificate for the Ingress. When I check the deployed Ingress, the urlMap shows the backend as being healthy (which means the BackendConfig health check works fine and sends traffic to the proper place).

Right now, I can see two possible causes of the problem:

  • The GCE Ingress has no idea it needs to do encrypted traffic, or
  • The Ingress does not access the self-signed certificate from Kibana, or
  • both

Anyone gotten a GCE Ingress to properly route traffic to Kibana running with self-signed certs?
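The missing piece for a GCE Ingress is a Service-level annotation, not an Ingress one: `cloud.google.com/app-protocols` maps each named Service port to the protocol the load balancer should use towards the backend. Below is the question's Kibana manifest with that annotation added. This is an added example, not the poster's manifest or anything from the ECK project; it assumes the ECK-generated `kibana-kb-http` Service names its 5601 port `https` (ECK does this when TLS is enabled, but the name is the key the annotation is matched on, so it must be confirmed).

```yaml
# Added example (not from the original post): ECK Kibana resource whose generated
# Service is annotated so the GCE Ingress opens HTTPS connections to the pod.
# Assumption: the ECK-created Service exposes port 5601 under the name "https".
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana
  namespace: my-service
spec:
  version: 8.2.2
  count: 1
  elasticsearchRef:
    name: elastic
  config:
    server:
      publicBaseUrl: "https://example.com"
  http:
    service:
      spec:
        type: ClusterIP
      metadata:
        annotations:
          # Backend protocol per named Service port: key = port name,
          # value = HTTP | HTTPS | HTTP2. Without this the load balancer
          # speaks plain HTTP to a TLS-only Kibana and returns 502.
          cloud.google.com/app-protocols: '{"https": "HTTPS"}'
          cloud.google.com/backend-config: '{"default": "kibana-backendconfig"}'
          cloud.google.com/neg: '{"ingress": true}'
```

Confirm the port name before relying on the annotation key, for example with `kubectl -n my-service get svc kibana-kb-http -o jsonpath='{.spec.ports[*].name}'`; if it prints `http`, TLS is not actually enabled on the Kibana HTTP layer. The BackendConfig health check should stay `type: HTTPS` as in the question, since the backend protocol and the health-check protocol are configured independently. One caveat on what this buys you: Google Cloud load balancers encrypt the hop to the backend but do not verify the certificate the backend presents, which is why Kibana's self-signed certificate is not an obstacle here; this gives confidentiality on the path from load balancer to pod, not backend authentication. If backend identity verification matters, that is a reason to keep the service-mesh plan mentioned above.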
