Closed ahmetb closed 5 years ago
Was this a recent change for GKE? I set this up recently, and I thought that the docs called for installing the CRD & controller from this project.
They don't now: https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
Perhaps the docs for this project should point GKE users to the above URL as well.
@jjhuff I'm not sure but I think you're not supposed to install anything from this repo manually if you're on GKE anymore. @krzykwas to confirm soon.
Well, that's definitely progress in making this easier. Is simply deleting the CRD and controller likely to be safe on an existing cluster?
Not sure. But the fact that you’re asking these questions makes me believe that the installation instructions should not exist on this repository so visibly.
Wow! This is a super timely issue, thanks for filing this @ahmetb. Like @jjhuff, I recently set this up as well. Should I delete it from my cluster? What version of K8S is required for this to be available?
I see we're all looking at the same documentation as well today.
@bmhatfield I updated my cluster to `1.12.6-gke.10` per the mention of having it at least `1.12.6-gke.7` here.
Oh! I totally missed that line. Perfect! Thank you!
@aav7fl are you having any luck with this? I upgraded and can confirm that `managedcertificates` is available (both in a cluster that never had this deployed, as well as one that did).
However... nothing happens. The ingress is created, but only with an HTTP frontend. No certificate is obtained, no events are created, the ManagedCertificate doesn't have a status, and there's no indications of errors or progress. It's almost as if the controller isn't running in the cluster.
Did anyone observe differently?
@bmhatfield please open a different issue if you're seeing problems. this issue discusses whether to list installation instructions in the readme or not.
@ahmetb Once there's some consensus on how to undo/switch to the built in managedcertificate that'd be important to add to the README since a number of people will be in this state.
Also, for issues with ManagedCertificates on GKE, should we open an issue here or engage GCP support in some other way?
For GKE, the controller installed from this repo can be safely deleted. The CRD installed from this repo does not need to be deleted, because it is automatically overwritten periodically.
You can engage GCP support. Among things that can go wrong it is possible that your DNS configuration is invalid and it is impossible for a CA to create a certificate in such a situation. The GCP support will route the issues down to the same team at Google that can respond here.
> @aav7fl are you having any luck with this? I upgraded and can confirm that `managedcertificates` is available (both in a cluster that never had this deployed, as well as one that did).
>
> However... nothing happens. The ingress is created, but only with an HTTP frontend. No certificate is obtained, no events are created, the ManagedCertificate doesn't have a status, and there's no indications of errors or progress. It's almost as if the controller isn't running in the cluster.
>
> Did anyone observe differently?
I'll keep it on track after this comment.
I was able to get the managed certificate created through deploying the yaml file. I set it to a node (manually inside GCP), and then it finished provisioning.
Edit: I have it working now. I had to add it to the correct namespace as my load balancer.
@krzykwas Awesome, thanks!
I'm still a little confused by this project, I originally came here because I wanted to add SSL to my project running on GKE, I was happy with the ingress I already had and I didn't want to add nginx on top, but I was disappointed with the fact that `extensions/v1beta1` Ingress didn't seem to do SSL out of the box.
Is there still a way I can use this in my GKE project as intended? I tried it, installed successfully, made the certs but I was still getting HTTP and when I tried HTTPS the requests still wouldn't work. Everything was in namespace default. Either way I do agree that the documentation needs to be elucidated, hopefully this is still something I can use instead of having to add another component to do something my app almost does on its own presently.
@Kezzsim
This repo is for the code that is automatically installed on GKE. This means you do not have to follow the `README.md` in this repo.
Instead, if you're a user of GKE follow this guide which will tell you how to use this pre-installed component.
@ahmetb and all: I have added a section in the README for GKE users and filed PR #25 to add this:
# Installation on your GKE cluster
If you are a user of GKE (`1.12.6-gke.7` or higher), the managed certificate controller provided by this repo is already installed for you and ready to be used right now!
You do not have to follow the below steps [Installation on your own cluster on GCP](#installation-on-your-own-cluster-on-gcp). Instead, follow this getting started guide and start using `networking.gke.io/v1beta1` and `ManagedCertificate`.
# Installation on your own cluster on GCP
This project is developed internally and then the code is pushed to github from an internal Google repo, that is why I can't really apply this change easily - however I recently updated README with the distinction between gke and gcp setup, I also added more info on other things that needed better documentation.
I recommend we set up copybara or move development to oss.
It seems like the install instructions in the readme are for a very small % of the people trying to run "Kubernetes on GCE". Is that right?
If I'm on GKE, I can be easily misled by the readme in this repo and may try to apply the CRD/controller myself, which is a bad idea. Can you please prevent this from happening?
A good way to achieve this could be: