GoogleCloudPlatform / gke-managed-certs

Managed Certificates for Kubernetes clusters using GCLB
Apache License 2.0

No frontend configured on load balancer #2

Closed rsouthgate closed 5 years ago

rsouthgate commented 5 years ago

Pretty excited to see this out there so maybe I jumped the gun a bit but I can't get it to work with my cluster.

Upgraded cluster master to 1.10.7-gke.2, waited for that to propagate to all pods. Created Custom Resource Definition and Controller (removed the serviceAccountName: test-account line within the controller so it should just use default account).

Created the object:

apiVersion: gke.googleapis.com/v1alpha1
kind: ManagedCertificate
metadata:
  name: api-test-certificate
spec:
  domains:
    - apitest.mydomain.co

Edited my Ingress, deleted and created, so now based on this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: api-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: api-test-load-balancer
    kubernetes.io/ingress.allow-http: "false"
    gke.googleapis.com/managed-certificates: api-test-certificate
spec:
  rules:
  ...

Result: LB gets created, but within GCP Dashboard I see the message 'This load balancer has no frontend configured.'

Within the K8s engine under the api-ingress details it seems stuck at 'creating ingress'.

I'm probably missing something critical!

krzykwas commented 5 years ago

Hi! This is actually still a work in progress, we are still before alpha release. Currently managed certificates will not work until my pull request to ingress-gce gets accepted.

The yaml files in the deploy directory are used for setting up environment for e2e tests and this setup works correctly. Are you sure the Ingress error isn't transient?

michael34435 commented 5 years ago

@krzykwas Hi, does it mean gke-managed-certs won't work on current GKE? I had tried it with GKE 1.10.7-gke.2 but LoadBalancer didn't allow me to use HTTP(S) protocol.

Thanks in advance.

krzykwas commented 5 years ago

@michael34435 gke-managed-certs won't work with current GKE, because Ingress in current GKE lacks support for ManagedCertificate CR. The pull request mentioned above needs to be merged first.

Despite the name, gke-managed-certs will work in any k8s cluster using GCLB; it's not limited to GKE clusters. However, the pull request to Ingress is required anyway.

michael34435 commented 5 years ago

Ok, I got it. Thank you for your explanation.

fmacelw commented 5 years ago

@krzykwas I'm pretty excited about this project as well! Great work! Your PR https://github.com/kubernetes/ingress-gce/pull/508 seems to have been approved and merged now - how long should we wait until it will be rolled out into the GCP / GKE infra? And do we need ingress / load balancers to be recreated? I think it would be beneficial if you state more clearly in the README the current project status and its dependencies to work properly to ensure people have the right expectations - this project would be a huge time saver going forward, but I'm concerned early adopters may decide not to use it or leave bad reviews just because they have the wrong expectations (e.g. to be 100% working now).

michael34435 commented 5 years ago

Hi @fmacelw. According to the release notes provided by ingress-gce, I guess we'll see it in the next GKE version.

krzykwas commented 5 years ago

Sorry for a delayed response.

Managed certificates should already work with Ingress v1.4.0 in GCP, you need to just switch a feature flag to enable them.

Once managed certificates are available in GKE, it will be announced through official GKE channels. I'd like not to announce the GKE part here. The GKE release, once it happens, will be in alpha clusters, as this is an alpha feature.

There may be some incompatibility issues I'm not aware of, but it seems to me that it should not be required to recreate Ingress objects.

This is an alpha version. Enabling managed certificates will cause a downtime, because there is yet no support for no-downtime migration from other types of certificates supported by Ingress (pre-shared-cert/k8s secrets). It means that until a managed certificate is provisioned, HTTPS will be down.

bluecmd commented 5 years ago

I was very excited when I found this repository - and it seems like the managed certificate is created but is stuck in FAILED_NOT_VISIBLE due to not being added to the GCLB. I guess this is because this controller is not ready? I didn't find any references in the code to mutating the ingress to actually use the SSL certificate created, but I'm probably missing something.

Maybe a note could be added to the README specifying that this does not work yet without using GKE version TBD, etc?

kianting commented 5 years ago

Hi, I am facing the same issue. I have followed the documentation on creating an HTTPS load balancer with managed certs.

I get the same error when I look at the automatically created load balancer when I kube apply the ingress config files. When I go to the load balancer I still see "This load balancer has no frontend configured". I am using kube version "1.12.7-gke.10".

The documentation says the managed cert will only take 15 minutes to provision, but I have waited for 28 minutes and it is still showing a status of Provisioning.

The load balancer is stuck and the managed cert is stuck. What can I do to move forward?

delashum commented 5 years ago

Facing a very similar problem that I spent days debugging. My ingress config is almost identical except that I don't have the kubernetes.io/ingress.allow-http: "false" rule. So my load balancer did have a frontend protocol, but only for HTTP. I ended up manually creating one for HTTPS and pointing it to the managed certificate, then everything worked.

Any ideas why the HTTPS frontend protocol isn't being created? I'm assuming that it's supposed to be, otherwise there should be a note in that tutorial stating the need to manually add that.
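
Added example, not part of the thread or of the gke-managed-certs project: a Python check over the manifests quoted in the first comment that predicts which load balancer frontends can serve traffic, following the behaviour described in the comments (HTTPS stays down until a managed certificate is provisioned; HTTP is served unless `allow-http` is "false"). The function name, the `provisioned` parameter and the handling of the annotation as a comma-separated list are assumptions, and the manifests are constructed from the ones posted above.

```python
# Added illustration: models the frontend behaviour described in this thread.
ALLOW_HTTP = "kubernetes.io/ingress.allow-http"
MANAGED_CERTS = "gke.googleapis.com/managed-certificates"

# Constructed from the manifests in the first comment.
INGRESS = {
    "kind": "Ingress",
    "metadata": {"name": "api-ingress", "annotations": {
        "kubernetes.io/ingress.global-static-ip-name": "api-test-load-balancer",
        ALLOW_HTTP: "false",
        MANAGED_CERTS: "api-test-certificate",
    }},
    "spec": {},
}
CERTS = [{"kind": "ManagedCertificate",
          "metadata": {"name": "api-test-certificate"},
          "spec": {"domains": ["apitest.mydomain.co"]}}]


def expected_frontends(ingress, managed_certs, provisioned=frozenset()):
    """Return (sorted frontends, warnings) for one Ingress.

    provisioned: names of ManagedCertificate objects whose certificate has
    already been issued (hypothetical input; fill it from your own checks).
    """
    ann = ingress.get("metadata", {}).get("annotations") or {}
    frontends, warnings = set(), []
    # HTTP is served unless the annotation is explicitly "false".
    if str(ann.get(ALLOW_HTTP, "true")).lower() != "false":
        frontends.add("HTTP")
    known = {m["metadata"]["name"] for m in managed_certs}
    # Assumption: the annotation may hold several comma-separated names.
    wanted = [n.strip() for n in ann.get(MANAGED_CERTS, "").split(",") if n.strip()]
    for name in wanted:
        if name not in known:
            warnings.append(f"annotation names unknown ManagedCertificate {name!r}")
    # spec.tls (Kubernetes secrets) also gives the Ingress a certificate.
    has_secret_tls = bool(ingress.get("spec", {}).get("tls"))
    if has_secret_tls or any(n in provisioned for n in wanted if n in known):
        frontends.add("HTTPS")
    elif wanted:
        warnings.append("HTTPS is down until a managed certificate is provisioned")
    if not frontends:
        warnings.append("no frontend: HTTP disabled and no usable certificate yet")
    return sorted(frontends), warnings


if __name__ == "__main__":
    print(expected_frontends(INGRESS, CERTS))
    print(expected_frontends(INGRESS, CERTS, {"api-test-certificate"}))
```
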