GoogleCloudPlatform / gke-managed-certs

Managed Certificates for Kubernetes clusters using GCLB
Apache License 2.0

Managed certificate is ignored #21

Closed qbast closed 5 years ago

qbast commented 5 years ago

Hello

I created a fresh GKE cluster with version 1.12.6-gke.10. Then I followed the how-to: creating the managedcertificate, service, ingress, external IP and DNS name all worked fine. I also verified that the domain name resolves to the IP of the load balancer.

However, after the LB is created, nothing happens: kubectl describe managedcertificate shows 'Events: '. The LB is listening only on port 80. Is there any way to debug this?

Cidan commented 5 years ago

+1, using GKE 1.12.6-gke.10, the setup instructions here do not work. The resources are submitted, but the managed cert sits in a perpetually stuck state, with events reading nothing/blank, and no status set. I additionally do not see a managed cert provisioned on GCP itself.

qbast commented 5 years ago

I retested it with version 1.12.7-gke.7. The same problem. It works, however, with 1.12.6-gke.7. So something must have changed between 1.12.6-gke.7 and 1.12.6-gke.10.

krzykwas commented 5 years ago

In GKE we have identified an issue with regional clusters, where managed certificates would behave in the way you've described. Are these regional clusters?

The fix at earliest could be deployed in production at the end of April.

Meanwhile you could deploy the controller from this github repository in your cluster as a mitigation before a fix is deployed.

qbast commented 5 years ago

This explains things - all my non-working clusters were regional and the one where it worked was zonal. Thanks for the hint, I will use the controller.

Cidan commented 5 years ago

Yes, same here. The clusters I'm running are regional. Thanks :)

jakebolam commented 5 years ago

This is happening for me too, regional cluster.

I initially believed this was due to: https://github.com/kubernetes/ingress-gce/issues/738

jakebolam commented 5 years ago

The workaround didn't work for us. We've moved back to providing our certs for now.

jakebolam commented 5 years ago

The workaround was failing due to https://github.com/GoogleCloudPlatform/gke-managed-certs/issues/18

jjhuff commented 5 years ago

@krzykwas Any update on the fix? Users are rather stuck. The built-in stuff doesn't work with regional, and this project crash-loops.

alexdianomi commented 5 years ago

The thing meant to avoid the matrix from hell has its own matrix from hell.

reynaldiwijaya commented 5 years ago

May I know if there is any timeline for the actual release / implementation in GKE cluster?

matti commented 5 years ago

See https://github.com/GoogleCloudPlatform/gke-managed-certs/issues/18 for an update on the workaround.

drwxmrrs commented 5 years ago

I had this working a few days ago which is really odd.

@qbast I assume you mean 1.12.6-gke.7 for the node versions?

Can't select that version for master from what I can see in GKE.

davidgolub commented 5 years ago

I'm having the same issue. This is the error message I get when accessing the https endpoint from the browser. Does someone have a clear workaround I can use?

drwxmrrs commented 5 years ago

That issue tends to resolve itself within 10 minutes of a successful provision.

On 19 May 2019, 9:53 AM +1000, David Golub notifications@github.com wrote:

> I'm having the same issue. This is the error message I get when accessing the https endpoint from the browser. Does someone have a clear workaround I can use?

matti commented 5 years ago

yep, sometimes it takes max(10min)

rvdh commented 5 years ago

Still experiencing this issue on a regional v1.12.7-gke.10 cluster. @krzykwas any update on when a fix will be deployed?

krzykwas commented 5 years ago

The regional cluster issue is fixed in 1.12.7-gke.17 released the previous week.

reynaldiwijaya commented 5 years ago

Yeah, upgraded and works smoothly

JohannesRudolph commented 5 years ago

Upgrading to 1.12.7-gke.17 worked for me too, however the cert took about 15 minutes to fix SSL protocol errors as described by @davidgolub.

jakebolam commented 5 years ago

Upgraded, and back online. Thanks for getting this done 🙏