gocd / gocd-helm-chart

A Helm chart for www.gocd.org
Apache License 2.0

Support Server Only K8s Deployments #14

Open GaneshSPatil opened 7 years ago

GaneshSPatil commented 7 years ago

Type

Description

The GoCD Helm Chart exposes the GoCD application to the external world through Ingress, which supports only HTTP connections. GoCD agents are unable to connect to the server running on the Kubernetes cluster, as the HTTPS port is not exposed!

dodizzle commented 5 years ago

I have this same issue. To work around it, I have 2 service configs. One is for port 8153, of type NodePort, which the nginx-ingress load balancer uses as its backend. The second service exposes port 8154 using the service type LoadBalancer.

The agents still fail to connect even with the correct goServerUrl because of an SSL handshake error, but that is a separate issue.

varshavaradarajan commented 5 years ago

Workaround: While using the Helm chart, disable ingress. The gocd service (of type NodePort or LoadBalancer) exposes the HTTPS port, which can be used by agents outside of the cluster to access the GoCD server.

Service types (LoadBalancer|NodePort) are not designed to terminate HTTP(S) traffic, as they are not aware of individual HTTP(S) requests, while ingress is.

This worked on minikube. Since ingress is disabled, we need to provide another way of having SSL certs. Adding SSL certificates to this depends on the platform. On AWS, the service annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert can be set to the ARN of the certificate, I think. I don't know what it is on GCP. Maybe https://cloud.google.com/load-balancing/docs/ssl-certificates will help.
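The two-service layout described in the comments above, written out as plain Kubernetes manifests. This is an added example and not part of the thread or the chart's own templates; the namespace, Service names, pod labels and source CIDR are assumptions to be replaced with the values of the actual release.

```yaml
# Added illustration; not taken from the gocd-helm-chart repository.
# Hypothetical values: namespace "gocd", labels app=gocd / component=server,
# both Service names, and the 203.0.113.0/24 source range (documentation CIDR).
---
# Service 1: plain HTTP on 8153, used only as the ingress controller's backend.
apiVersion: v1
kind: Service
metadata:
  name: gocd-server-http          # hypothetical name
  namespace: gocd
spec:
  type: NodePort
  selector:
    app: gocd
    component: server
  ports:
    - name: http
      port: 8153
      targetPort: 8153
      protocol: TCP
---
# Service 2: HTTPS on 8154 for agents outside the cluster.
# A Service forwards TCP and does not inspect HTTP(S) requests, so the TLS
# session is between the agent and the GoCD server, not the load balancer.
apiVersion: v1
kind: Service
metadata:
  name: gocd-server-agents        # hypothetical name
  namespace: gocd
spec:
  type: LoadBalancer
  # Limit exposure of the agent port to the networks the agents run in.
  loadBalancerSourceRanges:
    - 203.0.113.0/24              # placeholder CIDR
  selector:
    app: gocd
    component: server
  ports:
    - name: https
      port: 8154
      targetPort: 8154
      protocol: TCP
```

With this layout the certificate agents see on 8154 is the one the GoCD server presents, so agents must trust that certificate for the handshake to succeed.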