Tags: ssl, google-cloud-platform, google-kubernetes-engine, gke-networking

Google Managed SSL Certificate Stuck on FAILED_NOT_VISIBLE


I'm trying to configure an HTTPS/Layer 7 Load Balancer with GKE. I'm following SSL certificates overview and GKE Ingress for HTTP(S) Load Balancing.

My config. has worked for some time. I wanted to test Google's managed service.

This is how I've set it up so far:

k8s/staging/staging-ssl.yml:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-staging-lb-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-staging-global"
    ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"
    kubernetes.io/ingress.allow-http: "false"
spec:
  rules:
  - host: staging.my-app.no
    http:
      paths:
      - path: /*
        backend:
          serviceName: my-svc
          servicePort: 3001

gcloud compute addresses list

#=>

NAME               REGION  ADDRESS         STATUS
my-staging-global          35.244.160.NNN  RESERVED

host staging.my-app.no

#=>

35.244.160.NNN

but it is stuck on FAILED_NOT_VISIBLE:

gcloud beta compute ssl-certificates describe staging-google-managed-ssl

#=>

creationTimestamp: '2018-12-20T04:59:39.450-08:00'
id: 'NNNN'
kind: compute#sslCertificate
managed:
  domainStatus:
    staging.my-app.no: FAILED_NOT_VISIBLE
  domains:
  - staging.my-app.no
  status: PROVISIONING
name: staging-google-managed-ssl
selfLink: https://www.googleapis.com/compute/beta/projects/my-project/global/sslCertificates/staging-google-managed-ssl
type: MANAGED

Any idea on how I can fix or debug this further?


I found a section in the doc I linked to at the beginning of the post, "Associating SSL certificate resources with a target proxy":

Use the following gcloud command to associate SSL certificate resources with a target proxy, whether the SSL certificates are self-managed or Google-managed.

gcloud compute target-https-proxies create [NAME] \
--url-map=[URL_MAP] \
--ssl-certificates=[SSL_CERTIFICATE1][,[SSL_CERTIFICATE2], [SSL_CERTIFICATE3],...]

Is that necessary when I have this line in k8s/staging/staging-ssl.yml?

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    . . .
    ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"
    . . .

Solution

  • It turns out that I had mistakenly made some changes to the production environment and others to staging. Everything worked as expected when I figured that out and followed the guide. :-)
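
A way to check the two things this question turns on, as an added example that is not part of the original post: it parses the `describe` output shown above and tests whether DNS points at the reserved address and whether the certificate is on the target HTTPS proxy. It assumes those are the preconditions behind FAILED_NOT_VISIBLE, as listed in Google's load balancing documentation; the 203.0.113.10 address and the `prod-ssl` certificate name are constructed sample values.

```bash
#!/bin/sh
# Added example (not from the original post). Functions take text as input so
# they run offline; SAMPLE is constructed from the output in the question.

# Print "<domain> <status>" for each entry under managed.domainStatus in the
# output of: gcloud beta compute ssl-certificates describe <cert>
domain_statuses() {
  awk '
    /^  domainStatus:/ { in_block = 1; next }
    in_block && /^    [^ ]/ { sub(/^ +/, ""); split($0, kv, ": "); print kv[1], kv[2]; next }
    { in_block = 0 }
  '
}

# Diagnose one domain. Arguments:
#   $1 domain   $2 domain status   $3 reserved load balancer address
#   $4 A records the domain resolves to (space-separated)
#   $5 certificate names on the target HTTPS proxy (space-separated)
#   $6 name of the managed certificate
# Returns 0 if ACTIVE, 1 if a precondition is unmet, 2 if still pending.
diagnose() {
  [ "$2" = "ACTIVE" ] && { echo "$1: ok"; return 0; }
  case " $4 " in
    *" $3 "*) ;;
    *) echo "$1: $2, DNS does not resolve to $3"; return 1 ;;
  esac
  case " $5 " in
    *" $6 "*) ;;
    *) echo "$1: $2, $6 is not attached to the target HTTPS proxy"; return 1 ;;
  esac
  echo "$1: $2, DNS and proxy attachment match; provisioning may still be pending"
  return 2
}

SAMPLE='managed:
  domainStatus:
    staging.my-app.no: FAILED_NOT_VISIBLE
  domains:
  - staging.my-app.no
  status: PROVISIONING
name: staging-google-managed-ssl'

# Constructed scenario: DNS is correct, but the proxy in this project carries a
# different (hypothetical) certificate, as when environments are mixed up.
printf '%s\n' "$SAMPLE" | domain_statuses | while read -r domain status; do
  diagnose "$domain" "$status" 203.0.113.10 "203.0.113.10" "prod-ssl" \
    staging-google-managed-ssl || true
done
```

Against a live project, pipe the real `describe` output into `domain_statuses` and pass the values from `gcloud compute addresses list`, `host`, and the target HTTPS proxy in the same project as the Ingress.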