GCP – GKE Setup: Error during load balancer auto generation

google-cloud-platform, google-kubernetes-engine, ingress

I have a GCP internal private IP GKE cluster that has multiple services that we support. I am attempting to set up an ingress to support these multiple services over TLS. This is based on the following GCP documentation located here https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balance-ingress and here https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl

Here is my example ingress:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  namespace: myns
  annotations:
    #kubernetes.io/ingress.class: nginx
    kubernetes.io/ingress.class: "gce-internal" # Sets for internal IP's
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
    - secretName: service1-api.us.corp
    - secretName: service2-api.us.corp
  rules:
    - host: service1-api.us.corp
      http:
        paths:
        - backend:
            serviceName: service1-api-service
            servicePort: 443
    - host: service2-api.us.corp
      http:
        paths:
        - backend:
            serviceName: service2-api-service
            servicePort: 443

Here is an example of one of the services

apiVersion: v1
kind: Service
metadata:
  name: service1-api-service
  namespace: myns
  annotations:
    #cloud.google.com/load-balancer-type: "Internal"
    cloud.google.com/neg: '{"ingress": true}'
  labels:
    app-name: service1-api
spec:
  #type: LoadBalancer
  #loadBalancerIP: 172.28.11.140
  selector:
    app-type: restful-api
    app-name: service1-api
  ports:
    - protocol: TCP
      name: https
      port: 443
      targetPort: 80
  type: NodePort
  #type: ClusterIP

I have gone through the process of setting up TLS certs inside of secrets. However, when deploying the ingress, I get the following error:

Error during sync: error running load balancer syncing routine:
loadbalancer xxxxxxxx-myns-my-ingress-xxxxxxxx does not exist:
googleapi: Error 400: Invalid value for field 'resource.target':
'https://www.googleapis.com/compute/beta/projects/myproject/regions/us-east4/targetHttpsProxies/k8s2-ts-xxxxxxxx-myns-my-ingress-xxxxxxxx'.
A reserved and active subnetwork is required in the same region and
VPC as the forwarding rule., invalid

Based on the documentation, since the load balancer is auto-generated, I am at a loss on how to correct this issue.

Best Answer

The Troubleshooting section mentions this:

Verifying that proxy-only subnet is created before creating Ingress so as to avoid any sync errors while deploying Ingress.

After I created the proxy-only subnet, as described here, everything started to work.
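
A pre-flight check for the condition named in the error message and in the answer above, as an added example that is not part of the original question or answer: it reads subnet data in the shape of `gcloud compute networks subnets list --format=json` and reports whether an ACTIVE proxy-only subnet exists in the region and VPC the `gce-internal` Ingress will use. The VPC name `corp-vpc`, the subnet names and the CIDR ranges are constructed sample values.

```python
import json

# Purpose values the Compute API gives proxy-only subnets (older and newer name).
PROXY_PURPOSES = {"INTERNAL_HTTPS_LOAD_BALANCER", "REGIONAL_MANAGED_PROXY"}

def _tail(url):
    """Last path segment of a Compute resource URL (region or network name)."""
    return url.rstrip("/").rsplit("/", 1)[-1]

def check_proxy_only_subnet(subnets_json, region, network):
    """Return (ok, findings) for the region and VPC the Ingress will use."""
    findings = []
    for s in json.loads(subnets_json):
        if s.get("purpose") not in PROXY_PURPOSES:
            continue  # ordinary subnet, irrelevant to the load balancer proxies
        name, reg, net = s["name"], _tail(s["region"]), _tail(s["network"])
        if reg != region:
            findings.append(f"{name}: region {reg}, need {region}")
        elif net != network:
            findings.append(f"{name}: VPC {net}, need {network}")
        elif s.get("role") != "ACTIVE":
            findings.append(f"{name}: role {s.get('role')}, need ACTIVE")
        else:
            return True, [f"{name}: ACTIVE proxy-only subnet {s['ipCidrRange']}"]
    return False, findings or ["no proxy-only subnet found"]

# Constructed sample data; "corp-vpc" and the subnet names are hypothetical,
# project and region follow the error message in the question.
_P = "https://www.googleapis.com/compute/v1/projects/myproject"

def _row(name, purpose, role, region, cidr):
    return {"name": name, "purpose": purpose, "role": role, "ipCidrRange": cidr,
            "region": f"{_P}/regions/{region}",
            "network": f"{_P}/global/networks/corp-vpc"}

SAMPLE = json.dumps([
    _row("gke-nodes", "PRIVATE", None, "us-east4", "172.28.0.0/20"),
    _row("proxy-central", "INTERNAL_HTTPS_LOAD_BALANCER", "ACTIVE",
         "us-central1", "10.129.0.0/23"),
    _row("proxy-east-old", "INTERNAL_HTTPS_LOAD_BALANCER", "BACKUP",
         "us-east4", "10.130.0.0/23"),
])

if __name__ == "__main__":
    ok, findings = check_proxy_only_subnet(SAMPLE, "us-east4", "corp-vpc")
    print("ready for gce-internal Ingress:", ok)
    for line in findings:
        print(" -", line)
```

With the sample data the check fails for `us-east4`, because the only proxy-only subnets are in another region or in the BACKUP role, which is the situation the 400 error describes.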
