I have a GCP Internal private IP GKE cluster that has multiple services that we support. I am attempting to set up an ingress to support these multiple services over TLS. This is based on the following GCP documentation located here https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balance-ingress and here https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
Here is my example ingress:

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: my-ingress
      namespace: myns
      annotations:
        #kubernetes.io/ingress.class: nginx
        kubernetes.io/ingress.class: "gce-internal" # Sets for internal IP's
        kubernetes.io/ingress.allow-http: "false"
    spec:
      tls:
      - secretName: service1-api.us.corp
      - secretName: service2-api.us.corp
      rules:
      - host: service1-api.us.corp
        http:
          paths:
          - backend:
              serviceName: service1-api-service
              servicePort: 443
      - host: service2-api.us.corp
        http:
          paths:
          - backend:
              serviceName: service2-api-service
              servicePort: 443

Here is an example of one of the services

    apiVersion: v1
    kind: Service
    metadata:
      name: service1-api-service
      namespace: myns
      annotations:
        #cloud.google.com/load-balancer-type: "Internal"
        cloud.google.com/neg: '{"ingress": true}'
      labels:
        app-name: service1-api
    spec:
      #type: LoadBalancer
      #loadBalancerIP: 172.28.11.140
      selector:
        app-type: restful-api
        app-name: service1-api
      ports:
      - protocol: TCP
        name: https
        port: 443
        targetPort: 80
      type: NodePort
      #type: ClusterIP

I have gone through the process of setting up TLS certs inside of secrets. However, when deploying the ingress, I get the following error:

    Error during sync: error running load balancer syncing routine:
    loadbalancer xxxxxxxx-myns-my-ingress-xxxxxxxx does not exist:
    googleapi: Error 400: Invalid value for field 'resource.target':
    'https://www.googleapis.com/compute/beta/projects/myproject/regions/us-east4/targetHttpsProxies/k8s2-ts-xxxxxxxx-myns-my-ingress-xxxxxxxx'.
    A reserved and active subnetwork is required in the same region and
    VPC as the forwarding rule., invalid

Based on the documentation, since the load balancer is auto-generated, I am at a loss on how to correct this issue.
Best Answer
In the Troubleshooting section, this is mentioned:
After I created the proxy-only subnet, as described here, everything started to work.
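
A pre-flight check for the condition in the error message ("a reserved and active subnetwork ... in the same region and VPC"), as an added example that is not part of the original question or answer. It expects the list produced by `gcloud compute networks subnets list --format=json`; the VPC name `my-vpc`, the subnet names and the CIDR ranges below are constructed sample values.

```python
# Purpose values that mark a proxy-only subnet in the Compute Engine API.
PROXY_ONLY_PURPOSES = {"INTERNAL_HTTPS_LOAD_BALANCER", "REGIONAL_MANAGED_PROXY"}


def _last(url):
    """Final path segment of a resource URL (or the bare name itself)."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def find_active_proxy_subnet(subnets, region, network):
    """Return the ACTIVE proxy-only subnet for (region, network), or None."""
    for s in subnets:
        if (s.get("purpose") in PROXY_ONLY_PURPOSES
                and s.get("role") == "ACTIVE"
                and _last(s.get("region", "")) == region
                and _last(s.get("network", "")) == network):
            return s
    return None


def diagnose(subnets, region, network):
    """Say whether the ingress forwarding rule will find its subnet."""
    hit = find_active_proxy_subnet(subnets, region, network)
    if hit:
        return f"ok: {hit['name']} ({hit['ipCidrRange']})"
    near = [s["name"] for s in subnets
            if s.get("purpose") in PROXY_ONLY_PURPOSES]
    if near:
        return ("missing: proxy-only subnets exist but none is ACTIVE "
                "in this region and VPC: " + ", ".join(near))
    return "missing: no proxy-only subnet at all"


def _subnet(name, purpose, role, region, cidr, network="my-vpc"):
    """Build one constructed record shaped like the gcloud JSON output."""
    base = "https://www.googleapis.com/compute/v1/projects/myproject"
    return {"name": name, "purpose": purpose, "role": role,
            "ipCidrRange": cidr,
            "region": f"{base}/regions/{region}",
            "network": f"{base}/global/networks/{network}"}


# Constructed sample: node subnet, wrong-region proxy subnet, BACKUP-role one.
SAMPLE = [
    _subnet("gke-nodes", "PRIVATE", None, "us-east4", "10.0.0.0/20"),
    _subnet("proxy-central", "INTERNAL_HTTPS_LOAD_BALANCER", "ACTIVE",
            "us-central1", "10.129.0.0/23"),
    _subnet("proxy-east-backup", "INTERNAL_HTTPS_LOAD_BALANCER", "BACKUP",
            "us-east4", "10.130.0.0/23"),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE, "us-east4", "my-vpc"))
```

If the check reports `missing`, the subnet is created with `gcloud compute networks subnets create` using `--purpose`, `--role=ACTIVE`, `--region`, `--network` and `--range`, with the region and VPC matching the cluster's.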