Solved: Error creating http to https redirect

muyaszed · 12-25-2021 11:44 AM

I am trying to follow this tutorial to setup an https redirect on my existing load balancer. Unfortunately, when using the same reserve ip address when creating the partial balancer I get the error below.

ERROR: (gcloud.compute.forwarding-rules.create) Could not fetch resource:
 - Invalid value for field 'resource.IPAddress': 'https://compute.googleapis.com/compute/v1/projects/hot-malaysia-deals/global/addresses/shiok-deals-ip'. Specified IP address is in-use and would result in a conflict.

Any help is appreciated. Thanks

abdelfettah

In that case you should not change the loadbalancer configuration manually. any changes made will be reversed by the Ingress controller.

You can however implement http to https redirect using a FrontendConfig object. Here is a tutorial to help you out [1]

In a nutshell you should create a FrontendConfig object like this

apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: ingress-security-config
spec:
  sslPolicy: gke-ingress-ssl-policy
  redirectToHttps:
    enabled: true

And add an annotation to your Ingress object like this

    networking.gke.io/v1beta1.FrontendConfig: ingress-security-config

This might require you to re-create the Ingress from scratch

[1] https://github.com/GoogleCloudPlatform/gke-networking-recipes/tree/master/ingress/single-cluster/ing...

View solution in original post

glen_yu

Is that from step #6 in the tutorial?

       gcloud compute forwarding-rules create http-content-rule \
           --load-balancing-scheme=EXTERNAL \
           --network-tier=PREMIUM \
           --address=lb-ipv4-1 \
           --global \
           --target-http-proxy=http-lb-proxy \
           --ports=80

muyaszed

Hi, yes and

lb-ipv4-1

should be the existing ip address created before

abdelfettah

Is your loadbalancer provisioned from GKE or did you manually provision it ?

muyaszed

Hi, if I understand correctly yes it is

abdelfettah

Yes it is for which one ? Via GKE or manually provisioned ?

If your LoadBalancer is provisioned via GKE can you please share your yaml manifests ?

muyaszed

I mean via GKE, here is the manifest

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: managed-cert-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: shiok-deals-ip
    networking.gke.io/managed-certificates: shiok-deals-cert
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
    - host: shiok.deals
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: front-service
                port:
                  number: 80
    - host: www.shiok.deals
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: front-service
                port:
                  number: 80
    - host: backend.shiok.deals
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: back-service
                port:
                  number: 9001

abdelfettah

In that case you should not change the loadbalancer configuration manually. any changes made will be reversed by the Ingress controller.

You can however implement http to https redirect using a FrontendConfig object. Here is a tutorial to help you out [1]

In a nutshell you should create a FrontendConfig object like this

apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: ingress-security-config
spec:
  sslPolicy: gke-ingress-ssl-policy
  redirectToHttps:
    enabled: true

And add an annotation to your Ingress object like this

    networking.gke.io/v1beta1.FrontendConfig: ingress-security-config

This might require you to re-create the Ingress from scratch

[1] https://github.com/GoogleCloudPlatform/gke-networking-recipes/tree/master/ingress/single-cluster/ing...

abdelfettah

Check also this doc https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features

to make sure your Cluster version support the FronendConfig objects

muyaszed

@abdelfettah just a quick question, is the SSL Policy the same with the google managed certificate I've created before.

Thanks

muyaszed

Ok no worries I already get it . Thanks anyway