LoadBalancer SSL policy is not updated after helm changes GCP

I am applying the SSL policy using `FrontendConfig` in helm k8s
```
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: test-preview
spec:
  sslPolicy: {{ .Values.frontendConfig.sslPolicy }}
```
ingress.yaml
```
# Source: test/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  labels:
    helm.sh/chart: test-0.1.0
    app.kubernetes.io/name: test-preview
    app.kubernetes.io/instance: test-preview
    app.kubernetes.io/version: "stable"
    app.kubernetes.io/managed-by: Helm
  annotations:
    cloud.google.com/load-balancer-type: External
    ingress.gcp.kubernetes.io/pre-shared-cert: some-cert
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.global-static-ip-name: test-preview
    networking.gke.io/v1beta1.FrontendConfig: test-preview
```
It is applied successfully, but when I remove the annotation and the FrontendConfig, the LoadBalancer itself does not change and is still attached to this SSL policy, not to the default.
So the FrontendConfig does not even exist, and the Ingress does not have the `networking.gke.io/v1beta1.FrontendConfig` annotation.


Hi @eternity,

Based on the details that you have provided, it seems you're encountering an issue where the LoadBalancer continues to use the SSL policy even after removing the FrontendConfig annotation and the FrontendConfig itself. This behavior might be due to the way GKE handles changes in the LoadBalancer configuration.

You can try doing the following:

  1. Make sure that you have performed a rolling update for the changes to take effect. 

    kubectl rollout restart deployment <your-deployment-name>

  2. Verify the status of the LoadBalancer in GKE. 

     
    kubectl get services <your-service-name> -o wide

    Look for the "EXTERNAL-IP" field to confirm that the LoadBalancer has updated.

  3. Verify that the networking.gke.io/v1beta1.FrontendConfig annotation is removed from your Ingress resource.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: your-ingress
      annotations:
        # Remove the following line
        networking.gke.io/v1beta1.FrontendConfig: "your-frontend-config"
    spec: ...

  4. If the LoadBalancer still retains the SSL policy, you can try manually deleting the FrontendConfig resource:

     
    kubectl delete frontendconfig your-frontend-config

    Replace your-frontend-config with the actual name of your FrontendConfig resource.

  5. Check the backend services associated with the LoadBalancer:

     
    kubectl describe services <your-service-name>

    Check if the backend service is correctly updated and does not reference the SSL policy.

Also, you can check this modified version of your Ingress YAML where the networking.gke.io/v1beta1.FrontendConfig annotation is removed:

```
# Source: test/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  labels:
    helm.sh/chart: test-0.1.0
    app.kubernetes.io/name: test-preview
    app.kubernetes.io/instance: test-preview
    app.kubernetes.io/version: "stable"
    app.kubernetes.io/managed-by: Helm
  annotations:
    cloud.google.com/load-balancer-type: External
    ingress.gcp.kubernetes.io/pre-shared-cert: some-cert
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.global-static-ip-name: test-preview
    # Remove the following line
    networking.gke.io/v1beta1.FrontendConfig: "test-preview"
```

Then, to apply:

```
kubectl apply -f your-modified-ingress.yaml
```

After applying this change, the Ingress should no longer reference the FrontendConfig, and the load balancer should revert to the default behavior. Remember to perform a rolling update if necessary.

Let me know if this helps.

Hello, thank you for the answer. I can confirm that the annotation is removed from the Ingress config and the FrontendConfig resource does not exist, but when I go into the GCP Console I can see that the SSL policy is still attached to the LB.
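
A check for the state described in this thread (Ingress annotation and FrontendConfig gone, SSL policy still on the load balancer), as an added example that is not code from any of the posts: it compares the policy the cluster objects request with the `sslPolicy` field of the target HTTPS proxy named in the controller-written `ingress.kubernetes.io/https-target-proxy` annotation. The proxy, project and policy names are constructed placeholders, and the function names are hypothetical.

```python
import json

FC_ANNOTATION = "networking.gke.io/v1beta1.FrontendConfig"
# Annotation the GKE Ingress controller writes with the HTTPS proxy name.
PROXY_ANNOTATION = "ingress.kubernetes.io/https-target-proxy"


def expected_policy(ingress, frontend_configs):
    """SSL policy the cluster state asks for; None means the GCP default."""
    annotations = ingress["metadata"].get("annotations") or {}
    fc = frontend_configs.get(annotations.get(FC_ANNOTATION))
    return (fc or {}).get("spec", {}).get("sslPolicy")


def attached_policy(proxy):
    """Short name of the policy on a target HTTPS proxy, or None."""
    url = proxy.get("sslPolicy")
    return url.rstrip("/").rsplit("/", 1)[-1] if url else None


def check_drift(ingress, frontend_configs, proxies):
    """Compare what the Ingress requests with what the proxy really has."""
    annotations = ingress["metadata"].get("annotations") or {}
    name = annotations.get(PROXY_ANNOTATION)
    proxy = next((p for p in proxies if p["name"] == name), None)
    if proxy is None:
        raise LookupError(f"target HTTPS proxy {name!r} not found")
    want = expected_policy(ingress, frontend_configs)
    have = attached_policy(proxy)
    return {"proxy": name, "expected": want, "attached": have, "drift": want != have}


# Constructed sample data (names and project are placeholders), shaped like
#   kubectl get ingress test -o json
#   gcloud compute target-https-proxies list --format=json
INGRESS = json.loads("""{"metadata": {"name": "test", "annotations": {
  "kubernetes.io/ingress.class": "gce",
  "ingress.kubernetes.io/https-target-proxy": "example-https-proxy"}}}""")
PROXIES = json.loads("""[{"name": "example-https-proxy", "sslPolicy":
  "https://www.googleapis.com/compute/v1/projects/example-project/global/sslPolicies/example-ssl-policy"}]""")
FRONTEND_CONFIGS = {}  # keyed by name; empty because the FrontendConfig was deleted

if __name__ == "__main__":
    print(check_drift(INGRESS, FRONTEND_CONFIGS, PROXIES))
```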