Kubernetes incorrectly warns with "invalid ingress configuration" when using the "allow-http: false" annotation

On GKE, creating an Ingress with a managed certificate and disabling http as described in Disabling HTTP via the annotation: kubernetes.io/ingress.allow-http: "false" generates a warning:

GKE v1.17.8-gke.17:

kubectl version |grep Server
Server Version: version.Info{Major:"1", Minor:"17+", GitVersion:"v1.17.8-gke.17", GitCommit:"cd7ca396c79d2e8f3fdb06c6865549770091d431", GitTreeState:"clean", BuildDate:"2020-07-20T22:12:03Z", GoVersion:"go1.13.9b4", Compiler:"gc", Platform:"linux/amd64"}

Steps to reproduce:

$ kubectl get -n frontend ingress 
No resources found in frontend namespace.
$ grep allow app/store/cluster/in-scope/namespaces/frontend/ingress.yaml 
    kubernetes.io/ingress.allow-http: "false"
$ kubectl -n frontend apply -f .../ingress.yaml 
ingress.networking.k8s.io/frontend created
$ kubectl -n frontend describe ingress frontend
Name:             frontend
Namespace:        frontend
Address:          34.120.228.7
Default backend:  default-http-backend:80 (10.4.1.11:8080)
Rules:
  Host        Path  Backends
  ----        ----  --------
  *           
              /*   frontend:80 (10.4.1.4:8080)
Annotations:  ingress.gcp.kubernetes.io/pre-shared-cert: mcrt-REDACTED
              ingress.kubernetes.io/backends: {"k8s-be-31403--REDACTED":"HEALTHY","k8s-be-31818--REDACTED":"HEALTHY"}
              ingress.kubernetes.io/https-forwarding-rule: k8s2-fs-888jw4sk-frontend-frontend-REDACTED
              ingress.kubernetes.io/https-target-proxy: k8s2-ts-888jw4sk-frontend-frontend-REDACTED
              ingress.kubernetes.io/ssl-cert: mcrt-REDACTED
              ingress.kubernetes.io/url-map: k8s2-um-888jw4sk-frontend-frontend-REDACTED
              kubernetes.io/ingress.allow-http: false
              kubernetes.io/ingress.global-static-ip-name: frontend-ext-ip
              networking.gke.io/managed-certificates: frontend
Events:
  Type     Reason  Age   From                     Message
  ----     ------  ----  ----                     -------
  Normal   ADD     97s   loadbalancer-controller  frontend/frontend
  Warning  Sync    54s   loadbalancer-controller  Error during sync: error running load balancer syncing routine: loadbalancer 888jw4sk-frontend-frontend-REDACTED does not exist: invalid ingress frontend configuration, please check your usage of the 'kubernetes.io/ingress.allow-http' annotation.
  Normal   CREATE  37s   loadbalancer-controller  ip: (REDACTED)

The warning message appears even when using the annotation as documented: "Warning Sync 54s loadbalancer-controller Error during sync: error running load balancer syncing routine: loadbalancer 888jw4sk-frontend-frontend-REDACTED does not exist: invalid ingress frontend configuration, please check your usage of the 'kubernetes.io/ingress.allow-http' annotation."

Contents of ingress.yaml:

$ cat app/store/cluster/in-scope/namespaces/frontend/ingress.yaml 
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: frontend
  annotations:
    kubernetes.io/ingress.global-static-ip-name: frontend-ext-ip
    kubernetes.io/ingress.allow-http: "false"
    networking.gke.io/managed-certificates: frontend
spec:
  rules:
  - http:
      paths:
        - path: "/*"
          backend:
            serviceName: frontend
            servicePort: 80

It does not appear to be related to the status of the ManagedCertificate:

$ kubectl -n frontend describe managedcertificates.networking.gke. frontend
Name:         frontend
Namespace:    frontend
Labels:       <none>
Annotations:  API Version:  networking.gke.io/v1beta2
Kind:         ManagedCertificate
Metadata:
  Creation Timestamp:  2020-08-12T18:35:56Z
  Generation:          4
  Resource Version:    443128
  Self Link:           /apis/networking.gke.io/v1beta2/namespaces/frontend/managedcertificates/frontend
  UID:                 REDACTED
Spec:
  Domains:
    store.REDACTED.com
Status:
  Certificate Name:    mcrt-REDACTED
  Certificate Status:  Active
  Domain Status:
    Domain:     store.REDACTED.com
    Status:     Active
  Expire Time:  2020-11-10T10:47:37.000-08:00
Events:         <none>

This is possibly related to #1001, however the WillNotConfigureFrontend event is not seen.

kubernetes/ingress-gce
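
A check for whether the HTTP frontend is really absent on an Ingress like the one in this report, independent of the Sync warning. This is an added example, not code from the issue or from ingress-gce. It reads the JSON form of the Ingress (`kubectl get ingress -o json`); the `forwarding-rule` and `target-proxy` status keys are assumed to be what ingress-gce sets for a port-80 frontend and do not appear on this page.

```python
import json

ALLOW_HTTP = "kubernetes.io/ingress.allow-http"
HTTPS_RULE = "ingress.kubernetes.io/https-forwarding-rule"
HTTPS_PROXY = "ingress.kubernetes.io/https-target-proxy"
# Assumed status keys for a port-80 frontend; they are not shown on this page
# and are absent from its describe output.
HTTP_RULE = "ingress.kubernetes.io/forwarding-rule"
HTTP_PROXY = "ingress.kubernetes.io/target-proxy"


def check_http_disabled(ingress):
    """Return a list of findings; an empty list means HTTPS-only as intended."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    findings = []
    value = ann.get(ALLOW_HTTP)
    if value is None:
        findings.append("allow-http annotation is missing, so HTTP stays enabled")
    elif value != "false":
        # Conservative: accept only the documented literal "false".
        findings.append(f"allow-http is {value!r}, expected the string 'false'")
    for key in (HTTP_RULE, HTTP_PROXY):
        if key in ann:
            findings.append(f"HTTP frontend still provisioned: {key}={ann[key]}")
    for key in (HTTPS_RULE, HTTPS_PROXY):
        if key not in ann:
            findings.append(f"HTTPS frontend not provisioned: {key} is absent")
    return findings


# Constructed sample, modelled on the describe output above (names are placeholders).
SAMPLE = json.loads("""
{"metadata": {"name": "frontend", "namespace": "frontend", "annotations": {
  "kubernetes.io/ingress.allow-http": "false",
  "ingress.kubernetes.io/https-forwarding-rule": "k8s2-fs-EXAMPLE",
  "ingress.kubernetes.io/https-target-proxy": "k8s2-ts-EXAMPLE",
  "ingress.kubernetes.io/url-map": "k8s2-um-EXAMPLE"}}}
""")

if __name__ == "__main__":
    for line in check_http_disabled(SAMPLE) or ["OK: HTTPS-only frontend"]:
        print(line)
```

An empty result for an Ingress that still shows the Sync warning matches the situation reported here: the annotations describe an HTTPS-only frontend even though the controller logged an error.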

Answer questions ledmonster

I got the same issue, too.
