Kamran

Reputation: 1

Nginx Fabric Gateway API controller installed with service type ClusterIP exposed through a GCP Global ALB

Regarding the information below, I want to have HTTPS traffic to the Gateway API controller deployment.

I have a GKE cluster and a GCP Global Application Load Balancer (GALB). Within GKE I installed the Nginx Fabric Gateway API Controller through Helm (Installation with Helm).

Service annotation passed through helm value: cloud.google.com/neg: '{"exposed_ports": {"443":{"name": "CLUSTER-NAME-nginx-gateway-443-neg"}}}'

The same Network Endpoint Group name is referred to in the GCP Backend service attached to the GALB. A Google-managed certificate is used in the GALB as TLS termination for the My-Host hostname. A Google DNS A record is defined which points to the GALB external IP (My-Host). My-Host is an FQDN.

Result: I can reach the Kubernetes backend service through

https://My-Host/gw/

Apparently the traffic is terminated on the GALB and passed as plaintext to the Gateway API Controller.

Now I have created

With these changes

I am able to call the application from another pod by calling the Nginx Gateway API controller deployment service:

curl -L http://<Gateway API controller service>.<Gateway API controller namespace>.svc/gw/

and I see the redirect happen when using the -I flag.

Anyhow, my issue is that when calling the app from outside

curl -L https://My-Host/gw/

I get the following error

upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: TLS_error:|268436568:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNRECOGNIZED_NAME:TLS_error_end:TLS_error_end

I searched; many say it is possibly related to the host name not being covered by the certificate. I don't have any clue how to debug this.

Logging is enabled on the GCP Backend, and the logging level is debug in the Nginx config map.

I see a record in Stackdriver which does not contain useful info related to the error. In the Gateway API controller deployment log I do not see anything.

Upvotes: 0

Views: 32
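
Added example, not part of the original question: the numeric code inside the quoted error can be unpacked to see what kind of TLS failure the proxy recorded on its upstream connection. It assumes BoringSSL's packed error layout (library id in the top byte, reason in the low 12 bits, alerts received from the peer reported as 1000 plus the alert number), which the `OPENSSL_internal` marker suggests; the function names are hypothetical.

```python
import re

# Error text as quoted in the question above.
ERROR = ("upstream connect error or disconnect/reset before headers. retried and "
         "the latest reset reason: remote connection failure, transport failure "
         "reason: TLS_error:|268436568:SSL routines:OPENSSL_internal:"
         "TLSV1_ALERT_UNRECOGNIZED_NAME:TLS_error_end:TLS_error_end")

ERR_LIB_SSL = 16             # library id of the SSL module (assumed BoringSSL layout)
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for alerts sent by the peer

# TLS alert descriptions (RFC 8446 section 6; unrecognized_name is from RFC 6066).
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
          70: "protocol_version", 112: "unrecognized_name",
          116: "certificate_required", 120: "no_application_protocol"}


def unpack(code):
    """Split a packed error code into (library id, reason)."""
    return (code >> 24) & 0xFF, code & 0xFFF


def explain(message):
    """Decode the first TLS_error entry in a proxy error message, or return None."""
    m = re.search(r"TLS_error:\|(\d+):([^:]*):([^:]*):([^:|]*)", message)
    if not m:
        return None
    lib, reason = unpack(int(m.group(1)))
    alert = reason - SSL_AD_REASON_OFFSET
    # Alert numbers fit in one byte, so only 1000..1255 are peer alerts.
    from_peer = lib == ERR_LIB_SSL and 0 <= alert <= 255
    return {
        "library": lib,
        "reason": reason,
        "reason_name": m.group(4),
        "alert_from_peer": from_peer,
        "alert": alert if from_peer else None,
        "alert_name": ALERTS.get(alert, "unknown") if from_peer else None,
    }


if __name__ == "__main__":
    print(explain(ERROR))
```

Alert 112 (`unrecognized_name`) is the alert a TLS server sends when it does not recognise the server name offered in SNI, so the hop to check is the TLS connection from the load balancer to the backend endpoint, not the client-facing certificate.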

Answers (0)
