[GLBC] Changing front-end configuration does not remove unnecessary target proxies/ssl-certs

[bowei]

From @tonglil on March 20, 2017 17:59

Porting this issue from contrib over: kubernetes-retired/contrib#1517.

There is no enforcement of the annotation kubernetes.io/ingress.allow-http: "false" when it is set to false, after previously being set to true or unset.

See during the edge hop:

• Checks annotation: https://github.com/kubernetes/ingress/blob/37bdb3952e090e50f44207ad0e54b1f2a4ef1055/controllers/gce/loadbalancers/loadbalancers.go#L598-L602
• Creates: https://github.com/kubernetes/ingress/blob/37bdb3952e090e50f44207ad0e54b1f2a4ef1055/controllers/gce/loadbalancers/loadbalancers.go#L619-L627

No deletion/cleanup enforcement happens if it is set to false.

Copied from original issue: kubernetes/ingress-nginx#468

[bowei]

From @nicksardo on April 21, 2017 19:7

No deletion/cleanup happens when removing the TLS section or pre-shared cert annotation. Will rename this to be more general.

[bowei]

From @nicksardo on April 24, 2017 18:41

Furthermore, if you disable TLS on an active ingress, then delete the ingress resource, the controller will fail to destroy resources. It doesn't try deleting the https forwarding rule or https target proxy, which means the URL map is still used.

[bowei]

From @montanaflynn on August 7, 2017 23:3

Any updates on this? We have a production ingress and are looking for a workaround.

[bowei]

From @nicksardo on August 7, 2017 23:19

@montanaflynn There's no fix yet.

You should be able to delete the HTTP forwarding rule and target proxy manually in the GCP Console. Highly recommend duplicating the issue in a test cluster and trying it out first.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

[bluecmd]

It is still relevant, I just hit this today. /remove-lifecycle stale

[MichielDeMey]

Same issue here, changed to HTTPS only and the HTTP frontend was not deleted.
I deleted the HTTP frontend manually from the LB and that did not seem to have any side-effects on the traffic.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[metral]

Hitting this on v1.1.1

/remove-lifecycle stale

[nitrag]

Bump. Had to delete ingress, remove compute forwarding rule, wait, apply ingress. kubectl replace of ingress did not work.

[bowei]

/lifecycle frozen

[raelga]

Still happening, added kubernetes.io/ingress.allow-http: "false" and the HTTP Frontend was not deleted.

Cleaned manually after adding the annotation by updating the Ingress Load Balancer removing the HTTP Frontend. Eventually, the HTTP Target Proxy was deleted by GCP.

[stephen-dexda]

Until this reaches production please document the manual cleanup required (or link to this bug) at https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#disabling_http.