I'm setting up the ingress for my GKE cluster, everything works but I think I'm missing something here.
The google tutorial states that we need to reserve an external static IP and add A record in our domain to point to such IP, then define both IP and certificate in the ingress rule.
Why can't we just point the domain to the load balancer IP?
Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs?hl=th
I think we have some misconceptions here. Let me explain a little bit more.
Your question shows nothing that you are using nginx-ingress
. There is nothing besides a tag that is acknowledging it. Please update your question with information which controller you are actually using.
It's important because gke-ingress
and nginx-ingress
are 2 different resources. The guide that you are referencing is specific to gke-ingress
. Annotations used there will not work with nginx-ingress
. If you were following the guide step by step you used a gke-ingress
and not nginx-ingress
.
According to question in the title:
Why google-managed SSL certificate requires domain DNS to point to a static IP address instead of the load balancer itself?
The static IP address mentioned is a reserved resource and it's specifically created not to change.
This IP address will be used with a Ingress
resource with your GKE
cluster. This will ensure that the Ingress
resource will always have the same IP address and your domain will always point to it.
Deletion of your Ingress
resource when it was created without a static ip address can lead to situation that a recreated Ingress
will have a different IP address.
From above explanation: You can point with your domain name to an IP address that is no longer associated with your Ingress
resource because your Ingress
has another IP address.
GCP operate on 2 types of IP addresses:
Please take a look on official documentation about IP addresses on GCP: Cloud.google.com: Compute: IP addresses
Additionally there is an article which shows the differences between service object of type LoadBalancer
and Ingress
resource.
Please let me know if you have any questions in that.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.