I am trying to create a deployment that can receive firewall logs. I have purchased a Google Cloud Domain.
I managed to run the LimaCharlie Adapter without an Ingress (with a LoadBalancer Service). After introducing the Ingress I get the error "502 Server Error: All backend services are in UNHEALTHY state".
This is a drawing of my wanted setup:
My source code

kube-manifests/deployment-and-service.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pa440-ekeberg-deployment
  labels:
    app: pa440-ekeberg
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pa440-ekeberg
  template:
    metadata:
      labels:
        app: pa440-ekeberg
    spec:
      containers:
        - name: pa440-ekeberg
          image: europe-north1-docker.pkg.dev/collectorz/pa440-ekeberg-repo/pa440-ekeberg:latest
          ports:
            - containerPort: 8080
          resources:
            requests:
              memory: "1Gi"
              cpu: "500m"
              ephemeral-storage: "1Gi"
            limits:
              memory: "1Gi"
              cpu: "500m"
              ephemeral-storage: "1Gi"
---
apiVersion: v1
kind: Service
metadata:
  name: pa440-ekeberg-nodeport-service
  labels:
    app: pa440-ekeberg
  annotations:
spec:
  type: NodePort
  selector:
    app: pa440-ekeberg
  ports:
    - port: 80
      targetPort: 8080
kube-manifests/ingress-ssl.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pa440-ekeberg-ingress-ssl
  annotations:
    # External Load Balancer
    spec.ingressClassName: "gce"
    # Static IP for Ingress Service
    kubernetes.io/ingress.global-static-ip-name: "pa440-ekeberg-global-ip"
    # Google Managed SSL Certificates
    networking.gke.io/managed-certificates: pa440-ekeberg-managed-cert-for-ingress
spec:
  defaultBackend:
    service:
      name: pa440-ekeberg-nodeport-service
      port:
        number: 80
kube-manifests/managed-certificate.yaml

apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: pa440-ekeberg-managed-cert-for-ingress
spec:
  domains:
    - 1.mydomain.com

Dockerfile

# Specify Ubuntu
FROM ubuntu:latest
# Update
RUN apt-get update && apt-get install -y apt-utils file
RUN apt-get install -y ca-certificates
# Open port
EXPOSE 8080
# Download LimaCharlie Adapter (will download as file name "64" to /opt/64)
ADD https://downloads.limacharlie.io/adapter/linux/64 /opt/limacharlie/lc_adapter
RUN chmod +x /opt/limacharlie/lc_adapter
RUN echo Running!
CMD ["/opt/limacharlie/lc_adapter", "syslog", "client_options.identity.installation_key=a-b-c-d-e", "client_options.identity.oid=f-g-h-i-j", "client_options.platform=text", "client_options.hostname=fw-pa440-ekeberg-kubernetes", "client_options.sensor_seed_key=fw-pa440-ekeberg-kubernetes", "port=8080", "iface=0.0.0.0", "is_udp=false"]
My steps to deploy the app:
1. Create global IP:
gcloud compute addresses create pa440-ekeberg-global-ip --global
2. Create A record:
Go to Network services > Cloud DNS > mydomain.com > Add Standard
- DNS name: 1.mydomain.com
- Resource record type: A
- TTL: 5 minutes
- IPv4 Address: the global IP
3. Create repo:
gcloud artifacts repositories create pa440-ekeberg-repo --project=collectorz --repository-format=docker --location=europe-north1 --description="Docker repository"
4. Build a new version:
gcloud builds submit --tag europe-north1-docker.pkg.dev/collectorz/pa440-ekeberg-repo/pa440-ekeberg .
5. Connect to cluster:
gcloud container clusters get-credentials autopilot-cluster-1 --region europe-north1 --project collectorz
6. Apply all:
kubectl apply -f kube-manifests
Results
Deployment: OK
Pods: Running
NodePort Service: OK
Ingress SSL: All backend services are in UNHEALTHY state
SSL Certificate (https://console.cloud.google.com/security/ccm/list/lbCertificates): Active and in use by target HTTPS proxies.
What can I do to debug this?
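Added diagnostic example, not part of the question above and not LimaCharlie's or Google's code. A GKE external Ingress fronts its backends with an HTTP(S) load balancer whose default health check is an HTTP GET on "/" of the serving port, expecting a 200 (a readinessProbe on the container changes the path, not the protocol). A backend that only speaks syslog over TCP accepts the connection but never answers with an HTTP status line, which is exactly what "All backend services are in UNHEALTHY state" reports. The script below reproduces both behaviours locally against two constructed listeners (one syslog-like, one HTTP-like) and can also be pointed at a real pod via `kubectl port-forward` to check which kind of backend the health checker is actually seeing; the listeners, sample event and port numbers are all constructed for the demo.

```python
import socket
import threading

# Constructed sample event, the kind a firewall would forward over TCP syslog
SYSLOG_LINE = b"<134>1 2024-01-01T00:00:00Z pa440-ekeberg - - - - constructed test event\n"
# Minimal reply an HTTP backend would give the health checker
HTTP_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


def http_health_probe(host, port, path="/", timeout=2.0):
    """Send the minimal GET the GCE HTTP health checker sends (path "/" by
    default) and return (healthy, detail). Healthy means a 200 status line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        try:
            data = s.recv(1024)
        except socket.timeout:
            return False, "no response before timeout"
    if not data:
        return False, "connection closed without an HTTP response"
    status = data.split(b"\r\n", 1)[0].decode(errors="replace")
    return status.startswith(("HTTP/1.1 200", "HTTP/1.0 200")), status


def syslog_tcp_send(host, port, line=SYSLOG_LINE, timeout=2.0):
    """Deliver one syslog line over plain TCP, as a firewall would; returns bytes sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(line)
    return len(line)


class Listener:
    """Constructed local TCP listener on an ephemeral port. reply=None mimics a
    syslog receiver (consume input, say nothing, close); reply=HTTP_200 mimics
    an HTTP endpoint that answers the health check."""

    def __init__(self, reply=None):
        self.reply = reply
        self.received = []
        self.got = threading.Event()          # set each time a connection is handled
        self._stop = threading.Event()
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # lets the accept loop notice _stop
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:                        # closed on block exit, like a real receiver
                conn.settimeout(1.0)
                try:
                    self.received.append(conn.recv(4096))
                except socket.timeout:
                    self.received.append(b"")
                if self.reply:
                    conn.sendall(self.reply)
                self.got.set()

    def close(self):
        self._stop.set()
        self.sock.close()


def run_demo():
    """Probe both listener kinds and report what the load balancer would conclude."""
    syslog_like = Listener(reply=None)
    http_like = Listener(reply=HTTP_200)
    results = {}
    try:
        results["syslog_listener_passes_http_check"] = http_health_probe("127.0.0.1", syslog_like.port)[0]
        results["http_listener_passes_http_check"] = http_health_probe("127.0.0.1", http_like.port)[0]
        # The syslog-style backend is perfectly able to take events; it just cannot pass an HTTP check.
        syslog_like.got.clear()
        syslog_tcp_send("127.0.0.1", syslog_like.port)
        syslog_like.got.wait(2.0)
        results["syslog_listener_received_event"] = SYSLOG_LINE in syslog_like.received
    finally:
        syslog_like.close()
        http_like.close()
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

To run the same probe against the real pod, forward the container port locally (`kubectl port-forward deploy/pa440-ekeberg-deployment 8080:8080`) and call `http_health_probe("127.0.0.1", 8080)`; a `False` result with "connection closed without an HTTP response" or "no response before timeout" means the backend will never be marked healthy by an HTTP(S) load balancer, regardless of certificates or DNS, and a raw TCP syslog feed needs a Layer 4 (TCP) load balancer rather than an HTTP Ingress.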