GKE
Google offers an L7 load balancer that gives you access to network services such as managed SSL certificates, SSL offloading and the Google content delivery network. An L7 load balancer in front of Emissary can be configured by hand or by using the Ingress-GCE resource. Using the Ingress resource also allows you to create Google-managed SSL certificates through Kubernetes.
With this setup, HTTPS will be terminated at the Google load balancer. The load balancer will be created and configured by the Ingress-GCE resource. The load balancer consists of a set of forwarding rules and a set of backend services. In this setup, the ingress resource creates two forwarding rules, one for HTTP and one for HTTPS. The HTTPS forwarding rule has the SSL certificates attached. Also, one backend service will be created to point to a list of instance groups at a static port. This will be the NodePort of the Emissary service.
With this setup, the load balancer terminates HTTPS and then directs the traffic to the Emissary service via the NodePort. Emissary then does all the routing to the other internal and external services.
Overview of steps
- Install and configure the ingress with the HTTP(S) load balancer
- Install Emissary
- Configure and connect Emissary to ingress
- Create an SSL certificate and enable HTTPS
- Create BackendConfig for health checks
- Configure Emissary to do HTTP -> HTTPS redirection
ambassador will be running as a NodePort service. Health checks will be configured through a BackendConfig resource.
0. Emissary
This guide will install Emissary. You can also install Ambassador Edge Stack. Please note:
- The ingress and the ambassador service need to run in the same namespace
- The ambassador service needs to be of type NodePort and not LoadBalancer. Also remove the line with externalTrafficPolicy: Local
- Ambassador-Admin needs to be of type NodePort instead of ClusterIP since it needs to be available for health checks
1. Install and configure ingress with the HTTP(S) load balancer
Create a GKE cluster through the web console and use a release channel. When the cluster is up and running, follow this tutorial from Google to configure an ingress and an L7 load balancer. After you have completed these steps you will have a running L7 load balancer and one service (web).
2. Install Emissary
Follow the first section of the Emissary installation guide to install Emissary. Stop before defining the ambassador service. Emissary needs to be deployed as a NodePort service instead of LoadBalancer to work with the L7 load balancer and the ingress.
Save the YAML below in ambassador.yaml and apply with kubectl apply -f ambassador.yaml
apiVersion: v1
kind: Service
metadata:
  name: ambassador
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 8080
  selector:
    service: ambassador
You will now have an ambassador service running next to your ingress. Keep in mind that the NodePort is reachable by anything that can reach the nodes, not only by the load balancer, so keep the VPC firewall limited to the Google load balancer and health-check ranges that GKE opens for the ingress.
3. Configure and connect ambassador to the ingress
You need to change the ingress so that it sends traffic to ambassador. Assuming you have followed the tutorial, you should have a file named basic-ingress.yaml. Change its default backend to point to ambassador instead of web. The manifest below uses the networking.k8s.io/v1 Ingress API; the older extensions/v1beta1 form with backend.serviceName and backend.servicePort was removed in Kubernetes 1.22 and is rejected by current GKE release-channel clusters:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: basic-ingress
spec:
  defaultBackend:
    service:
      name: ambassador
      port:
        number: 8080
Now let's connect the other service from the tutorial to ambassador by specifying a Mapping:
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: web
  namespace: default
spec:
  hostname: "*"
  prefix: /
  service: web:8080
All traffic will now go to ambassador and from ambassador to the web service. You should be able to hit your load balancer and get the output. It may take some time until the load balancer infrastructure has rolled out all changes, and you might see gateway errors during that time.
As a side note: right now all traffic goes to the web service, including the load balancer health check. Until step 5 moves the health check to Emissary, web has to answer the default health check (GET / on the serving port) with HTTP 200, or the load balancer will mark the backend unhealthy.
4. Create an SSL certificate and enable HTTPS
Read up on managed certificates on GKE. You need a DNS name that points to the external IP of the load balancer; Google will not issue the certificate until the name resolves to that address.
certificate.yaml:
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: www-example-com
spec:
  domains:
  - www.example.com
Modify the ingress from before so that it references the managed certificate (the annotation is what attaches the certificate to the HTTPS forwarding rule):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    networking.gke.io/managed-certificates: www-example-com
spec:
  defaultBackend:
    service:
      name: ambassador
      port:
        number: 8080
Please wait (5-15 minutes) until the certificate is created and all edge servers have the certificate ready. kubectl describe managedcertificate www-example-com will show you the status, or go to the web console to view the load balancer.
You should now be able to access the web service via https://www.example.com.
5. Configure BackendConfig for health checks
Create and apply a BackendConfig resource with a custom health check specified. The BackendConfig must live in the same namespace as the ambassador service that references it, so if you deployed into default (as in the earlier steps) change the namespace below accordingly:
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: ambassador-hc-config
  namespace: ambassador
spec:
  # https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features
  timeoutSec: 30
  connectionDraining:
    drainingTimeoutSec: 30
  logging:
    enable: true
    sampleRate: 1.0
  healthCheck:
    checkIntervalSec: 10
    timeoutSec: 10
    port: 8877
    type: HTTP
    requestPath: /ambassador/v0/check_alive
Then edit your previous ambassador.yaml file to add an annotation referencing the BackendConfig and apply the file. From now on the load balancer health check goes to Emissary's own liveness endpoint instead of to the web service:
apiVersion: v1
kind: Service
metadata:
  name: ambassador
  annotations:
    cloud.google.com/backend-config: '{"default": "ambassador-hc-config"}'
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 8080
  selector:
    service: ambassador
6. Configure Emissary to do HTTP -> HTTPS redirection
Configure Emissary to redirect traffic from HTTP to HTTPS. Because TLS is terminated at the Google load balancer, Emissary only ever sees cleartext HTTP on port 8080 and has to decide on the X-Forwarded-Proto header set by the load balancer rather than on the connection itself. You will need to restart Emissary to apply the change with kubectl rollout restart deployment ambassador.
The result should be that http://www.example.com redirects to https://www.example.com.
You can now add more services by specifying the hostname in the Mapping.
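Added example, not from the original page, of what the sentence above means: Mappings scoped to explicit hostnames rather than the wildcard used in step 3. The hostname api.example.com and the api service are assumptions for illustration.

```yaml
# Added example (not from the original page): hostname-scoped Mappings.
# www.example.com is the name from step 4; api.example.com and the
# "api" service are assumed for illustration.
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: web
  namespace: default
spec:
  # Only requests whose Host header is www.example.com reach "web".
  hostname: "www.example.com"
  prefix: /
  service: web:8080
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: api
  namespace: default
spec:
  hostname: "api.example.com"
  prefix: /
  service: api:8080
```

With hostname-scoped Mappings a request whose Host header matches no Mapping gets a 404 from Emissary instead of being routed to web. Any additional hostname also has to be added to the domains list of the ManagedCertificate (and to DNS) before the load balancer will serve it over HTTPS.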