gclb-and-gke-and-istio.md
Hold onto your butts:

- Create pod + service + gateway + virtualservice deployment in GKE:
  - `% kc apply -f helloworld.yaml` # link
  - The Gateway's port needs to use a named port:

    ```yaml
    port:
      number: 30004
      name: http-hello-world # <-- this is your named-port
      protocol: HTTP
    ```

  - The VirtualService route destination needs to use the full FQDN because of cross-namespace naming:

    ```yaml
    destination:
      host: helloworld.default.svc.cluster.local
      port:
        number: 5000 # 5000 is the pod's serving port, not the named-port
    ```

- Create a load balancer:
  - Backend config
    - Backend service: create a new backend service.
      1. Instance group
      1. Choose the IG(s) for each nodepool in your cluster
      1. If using multi-zone, you need to select all N (e.g. 3)
      1. Add a health check:
         - HTTP
         - /hello (or whatever path will work)
         - PORT! Not 80. Not the ingressgateway's HTTP port.
           - Create a named-port
           - We used 30000 + N (where N is each VirtualService we expose)
           - In this case: 30004
      1. Add an appArmor Security Policy (separately?)
         - Restrict the IP range to our VPN / corp IPs.
  - host/path (easy)
    - Host: your hostname
    - Path: /*
    - -> the backend service above
    - (you really don't even have to do the above, as the default path works)
  - Frontend config
    - Create a static IP (not ephemeral) for anycast
    - Point your DNS to that IP (once per hostname, ~a one-time job)
- Health checks (still) won't work yet. 0/1 healthy.
  - Add the 30000+N port to the Istio ingressgateway
  - Add the 30000+N port
  - Add a firewall rule for the VPC
    - Target tag: gclb-target-pool
    - IP ranges: (these have to be typed into the UI one at a time, because JS)
      - 209.85.204.0/22
      - 209.85.152.0/22
      - 130.211.0.0/22
      - 35.191.0.0/16
    - tcp:30000+N (30004 in our case)
- Still won't work, as Istio hasn't opened up the 30000+N port yet:
  - Add that named-port to istio-ingressgateway via the Helm values.yaml in Istio.Chart:

    ```yaml
    - port: 30004
      name: http-hello-world # the same named-port
      nodePort: 30004
    ```

  - `helm upgrade istio "istio-1.0.2/install/kubernetes/helm/istio" --namespace istio-system -f values.yaml -f env/prod.yaml`

I think there were a couple other things, like needing to use the exact name of the named-port (http-hello-world), but I forget where we did that now.
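The whole chain above only works when four separately managed objects agree on one named port and one FQDN: the Istio Gateway's port name and number, the istio-ingressgateway Service's port name and nodePort (from the Helm values), the GCLB health-check port, and the VPC firewall rule's port and source ranges. The script below is an added example (not code from the notes or from Istio/GCP) that cross-checks those links before you start clicking through the console; the manifests in it are constructed samples in the shape `yaml.safe_load()` would give for the objects the notes describe, and `check_chain()`, `demo()` and the sample names are this example's own assumptions.

```python
"""Cross-check the GCLB -> istio-ingressgateway -> Gateway -> VirtualService chain.
Added example, not code from the original notes: the manifests are CONSTRUCTED
samples shaped like yaml.safe_load() output for the objects the notes describe,
and check_chain()/demo() are this example's own helpers."""
import copy
import ipaddress
import re

HEALTH_CHECK_PORT = 30004  # 30000 + N: the nodePort the GCLB health check must reach
# Source ranges the GCLB health checkers / proxies come from (as listed in the notes).
GCLB_SOURCE_RANGES = ("209.85.204.0/22", "209.85.152.0/22", "130.211.0.0/22", "35.191.0.0/16")
# A VirtualService destination must be the full in-cluster FQDN, not a short Service name.
FQDN_RE = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+\.svc\.cluster\.local$")

GATEWAY = {"metadata": {"name": "helloworld-gateway", "namespace": "default"},  # constructed
           "spec": {"selector": {"istio": "ingressgateway"},
                    "servers": [{"hosts": ["*"], "port": {"number": 30004, "name": "http-hello-world",
                                                          "protocol": "HTTP"}}]}}
VIRTUAL_SERVICE = {"metadata": {"name": "helloworld", "namespace": "default"},  # constructed
                   "spec": {"hosts": ["*"], "gateways": ["helloworld-gateway"],
                            "http": [{"match": [{"uri": {"exact": "/hello"}}],
                                      "route": [{"destination": {"host": "helloworld.default.svc.cluster.local",
                                                                 "port": {"number": 5000}}}]}]}}
INGRESSGATEWAY_SVC = {"metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},  # constructed
                      "spec": {"type": "NodePort",
                               "ports": [{"name": "http2", "port": 80, "nodePort": 31380},
                                         {"name": "http-hello-world", "port": 30004, "nodePort": 30004}]}}
FIREWALL_RULE = {"name": "allow-gclb-healthcheck", "targetTags": ["gclb-target-pool"],  # constructed
                 "sourceRanges": list(GCLB_SOURCE_RANGES),
                 "allowed": [{"IPProtocol": "tcp", "ports": ["30004"]}]}


def _port_allowed(allowed, port):
    """True if one 'allowed' entry admits TCP on `port` (entries are "n" or "lo-hi" strings)."""
    for entry in allowed:
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        for spec in entry.get("ports", []):
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def check_chain(gateway, virtual_service, ingress_svc, firewall, health_check_port):
    """Return a list of problems; an empty list means every link in the chain agrees."""
    problems = []
    svc_ports = {p.get("name"): p for p in ingress_svc["spec"]["ports"]}
    for server in gateway["spec"]["servers"]:
        port = server["port"]
        name = port.get("name")
        if not name:
            problems.append(f"Gateway port {port['number']} has no name; the GCLB backend needs a named port")
            continue
        svc_port = svc_ports.get(name)
        if svc_port is None:  # the port was never added to the ingressgateway Service (helm values.yaml)
            problems.append(f"named port {name!r} is not declared on the istio-ingressgateway Service")
            continue
        if svc_port.get("nodePort") != port["number"]:
            problems.append(f"nodePort for {name!r} is {svc_port.get('nodePort')} but the Gateway uses {port['number']}")
        if svc_port.get("nodePort") != health_check_port:
            problems.append(f"health check port {health_check_port} != nodePort {svc_port.get('nodePort')} of {name!r}")
    gw_name = gateway["metadata"]["name"]
    if gw_name not in virtual_service["spec"].get("gateways", []):
        problems.append(f"VirtualService does not bind to gateway {gw_name!r}")
    for route in virtual_service["spec"].get("http", []):
        for hop in route.get("route", []):
            host = hop["destination"]["host"]
            if not FQDN_RE.match(host):
                problems.append(f"destination host {host!r} is not a full FQDN (<svc>.<ns>.svc.cluster.local)")
    if not _port_allowed(firewall.get("allowed", []), health_check_port):
        problems.append(f"firewall rule {firewall['name']!r} does not allow tcp:{health_check_port}")
    allowed_nets = [ipaddress.ip_network(r) for r in firewall.get("sourceRanges", [])]
    missing = [r for r in GCLB_SOURCE_RANGES
               if not any(ipaddress.ip_network(r).subnet_of(n) for n in allowed_nets)]
    if missing:  # the health checkers would be blocked: 0/1 healthy
        problems.append("firewall source ranges do not cover GCLB ranges: " + ", ".join(missing))
    return problems


def demo():
    """Check the consistent sample plus three deliberately broken copies of it."""
    results = {"consistent": check_chain(GATEWAY, VIRTUAL_SERVICE, INGRESSGATEWAY_SVC, FIREWALL_RULE, HEALTH_CHECK_PORT)}
    vs = copy.deepcopy(VIRTUAL_SERVICE)  # short Service name instead of the FQDN
    vs["spec"]["http"][0]["route"][0]["destination"]["host"] = "helloworld"
    results["short_host"] = check_chain(GATEWAY, vs, INGRESSGATEWAY_SVC, FIREWALL_RULE, HEALTH_CHECK_PORT)
    svc = copy.deepcopy(INGRESSGATEWAY_SVC)  # the helm upgrade that adds the port never ran
    svc["spec"]["ports"].pop()
    results["port_not_opened"] = check_chain(GATEWAY, VIRTUAL_SERVICE, svc, FIREWALL_RULE, HEALTH_CHECK_PORT)
    fw = copy.deepcopy(FIREWALL_RULE)  # only one of the four ranges was typed into the UI
    fw["sourceRanges"] = ["130.211.0.0/22"]
    results["firewall_missing_ranges"] = check_chain(GATEWAY, VIRTUAL_SERVICE, INGRESSGATEWAY_SVC, fw, HEALTH_CHECK_PORT)
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {problems or 'OK'}")
```

To use it against a real cluster, replace the constructed dicts with the output of `yaml.safe_load()` over `kubectl get gateway/virtualservice/service -o yaml` and the firewall rule's JSON; the three broken scenarios in `demo()` reproduce the "0/1 healthy" states the notes walk through (wrong host form, nodePort never opened, health-check ranges not fully whitelisted).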

Not attempted yet: HTTPS