Updated on 2024-11-12 GMT+08:00

Configuring gRPC Backend Services for a LoadBalancer Ingress

Ingresses can interconnect with backend services of different protocols. By default, the backend proxy channel of an ingress is HTTP-compliant. To create a gRPC channel, add the following configuration to the annotations field:

kubernetes.io/elb.pool-protocol: grpc

This function depends on ELB listeners and is available only in certain regions. Obtain these regions on the CCE console. For details about the regions where this function is supported, see Elastic Load Balance Function Overview.

Prerequisites

  • A CCE standard or Turbo cluster is available, and the cluster version meets the following requirements:
    • v1.23: v1.23.10-r20 or later
    • v1.25: v1.25.5-r20 or later
    • v1.27: v1.27.2-r20 or later
    • v1.28: v1.28.1-r0 or later
    • Other clusters of later versions
  • An available workload has been deployed in the cluster for external access. If no workload is available, deploy a workload by referring to Creating a Deployment, Creating a StatefulSet, or Creating a DaemonSet.
  • A Service for external access has been configured for the workload. Services Supported by LoadBalancer Ingresses lists the Service types supported by LoadBalancer ingresses.
  • You can obtain a trusted certificate from a certificate provider. For details, see Purchasing an SSL Certificate.

Notes and Constraints

  • Ingresses can interconnect with gRPC backend services only when dedicated load balancers are used.
  • When an ingress interconnects with a gRPC backend service, the ingress protocol must be HTTPS and HTTP/2 must be enabled.

Configuring a gRPC Backend Service

You can configure a gRPC backend Service for an ingress using either the CCE console or kubectl.

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. Choose Services & Ingresses in the navigation pane, click the Ingresses tab, and click Create Ingress in the upper right corner.
  3. Configure ingress parameters.

    This example explains only key parameters for configuring gRPC backend Services. You can configure other parameters as required. For details, see Creating a LoadBalancer Ingress on the Console.

    Table 1 Key parameters

    Parameter

    Description

    Example

    Name

    Enter an ingress name.

    ingress-test

    Load Balancer

    Select a load balancer to be associated with the ingress or automatically create a load balancer. In this example, only dedicated load balancers are supported.

    Dedicated

    Listener

    • External Protocol: Select HTTPS for a gRPC backend Service for an ingress.
    • External Port: specifies the port of the load balancer listener. The default HTTPS port is 443.
    • Certificate Source: Select ELB server certificate.
    • Server Certificate: Use a certificate created on ELB.

      If no certificate is available, go to the ELB console and create one. For details, see Adding a Certificate.

    • Backend Protocol: Select GRPC.
    NOTE:

    Only dedicated load balancers support gRPC, and HTTP/2 must be enabled. After HTTP/2 is enabled, CCE will automatically add the kubernetes.io/elb.http2-enable:true annotation.

    gRPC is available only in certain regions. Obtain these regions on the CCE console.

    • External Protocol: HTTPS
    • External Port: 443
    • Certificate Source: ELB server certificate
    • Server Certificate: cert-test
    • Backend Protocol: GRPC

    Forwarding Policy

    • Domain Name: Enter an actual domain name to be accessed. If it is left blank, the ingress can be accessed through the IP address. Ensure that the domain name has been registered and licensed. Once a forwarding policy is configured with a domain name specified, you must use the domain name for access.
    • Path Matching Rule: Select Prefix match, Exact match, or RegEx match.
    • Path: Enter the path provided by a backend application for external access. The path added must be valid in the backend application, or the forwarding cannot take effect.
    • Destination Service: Select an existing Service or create a Service. Any Services that do not match the search criteria will be filtered out automatically.
    • Destination Service Port: Select the access port of the destination Service.
    • (Optional) Set ELB: Set the health check protocol to gRPC. Click Customize, enable health check, and select GRPC.
    • Domain Name: You do not need to configure this parameter.
    • Path Matching Rule: Prefix match
    • Path: /
    • Destination Service: nginx
    • Destination Service Port: 80
    Figure 1 Configuring a gRPC backend Service
    Figure 2 Setting the health check protocol to gRPC

  4. Click OK.
  1. Use kubectl to access the cluster. For details, see Connecting to a Cluster Using kubectl.
  2. Create a YAML file named ingress-test.yaml. The file name can be customized.

    vi ingress-test.yaml

    An example YAML file of an ingress associated with an existing load balancer is as follows:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: ingress-test
      namespace: default
      annotations:
        kubernetes.io/elb.port: '443'
        kubernetes.io/elb.id: <your_elb_id>    # In this example, an existing dedicated load balancer is used. Replace its ID with the ID of your dedicated load balancer.
        kubernetes.io/elb.class: performance
        kubernetes.io/elb.pool-protocol: grpc  # Interconnected gRPC backend service
        kubernetes.io/elb.http2-enable: 'true' # Enable HTTP/2.
        kubernetes.io/elb.tls-ciphers-policy: tls-1-2
    spec:
      tls: 
        - secretName: ingress-test-secret
      rules:
        - host: ''
          http:
            paths:
              - path: '/'
                backend:
                  service:
                    name: <your_service_name>  # Replace it with the name of your target Service.
                    port:
                      number: 80
                property:
                  ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH
                pathType: ImplementationSpecific
      ingressClassName: cce

  3. Create an ingress.

    kubectl create -f ingress-test.yaml

    If information similar to the following is displayed, the ingress has been created:

    ingress/ingress-test created

  4. Check the created ingress.

    kubectl get ingress

    If information similar to the following is displayed, the ingress has been created:

    NAME          CLASS    HOSTS     ADDRESS          PORTS   AGE
    ingress-test  cce      *         121.**.**.**     80      10s