https://www.getambassador.io/docs/edge-stack/latest/topics/running/ambassador-with-gke/

https://hadoan.medium.com/deploy-a-secure-web-to-gcp-kubernertes-using-ambassador-api-gateway-and-google-managed-ssl-de66f053862

DEPLOY:

Reserve IP:

>> gcloud compute addresses create ambassador-address --global
 
Created [https://www.googleapis.com/compute/v1/projects/<your_project_id>/global/addresses/ambassador-address].
 
>> gcloud compute addresses describe ambassador-address --global
 
					address: <redacted_ip>
					addressType: EXTERNAL
					creationTimestamp: '20XX-XX-XXTXX:XX:XX.XXX-XX:00'
					description: ''
					id: '<redacted>'
					ipVersion: IPV4
					kind: compute#address
					name: ambassador-address
					networkTier: PREMIUM
					selfLink: https://www.googleapis.com/compute/v1/projects/<your_project_id>/global/addresses/ambassador-address
					status: RESERVED

Deploy: Nodeport + Certificate + Ingress + Live Probe

apiVersion: v1
kind: Service
metadata:
  name: ambassador-nodeport
  annotations:
    cloud.google.com/backend-config: '{"default": "ambassador-hc-config"}'
spec:
  type: NodePort
  ports:
   - port: 8080
     targetPort: 8080
  selector:
    app.kubernetes.io/name: ambassador
---
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: ambassador-certificate
spec:
  domains:
    - www.orasistest.com
---
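# extensions/v1beta1 Ingress is no longer served as of Kubernetes 1.22;
# this is the same default-backend Ingress in the networking.k8s.io/v1 schema.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ambassador-ingress
  annotations:
    networking.gke.io/managed-certificates: ambassador-certificate
    kubernetes.io/ingress.global-static-ip-name: ambassador-address
    kubernetes.io/ingress.class: "gce"
spec:
  defaultBackend:
    service:
      name: ambassador-nodeport
      port:
        number: 8080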
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: ambassador-hc-config
  # A BackendConfig must live in the same namespace as the Service that references it
  namespace: ambassador
spec:
  # https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features
  timeoutSec: 30
  connectionDraining:
    drainingTimeoutSec: 30
  logging:
    enable: true
    sampleRate: 1.0
  healthCheck:
    checkIntervalSec: 10
    timeoutSec: 10
    port: 8877
    type: HTTP
    requestPath: /ambassador/v0/check_alive

NOTE:

If you are using a service like Cloudflare, disable the Cloudflare proxy setting so that a ping to the domain returns the actual IP of the Ingress. This lets the Google Managed SSL certificate be created correctly within 10 to 15 minutes.
 
Once the certificate is up, you can again enable Cloudflare proxy setting.
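
Added example (not part of the original notes): a pre-flight check that the domain resolves only to the reserved ambassador-address IP before waiting on ambassador-certificate. It assumes gcloud, dig and kubectl are installed and that the current kubectl namespace is the one holding the ManagedCertificate; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): DNS and certificate pre-flight.
# Resource names match the manifests above; the domain is passed as an argument.

# Succeeds only if at least one A record exists and all equal the reserved IP.
# A proxied domain resolves to the proxy's addresses and fails this check.
dns_points_to_ingress() {
  reserved_ip="$1"; shift
  [ "$#" -gt 0 ] || return 1
  for resolved_ip in "$@"; do
    [ "$resolved_ip" = "$reserved_ip" ] || return 1
  done
  return 0
}

# Map a ManagedCertificate status to the next action.
cert_next_step() {
  case "$1" in
    Active)           echo "ready" ;;
    Provisioning)     echo "wait" ;;
    FailedNotVisible) echo "check-dns" ;;
    *)                echo "investigate" ;;
  esac
}

preflight() {
  domain="$1"
  reserved="$(gcloud compute addresses describe ambassador-address --global --format='value(address)')"
  # Keep only IPv4 lines; dig +short also prints CNAME targets.
  records="$(dig +short A "$domain" | grep -E '^[0-9]+(\.[0-9]+){3}$')"
  # shellcheck disable=SC2086  # word splitting of $records is intended
  if ! dns_points_to_ingress "$reserved" $records; then
    echo "DNS for $domain does not resolve only to $reserved; disable the proxy first" >&2
    return 1
  fi
  status="$(kubectl get managedcertificate ambassador-certificate -o jsonpath='{.status.certificateStatus}')"
  echo "certificate status: ${status:-unknown} -> $(cert_next_step "$status")"
}

# Run against the live project only when a domain is given as the sole argument.
if [ "$#" -eq 1 ]; then
  preflight "$1"
fi
```

Run it with the domain as the only argument; re-enable the proxy only after the reported status is Active.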
 

CREATE MAPPINGS:

Create a mapping (replace only what is between <>):

apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: quote-backend
spec:
  prefix: /<prefix>/
  service: <service_name>.<service_namespace>.svc.cluster.local:<port>

LIST ALL MAPPINGS

kubectl get mapping --all-namespaces
