Ambassador with Google Kubernetes Engine (GKE)

Abhishek Sharma
Searce
Mar 14, 2022

A gateway provides a single endpoint or URL for client apps and internally maps requests to a group of internal microservices. There are many popular gateways out there, and you may be wondering why we use Ambassador. So before we learn how to set up Ambassador in GKE, let’s see why Ambassador.

First of all, if you want to code, ship, and run apps for Kubernetes faster and more easily using an integrated open-source experience, then you should consider Ambassador.

“Ambassador is an open-source and Kubernetes-native API Gateway built on the Envoy Proxy for cloud-native applications that routes traffic between heterogeneous services and maintains decentralized workflows”

It can be useful in the following ways:

  • Ambassador is a way through which we can manage the boundaries between end-users and Kubernetes.
  • Ambassador can be used to publish, monitor, and update services for end-users.
  • It supports several ways to manage your traffic, including load balancing, circuit breakers, rate limits, and automatic retries.
  • It gives developers a declarative management tool built on Kubernetes Custom Resource Definitions (CRDs), enabling GitOps-style continuous delivery workflows.
  • Ambassador uses Kubernetes for persistence, so there is no database to manage and maintain.
  • Ambassador uses Kubernetes liveness and readiness probes, so Kubernetes automatically restarts Ambassador if it detects an issue.

So, if you are running microservices on Kubernetes, whether on a public cloud, on-premises, or a hybrid cloud, you need to load balance your traffic one way or another. Ambassador Edge Stack helps you route traffic to your services running in Kubernetes. Ambassador Edge Stack configuration is composed of policies. A policy is declarative: you state the intended end result rather than how to arrive at it.

In this article, we’re going to learn how to set up and configure Ambassador Gateway in GKE, with some sample deployment routing examples.

Fig. Architectural Diagram of Sample Implementation

Step 1. Creating a cluster in Google Cloud Platform

Setting up our cluster zone

gcloud config set compute/zone <your preferred zone>

Creating cluster in our desired zone

gcloud container clusters create <your cluster name> --network <your vpc network name> --subnetwork <your vpc subnet name>

Fetch credentials for the cluster so that we can work on it from the terminal

gcloud container clusters get-credentials <your cluster name> --zone <your preferred zone> --project <your project ID>

Creating a namespace to deploy all the resources. Here I’m creating the emissary namespace, which is the default deployment namespace of the Ambassador stack.

kubectl create ns emissary

To set the emissary namespace as the default namespace of your current context

kubectl config set-context --current --namespace=emissary

Now it’s time to deploy an application. I’m going to deploy a simple nginx container for this demo.

Create a sample-demo.yaml file & paste the below code

To apply the configuration file please run the following command

kubectl apply -f sample-demo.yaml

You will see that your deployment and its service have been created. To verify:

kubectl get all

Your deployment and its service are now deployed and running, so it’s time to expose the service to the outside world.

Create a sample-demo-ingress.yaml file & paste the below configuration

Apply the configuration file

kubectl apply -f sample-demo-ingress.yaml

To check your ingress status

kubectl get ingress

You’ll see similar output

Please wait a few minutes for the ingress to get its external IP. Once you can see the external IP on your ingress, open it in the browser and you’ll see the default sample-demo page.

Our base application is ready. Now it’s time to install Ambassador.

Step 2. Installation

There are many ways to install the Ambassador stack, but here I’m using the YAML method. Emissary is the backend of the Ambassador stack.

For other methods please go through this link

kubectl apply -f https://app.getambassador.io/yaml/emissary/latest/emissary-crds.yaml && \
kubectl wait --for condition=established --timeout=90s crd -lapp.kubernetes.io/name=ambassador && \
kubectl apply -f https://app.getambassador.io/yaml/emissary/latest/emissary-ingress.yaml && \
kubectl -n emissary wait --for condition=available --timeout=90s deploy -lproduct=aes

You’ll see similar output in your terminal

Step 3. Routing traffic from the edge

To route all traffic from the cluster to the ambassador service, we need to create a listener

To test whether our Ambassador Emissary is installed correctly, we’ll deploy a sample deployment from the official docs

Apply the YAML for the “Quote of the Moment” service.

kubectl apply -f https://app.getambassador.io/yaml/v2-docs/latest/quickstart/qotm.yaml

Copy the configuration below and save it to a file called quote-backend.yaml so that you can create a Mapping on your cluster. This Mapping tells Emissary-ingress to route all traffic inbound to the /backend/ path to the quote Service.
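The two resources this step depends on, as an added example modelled on the Emissary-ingress `getambassador.io/v3alpha1` API rather than the original post's snippets: the Listener from the start of the step, then the quote-backend Mapping. The Listener name and port 8080 are assumptions; the Mapping's prefix and service come from the paragraph above.

```yaml
# Added example (not from the original post). Assumes the v3alpha1 CRDs
# installed in Step 2 and the emissary namespace created in Step 1.
---
apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
  name: emissary-ingress-listener-8080   # assumed name
  namespace: emissary
spec:
  port: 8080          # assumed: the port the emissary-ingress Service targets
  protocol: HTTP
  # XFP classifies a request as secure or insecure from the X-Forwarded-Proto
  # header. That suits a proxy sitting behind a TLS-terminating load balancer,
  # but the header is only trustworthy if clients cannot reach this port
  # without passing through that load balancer.
  securityModel: XFP
  hostBinding:
    namespace:
      from: ALL       # SELF would limit this Listener to Hosts in its own namespace
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: quote-backend
  namespace: emissary
spec:
  hostname: "*"       # match any Host header; use a real hostname to narrow it
  prefix: /backend/   # requests under this path ...
  service: quote      # ... go to the quote Service created by qotm.yaml
```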

Apply the configuration to the cluster

kubectl apply -f quote-backend.yaml

With our Mapping created, we now need to access it, so store the Emissary-ingress load balancer IP address in a local environment variable. You will use this variable to test access to your service.

export LB_ENDPOINT=$(kubectl -n emissary get svc emissary-ingress -o "go-template={{range .status.loadBalancer.ingress}}{{or .ip .hostname}}{{end}}")

Test the configuration by accessing the service through the Emissary-ingress load balancer

curl -i http://$LB_ENDPOINT/backend/

You’ll see similar output

Okay, so our Ambassador stack is successfully installed. Now we’re going to attach it to our previously created ingress.

For that, let’s create an Ambassador service and then attach it to our ingress so that any incoming request is served by the ambassador.

Create ambassador.yaml file & paste the below snippet

To apply the configuration

kubectl apply -f ambassador.yaml

Now, as explained above, we’re going to configure our ingress so that it serves the ambassador service we’ve just created.

Edit your sample-demo-ingress.yaml file so that it looks similar to this

To apply the changes

kubectl apply -f sample-demo-ingress.yaml

Now our ingress is serving. Let’s map our sample-demo application to the ambassador. To do this, create a sample-demo-mapping.yaml file & paste the below snippet

To apply the changes

kubectl apply -f sample-demo-mapping.yaml

Note: You can create more such deployments as your application needs & map them to the ambassador in the same way.

Now if you open the IP of your ingress in the browser, you’ll see the default sample-demo page, which is served via the ambassador.

If you see that your ingress’s backend is not healthy, let’s create a custom health check.

Create a file backendconf.yaml for configuring your health check for the backend & paste the below snippet

Let’s apply this to our cluster

kubectl apply -f backendconf.yaml

After creating the health check, we need to apply it to our ambassador. To do this, edit your ambassador.yaml file so that it looks like this.
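A possible shape for backendconf.yaml and the edited ambassador.yaml, as an added example rather than the original post's snippets. The resource names, the Service ports and selector, and the choice of Emissary's `/ambassador/v0/check_ready` readiness path as the probe target are assumptions.

```yaml
# Added example (not from the original post).
# --- backendconf.yaml ---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: ambassador-hc            # assumed name
  namespace: emissary
spec:
  healthCheck:
    type: HTTP
    # Assumed probe target: Emissary's readiness endpoint. The load balancer
    # marks the backend healthy only on HTTP 200, so a 404 or a redirect on
    # the probed path keeps it unhealthy. Check the status code first with:
    #   curl -i http://$LB_ENDPOINT/ambassador/v0/check_ready
    requestPath: /ambassador/v0/check_ready
    checkIntervalSec: 10
    timeoutSec: 5
    healthyThreshold: 1
    unhealthyThreshold: 3
---
# --- ambassador.yaml ---
apiVersion: v1
kind: Service
metadata:
  name: ambassador
  namespace: emissary
  annotations:
    # Binds the BackendConfig above to every port of this Service.
    cloud.google.com/backend-config: '{"default": "ambassador-hc"}'
spec:
  type: NodePort
  selector:
    # Assumed pod label; confirm with:
    #   kubectl -n emissary get pods --show-labels
    app.kubernetes.io/name: emissary-ingress
  ports:
    - name: http
      port: 80
      targetPort: 8080           # assumed Listener port
```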

To apply the changes

kubectl apply -f ambassador.yaml

Congratulations, your Ambassador setup is successfully done.

Optional

You can attach a domain to the external IP of your ingress or load balancer & check that all your paths work in the browser.

To achieve this

Reserving our ingress IP -

VPC Network section -> left menu -> External IP Address -> filter (enter your ingress IP) -> click reserve -> give it a name -> reserve

Note - Please take note of your reserved IP name. We need this in the upcoming part.

Creating DNS Record -

Cloud DNS -> choose your domain -> add record set -> enter record URL of your choice (A record) -> enter your ingress IP in the Associated IP section -> create record

Attaching a certificate to our service. For creating a Google Managed certificate, create a file certificate.yaml & paste the snippet

To apply the configuration file

kubectl apply -f certificate.yaml

Provisioning your SSL certificate will take some time, so be patient. It takes 20 minutes to one hour. Until then, you can check the status of your certificate by running the below command

kubectl get managedcertificate

Now it’s time to attach this to our ingress. Open your sample-demo-ingress.yaml file & edit it like below
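A possible certificate.yaml and the matching edit to sample-demo-ingress.yaml, as an added example rather than the original post's snippets. The certificate and Ingress names, the `ambassador` backend Service on port 80 and the domain `demo.example.com` are placeholders or assumptions; the static IP name is the one noted while reserving the IP.

```yaml
# Added example (not from the original post).
# --- certificate.yaml ---
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: sample-demo-cert         # assumed name
  namespace: emissary            # must be the Ingress's namespace
spec:
  domains:
    # Placeholder domain. The certificate only becomes Active once this
    # name's A record resolves to the ingress IP.
    - demo.example.com
---
# --- sample-demo-ingress.yaml ---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sample-demo-ingress      # assumed name
  namespace: emissary
  annotations:
    kubernetes.io/ingress.class: "gce"
    # Placeholder: the name given to the reserved IP, not the address itself.
    kubernetes.io/ingress.global-static-ip-name: "RESERVED_IP_NAME"
    # Must match metadata.name of the ManagedCertificate above.
    networking.gke.io/managed-certificates: "sample-demo-cert"
    # Once the certificate is Active, setting
    #   kubernetes.io/ingress.allow-http: "false"
    # removes the cleartext HTTP listener from the load balancer.
spec:
  defaultBackend:
    service:
      name: ambassador           # assumed: the NodePort Service fronting Emissary
      port:
        number: 80
```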

To apply the changes

kubectl apply -f sample-demo-ingress.yaml

You can see the status from your load balancer page from the GCP console as well as in the terminal.

Using terminal -

Using console -

Load balancing -> advanced menu -> certificate -> click on your certificate name (you can easily find it by your domain)

After provisioning, you’ll see something like this

Congratulations, we’re done with our Ambassador on GKE. If you have any queries, you can reach out to me on LinkedIn

Please refer to the latest version of the ambassador using the following link

Happy Learning………
