Use Google Kubernetes Engine Ingress for Application Load Balancers

A cluster-level ingress controller can be used to route traffic to an ArcGIS Enterprise deployment on Google Kubernetes Engine (GKE). For more information, see Cluster-level ingress controllers.

Note:

This workflow should be performed prior to creating an ArcGIS Enterprise organization. ArcGIS Enterprise Manager can be accessed from a browser once a load balancer has been deployed and configured.

Prerequisites

Review the general prerequisites and ensure the following GKE-specific prerequisites are met:

  • You must have created a cluster in GKE.
  • The HTTP Load Balancing add-on must be enabled on your cluster.
  • Kubectl must be installed on your client machine. Ensure that you can connect and issue commands to the Kubernetes API Server that is associated with the created cluster.
  • The Google Cloud Platform CLI must be installed on your client machine. Ensure that you can authenticate to the project in which your GKE cluster exists.
  • You must have created a self-managed certificate within your Google Cloud project. Once the certificate exists within your project, take note of its name. Alternatively, this certificate can be specified within a Kubernetes Secret for later use, which will need to be created within the deployment namespace.

Add annotations to the in-cluster ingress controller service

Add annotations to the in-cluster ingress controller service following the initial deployment of ArcGIS Enterprise on Google Kubernetes Engine.

  1. Run the following command to add an annotation to the deployed service that will ensure that TLS communication is used:
    kubectl annotate svc arcgis-ingress-nginx -n <namespace> cloud.google.com/app-protocols='{"https":"HTTPS"}'
    
  2. Add an additional annotation to the in-cluster controller service to configure a health check for your organization.

    This can be done using BackendConfig CRD.

    1. Copy and save the following YAML data to a text editor on your client workstation.

      In this example, the file is saved as backendconfig.yaml.

      apiVersion: cloud.google.com/v1
      kind: BackendConfig
      metadata:
        name: my-backendconfig
        namespace: <deploymentNamespace>
      spec:
        healthCheck:
          type: HTTPS
          requestPath: /<context>/admin
          port: 443
      

      Note:

      Additional health check parameters can be added to the BackendConfig object YAML to suit organizational needs. To understand the additional health check parameters that can be added to the BackendConfig spec, see the Google Cloud documentation. You will need to update the value for context within the requestPath field to match the context path that was specified during deployment.

    2. Create the BackendConfig object using the following command:
      kubectl apply -f backendconfig.yaml
      
    3. Annotate the in-cluster ingress controller service with the following annotation:
      kubectl annotate svc arcgis-ingress-nginx -n <namespace> cloud.google.com/backend-config='{"default": "my-backendconfig"}'
      
      This will ensure that the previously created health check is used by the load balancer that will be deployed by the GKE ingress controller.

Create the Ingress object

Now that the annotations have been added to the in-cluster ingress controller service, create the Ingress object using the following steps:

  1. Open the template included in the layer-7-templates folder or copy the following example to a file on your client machine:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: arcgis-enterprise-ingress
      namespace: <deploymentNamespace>
      annotations:
        kubernetes.io/ingress.class: "gce"
        kubernetes.io/ingress.allow-http: "false"
        ingress.gcp.kubernetes.io/pre-shared-cert: "<certificateName>"
      labels:
        id: custom-ingress-resource
    spec:
      defaultBackend:
        service:
          name: arcgis-ingress-nginx
          port:
            number: 443
      rules:
      - host: <deploymentFQDN>
        http:
          paths:
          - path: /<context>
            pathType: Prefix
            backend:
              service:
                name: arcgis-ingress-nginx
                port:
                  number: 443
    
  2. Replace the following values:
    • certificateName—Provide the name of the newly uploaded certificate.
    • deploymentFQDN—Provide the fully qualified domain name that was specified during deployment.
    • namespace—Provide the namespace in which you have deployed ArcGIS Enterprise on Kubernetes.
    • context—Provide the context that was specified during deployment.
  3. Save the file to your client workstation.

    For example, ingress.yaml.

  4. Create the Ingress object by doing one of the following:
    • Apply Ingress YAML data to your cluster using the following command:
      kubectl apply -f ingress.yaml
      
    • When running the deployment script silently, set CLUSTER_INGRESS_CONTROLLER_YAML_FILENAME to the location of the Ingress YAML file.

Once you complete this workflow, an Ingress object called arcgis-enterprise-ingress is created. Upon creating this Ingress object, the GKE Ingress Controller will provision an Application Load Balancer in your Google Cloud project. An associated network endpoint group will be created, which will contain the backend in-cluster NGINX ingress controller pod IP address. Once the load balancer has been created, your ArcGIS Enterprise deployment should be accessible, and an A record can be created that directs clients from the fully qualified domain name that was specified during the initial deployment to the provisioned load balancer.

Note:

The arcgis-ingress-controller deployment may need to be refreshed to make a proper connection through the newly created Ingress. If you receive an error when accessing ArcGIS Enterprise Manager after creating the ingress, try running the following:

kubectl rollout restart deployment/arcgis-ingress-controller -n <deploymentNamespace>