Using Envoy to load-balance gRPC services on GKE

This repository contains the code used in the tutorial Using Envoy Proxy to load-balance gRPC services on GKE.

The tutorial demonstrates how to expose multiple gRPC services deployed on Google Kubernetes Engine (GKE) via a single external IP address using External TCP/UDP Network Load Balancing and Envoy Proxy. The tutorial uses Envoy Proxy to highlight some of the advanced features it provides for gRPC.

Quick start

1. Create a self-signed TLS certificate and private key:

   openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
       -keyout privkey.pem -out cert.pem -extensions san \
       -config \
       <(echo "[req]";
         echo distinguished_name=req;
         echo "[san]";
         echo subjectAltName=DNS:grpc.example.com
        ) \
       -subj '/CN=grpc.example.com'

2. Create a Kubernetes Secret called envoy-certs that contains the self-signed TLS certificate and private key:

   kubectl create secret tls envoy-certs --key=privkey.pem --cert=cert.pem \
       --dry-run=client --output=yaml | kubectl apply --filename -

3. Build the container images for the sample apps echo-grpc and reverse-grpc, push them to a registry, and deploy them to a Kubernetes cluster, using Skaffold:

   skaffold run \
       --default-repo=gcr.io/$(gcloud config get-value core/project) \
       --module=echo-grpc,reverse-grpc \
       --skip-tests

4. Deploy Envoy to the Kubernetes cluster:

   skaffold run \
       --digest-source=none \
       --module=envoy \
       --skip-tests

Test the solution

1. Install grpcurl:

   go install github.com/fullstorydev/grpcurl/cmd/grpcurl@latest

   If you don't have the Go distribution installed, you can instead download a binary release.

2. Get the external IP address of the envoy Kubernetes Service and store it in an environment variable:

   EXTERNAL_IP=$(kubectl get service envoy \
       --output=jsonpath='{.status.loadBalancer.ingress[0].ip}')

3. Send a request to the echo-grpc sample app:

   grpcurl -d '{"content": "echo"}' -proto echo-grpc/api/echo.proto \
       -authority grpc.example.com -cacert cert.pem -v \
       $EXTERNAL_IP:443 api.Echo/Echo

4. Send a request to the reverse-grpc sample app:

   grpcurl -d '{"content": "reverse"}' -proto reverse-grpc/api/reverse.proto \
       -authority grpc.example.com -cacert cert.pem -v \
       $EXTERNAL_IP:443 api.Reverse/Reverse

Cleaning up

1. Delete the Kubernetes resources:

   skaffold delete
   
   kubectl delete secret tls envoy-certs

2. Delete the container images from Container Registry:

   gcloud container images list-tags gcr.io/$(gcloud config get-value core/project)/echo-grpc \
       --format 'value(digest)' | xargs -I {} gcloud container images delete \
       --force-delete-tags --quiet gcr.io/$(gcloud config get-value core/project)/echo-grpc@sha256:{}
   
   gcloud container images list-tags gcr.io/$(gcloud config get-value core/project)/reverse-grpc \
       --format 'value(digest)' | xargs -I {} gcloud container images delete \
       --force-delete-tags --quiet gcr.io/$(gcloud config get-value core/project)/reverse-grpc@sha256:{}

Disclaimer

This is not an officially supported Google product.