### Cloud Ingress for GKE<br>

***

<br>

**Ingress for GKE**<br>

An object within GKE that defines rules for routing traffic to specific Services<br>
<br>

**Ingress**<br>

An Ingress object defines rules for routing HTTP(S) traffic to apps running in the cluster<br>
An Ingress object is associated with one or more Service objects, each of which is associated with a set of pods<br>

When you create an Ingress object, the GKE ingress controller creates a Cloud HTTP(S) load balancer<br>
and configures it according to the information in the Ingress<br>
and its associated Services<br>

GKE Ingress is a built-in, managed ingress controller.<br>
This controller implements Ingress resources as Google Cloud load balancers for HTTP(S) workloads in GKE<br>

The load balancer is given a stable IP address that you can associate with a domain name<br>
Each external or internal HTTP(S) load balancer uses a single URL map, which references one or more backend services<br>

One backend service corresponds to each Service referenced by the Ingress<br>

User -> websitename.co -> HTTP(S) Loadbalancer -> Ingress (/products /discontinued) -> /products Service port 80 -> Node1<br>

Ingress is a powerful way to expose your services, but it can be very complex,<br>
as there are many types of Ingress to choose from, along with plugins for ingress controllers<br>

Ingress is most useful and cost-effective if you want to expose multiple services under the same IP,<br>
as you only pay for 1 load balancer. If you're using native GCP integration, it comes with features<br>

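```yaml
# ingress.yaml
# networking.k8s.io/v1beta1 was removed in Kubernetes 1.22; on newer clusters use
# networking.k8s.io/v1, which replaces serviceName/servicePort with
# service.name / service.port.number and requires pathType on every path.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-net
spec:
  rules:
  - http:
      paths:
      - path: /*
        backend:
          serviceName: products # this path directs traffic to the Service in products-service.yaml
          servicePort: 80
      - path: /discontinued
        backend:
          serviceName: discontinued # this path directs traffic to the Service in discontinued-service.yaml
          servicePort: 80
```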

**Network Endpoint Group (NEG)**<br>

A configuration object that specifies a group of backend endpoints for Services<br>
NEGs are useful for container-native load balancing, where each container can be represented as an endpoint to the load balancer<br>
NEGs are used to track pod endpoints dynamically<br>

Google load balancers can route traffic to the appropriate backends<br>
Traffic is load-balanced from the load balancer directly to the pod IP, as opposed to traversing the VM IP and kube-proxy networking<br>
Under these conditions, Services are annotated automatically, indicating that a NEG should be created to mirror the pod IPs within the Service<br>
NEGs are what allow Compute Engine load balancers to communicate directly with pods<br>

Mapping of the Ingress manifest to Compute Engine resources:<br>
User -traffic-> (kind: INGRESS) IP address (Global Load Balancer) -> Forwarding Rule -> Target HTTP Proxy<br>
-> URL Map -> Backend Service /product, /discontinued -> (kind: SERVICE) Network Endpoint Group(NEG) -> Pod IP<br>

The GKE ingress controller deploys and manages Compute Engine load balancer resources<br>
based on the Ingress resources that are deployed in the cluster<br>

**Health Checks**<br>

Default and inferred parameters are used if no health check parameters are specified<br>
Health check parameters for a backend service should be explicitly defined by using a BackendConfig **custom resource definition (CRD)** in these cases:<br>
- anthos ingress controller<br>
- more than 1 container<br>
- specific port for LB health check<br>

Backend service's health check<br>
- healthCheck parameter of a BackendConfig CRD referenced by the Service<br>
<br>
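
The wiring described in the NEG and Health Checks notes above, as an added example that is not part of the original notes: a BackendConfig with explicit `healthCheck` parameters, and a Service that references it and requests a NEG. The object names, the `app: products` label, port 8080, the `/healthz` path and the timing values are assumptions.

```yaml
# products-backendconfig.yaml (added example; names, port and path are assumptions)
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: products-backendconfig      # hypothetical name
spec:
  healthCheck:
    type: HTTP
    requestPath: /healthz           # assumed health endpoint of the serving container
    port: 8080                      # with NEGs the probe targets the pod, so use the container port
    checkIntervalSec: 15            # seconds between probes
    timeoutSec: 5                   # must not exceed checkIntervalSec
    healthyThreshold: 1             # consecutive successes before marking healthy
    unhealthyThreshold: 2           # consecutive failures before marking unhealthy
---
# products-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: products
  annotations:
    # Ask GKE to create a NEG so the load balancer sends traffic straight to pod IPs
    cloud.google.com/neg: '{"ingress": true}'
    # Bind the BackendConfig above to every port of this Service
    cloud.google.com/backend-config: '{"default": "products-backendconfig"}'
spec:
  type: ClusterIP
  selector:
    app: products                   # assumed pod label
  ports:
  - port: 80                        # port the Ingress backend refers to
    targetPort: 8080                # assumed container port
```

Pinning the probe to one port and path matters when the pod runs more than one container, because the inferred health check may otherwise target a container that does not reflect whether the app can serve traffic.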

**SSL Certificate**<br>

Loadbalancer<br>

**Google-managed certificate**<br>
- completely managed by Google<br>
- does not support wildcard domains<br>

**Self-managed**<br>
- managed and shared with Google Cloud<br>
- provision your own certificates<br>
- list the certificates in annotation for use<br>

**Self-managed as Secrets**<br>
- Provision your own certificates<br>
- Create a secret to hold the certificate<br>
- Refer to the secret for use<br>

Multiple certificates: specify in Ingress manifest<br>
<br>