</code></pre></div></li><li><p>If you have a gRPC app deployed in your cluster, then skip further notes in this Step 1, and continue from Step 2 below.</p></li><li><p>As an example gRPC application, we can use this app <ahref=https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go>https://github.com/grpc/grpc-go/blob/91e0aeb192456225adf27966d04ada4cf8599915/examples/features/reflection/server/main.go</a>.</p></li><li><p>To create a container image for this app, you can use <ahref=https://github.com/kubernetes/ingress-nginx/blob/main/images/go-grpc-greeter-server/rootfs/Dockerfile>this Dockerfile</a>. </p></li><li><p>If you use the Dockerfile mentioned above, to create a image, then you can use the following example Kubernetes manifest to create a deployment resource that uses that image. If necessary edit this manifest to suit your needs.</p></li></ul><divclass=highlight><pre><span></span><code>cat <<EOF | kubectl apply -f -
</code></pre></div><h3id=step-2-create-the-kubernetes-service-for-the-grpc-app>Step 2: Create the Kubernetes <code>Service</code> for the gRPC app<aclass=headerlinkhref=#step-2-create-the-kubernetes-service-for-the-grpc-apptitle="Permanent link"> ¶</a></h3><ul><li>You can use the following example manifest to create a service of type ClusterIP. Edit the name/namespace/label/port to match your deployment/pod. <divclass=highlight><pre><span></span><code>cat <<EOF | kubectl apply -f -
</code></pre></div></li><li>You can save the above example manifest to a file with name <code>service.go-grpc-greeter-server.yaml</code> and edit it to match your deployment/pod, if required. You can create the service resource with a kubectl command like this:</li></ul><divclass=highlight><pre><span></span><code>$ kubectl create -f service.go-grpc-greeter-server.yaml
</code></pre></div><h3id=step-3-create-the-kubernetes-ingress-resource-for-the-grpc-app>Step 3: Create the Kubernetes <code>Ingress</code> resource for the gRPC app<aclass=headerlinkhref=#step-3-create-the-kubernetes-ingress-resource-for-the-grpc-apptitle="Permanent link"> ¶</a></h3><ul><li>Use the following example manifest of a ingress resource to create a ingress for your grpc app. If required, edit it to match your app's details like name, namespace, service, secret etc. Make sure you have the required SSL-Certificate, existing in your Kubernetes cluster in the same namespace where the gRPC app is. The certificate must be available as a kubernetes secret resource, of type "kubernetes.io/tls" https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets. This is because we are terminating TLS on the ingress.</li></ul><divclass=highlight><pre><span></span><code>cat <<EOF | kubectl apply -f -
</code></pre></div><ul><li>If you save the above example manifest as a file named <code>ingress.go-grpc-greeter-server.yaml</code> and edit it to match your deployment and service, you can create the ingress like this:</li></ul><divclass=highlight><pre><span></span><code>$ kubectl create -f ingress.go-grpc-greeter-server.yaml
</code></pre></div><ul><li><p>The takeaway is that we are not doing any TLS configuration on the server (as we are terminating TLS at the ingress level, gRPC traffic will travel unencrypted inside the cluster and arrive "insecure").</p></li><li><p>For your own application you may or may not want to do this. If you prefer to forward encrypted traffic to your POD and terminate TLS at the gRPC server itself, add the ingress annotation <code>nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"</code>.</p></li><li><p>A few more things to note:</p></li><li><p>We've tagged the ingress with the annotation <code>nginx.ingress.kubernetes.io/backend-protocol: "GRPC"</code>. This is the magic ingredient that sets up the appropriate nginx configuration to route http/2 traffic to our service.</p></li><li><p>We're terminating TLS at the ingress and have configured an SSL certificate <code>wildcard.dev.mydomain.com</code>. The ingress matches traffic arriving as <code>https://grpctest.dev.mydomain.com:443</code> and routes unencrypted messages to the backend Kubernetes service.</p></li></ul><h3id=step-4-test-the-connection>Step 4: test the connection<aclass=headerlinkhref=#step-4-test-the-connectiontitle="Permanent link"> ¶</a></h3><ul><li>Once we've applied our configuration to Kubernetes, it's time to test that we can actually talk to the backend. To do this, we'll use the <ahref=https://github.com/fullstorydev/grpcurl>grpcurl</a> utility:</li></ul><divclass=highlight><pre><span></span><code>$ grpcurl grpctest.dev.mydomain.com:443 helloworld.Greeter/SayHello
</code></pre></div><h3id=debugging-hints>Debugging Hints<aclass=headerlinkhref=#debugging-hintstitle="Permanent link"> ¶</a></h3><ol><li>Obviously, watch the logs on your app.</li><li>Watch the logs for the ingress-nginx-controller (increasing verbosity as needed).</li><li>Double-check your address and ports.</li><li>Set the <code>GODEBUG=http2debug=2</code> environment variable to get detailed http/2 logging on the client and/or server.</li><li>Study RFC 7540 (http/2) <ahref=https://tools.ietf.org/html/rfc7540>https://tools.ietf.org/html/rfc7540</a>.</li></ol><blockquote><p>If you are developing public gRPC endpoints, check out https://proto.stack.build, a protocol buffer / gRPC build service that can use to help make it easier for your users to consume your API.</p><p>See also the specific gRPC settings of NGINX: https://nginx.org/en/docs/http/ngx_http_grpc_module.html</p></blockquote><h3id=notes-on-using-responserequest-streams>Notes on using response/request streams<aclass=headerlinkhref=#notes-on-using-responserequest-streamstitle="Permanent link"> ¶</a></h3><blockquote><p><code>grpc_read_timeout</code> and <code>grpc_send_timeout</code> will be set as <code>proxy_read_timeout</code> and <code>proxy_send_timeout</code> when you set backend protocol to <code>GRPC</code> or <code>GRPCS</code>.</p></blockquote><ol><li>If your server only does response streaming and you expect a stream to be open longer than 60 seconds, you will have to change the <code>grpc_read_timeout</code> to accommodate this.</li><li>If your service only does request streaming and you expect a stream to be open longer than 60 seconds, you have to change the <code>grpc_send_timeout</code> and the <code>client_body_timeout</code>.</li><li>If you do both response and request streaming with an open stream longer than 60 seconds, you have to change all three timeouts: <code>grpc_read_timeout</code>, <code>grpc_send_timeout</code> and <code>client_body_timeout</code>.</li></ol></article></div></div></main><footerclass=md-footer><divclass="md-footer-meta md-typeset"><divclass="md-footer-meta__inner md-grid"><divclass=md-copyright> Made with <ahref=https://squidfunk.github.io/mkdocs-material/target=_blankrel=noopener> Material for MkDocs </a></div></div></div></footer></div><divclass=md-dialogdata-md-component=dialog><divclass="md-dialog__inner md-typeset"></div></div><scriptid=__configtype=application/json>{"base":"../..","features":["navigation.tabs","navigation.tabs.sticky","navigation.instant","navigation.sections"],"search":"../../assets/javascripts/workers/search.f886a092.min.js","translations":{"clipboard.copied":"Copied to clipboard","clipboard.copy":"Copy to clipboard","search.result.more.one":"1 more on this page","search.result.more.other":"# more on this page","search.result.none":"No matching documents","search.result.one":"1 matching document","search.result.other":"# matching documents","search.result.placeholder":"Type to start searching","search.result.term.missing":"Missing","select.version":"Select version"}}</script><scriptsrc=../../assets/javascripts/bundle.aecac24b.min.js></script></body></html>
