Use Google Kubernetes Engine Ingress for Application Load Balancers
You can use a cluster-level ingress controller to route traffic to an ArcGIS Enterprise deployment on Google Kubernetes Engine (GKE). For more information, see Cluster-level ingress controllers.
The Classic Application Load Balancer created by this workflow will terminate both active and idle WebSocket connections after the expiration of the backend service timeout value. This can interrupt connections from clients using capabilities that require WebSocket connections, such as workflow management services or notebook services. While terminated WebSocket connections can be reestablished, timeout errors returned by client applications can interrupt user workflows. See the Google Cloud Platform documentation for more information.
Before creating a cluster-level ingress controller, evaluate whether the benefits of this option outweigh potential disruption to WebSocket connections for your organization. If it is important to maintain open WebSocket connections, create a LoadBalancer service when you run the deployment script for ArcGIS Enterprise on Kubernetes instead of using a cluster-level ingress controller.
Note:
Complete this workflow before creating an ArcGIS Enterprise organization. You can access ArcGIS Enterprise Manager in a browser after you deploy and configure a load balancer.
Prerequisites
Review the general prerequisites and ensure the following GKE-specific prerequisites are met:
You must have created a cluster in GKE.
The HTTP Load Balancing add-on must be enabled on your cluster.
Kubectl must be installed on your client machine. Ensure that you can connect and issue commands to the Kubernetes API Server that is associated with the created cluster.
The Google Cloud Platform CLI must be installed on your client machine. Ensure that you can authenticate to the project in which your GKE cluster exists.
You must have created a self-managed certificate within your Google Cloud project. Once the certificate exists within your project, take note of its name. Alternatively, this certificate can be specified within a Kubernetes Secret for later use, which will need to be created within the deployment namespace.
Add annotations to the in-cluster ingress controller service
Add annotations to the in-cluster ingress controller service following the initial deployment of ArcGIS Enterprise on Google Kubernetes Engine.
Run the following command to add an annotation to the deployed service that will ensure that TLS communication is used:
kubectl annotate svc arcgis-ingress-nginx -n <namespace> cloud.google.com/app-protocols='{"https":"HTTPS"}'
Add an additional annotation to the in-cluster controller service to configure a health check for your organization.
You can use the BackendConfig CRD for this step.
Copy and save the following YAML data to a text editor on your client workstation.
In this example, the file is saved as backendconfig.yaml.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: <deploymentNamespace>
spec:
  timeoutSec: 600
  healthCheck:
    type: HTTPS
    requestPath: /<context>/admin
    port: 443
Note:
Additional health check parameters can be added to the BackendConfig object YAML to suit organizational needs. To understand the additional health check parameters that can be added to the BackendConfig spec, see the Google Cloud documentation. You will need to update the value for context within the requestPath field to match the context path that was specified during deployment.
Create the BackendConfig object using the following command:
kubectl apply -f backendconfig.yaml
Annotate the in-cluster ingress controller service with the following annotation:
kubectl annotate svc arcgis-ingress-nginx -n <namespace> cloud.google.com/backend-config='{"default": "my-backendconfig"}'
This ensures that the previously created health check is used by the load balancer deployed by the GKE ingress controller.
Create the Ingress object
Now that the annotations have been added to the in-cluster ingress controller service, create the Ingress object using the following steps:
Open the template included in the layer-7-templates folder or copy the following example to a file on your client machine:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: arcgis-enterprise-ingress
  namespace: <deploymentNamespace>
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.allow-http: "false"
    ingress.gcp.kubernetes.io/pre-shared-cert: "<certificateName>"
  labels:
    id: custom-ingress-resource
spec:
  defaultBackend:
    service:
      name: arcgis-ingress-nginx
      port:
        number: 443
  rules:
  - host: <deploymentFQDN>
    http:
      paths:
      - path: /<context>
        pathType: Prefix
        backend:
          service:
            name: arcgis-ingress-nginx
            port:
              number: 443
Replace the following values:
certificateName—Provide the name of the newly uploaded certificate.
deploymentFQDN—Provide the fully qualified domain name that was specified during deployment.
namespace—Provide the namespace in which you have deployed ArcGIS Enterprise on Kubernetes.
context—Provide the context that was specified during deployment.
Save the file to your client workstation.
For example, ingress.yaml.
Create the Ingress object by doing one of the following:
Apply Ingress YAML data to your cluster using the following command:
kubectl apply -f ingress.yaml
When running the deployment script silently, set CLUSTER_INGRESS_CONTROLLER_YAML_FILENAME to the location of the Ingress YAML file.
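The following pre-apply check is an added example, not part of the template or the deployment script: it lints the saved Ingress manifest for the settings this workflow depends on (no leftover template placeholders, HTTP disabled, a certificate referenced, backends on port 443). The function names and the sample values (namespace arcgis, certificate example-cert) are constructed, and the check covers only the pre-shared certificate form shown in the template.

```shell
# Added example: pre-apply lint for the Ingress manifest (ingress.yaml).
# lint_ingress FILE prints findings and returns 0 when clean, 1 otherwise.
lint_ingress() {
    f=$1
    rc=0
    # 1. Template placeholders such as <certificateName> must all be replaced.
    if grep -nE '<[A-Za-z]+>' "$f"; then
        echo "FAIL: unreplaced placeholder(s) listed above"
        rc=1
    fi
    # 2. The load balancer must not accept plain HTTP.
    if ! grep -qE '^ *kubernetes\.io/ingress\.allow-http: *"false" *$' "$f"; then
        echo 'FAIL: kubernetes.io/ingress.allow-http is not "false"'
        rc=1
    fi
    # 3. A pre-shared certificate name must be present and non-empty.
    if ! grep -qE '^ *ingress\.gcp\.kubernetes\.io/pre-shared-cert: *"?[^" ]+' "$f"; then
        echo "FAIL: pre-shared-cert annotation is missing or empty"
        rc=1
    fi
    # 4. Every backend port must be 443, the HTTPS port of arcgis-ingress-nginx.
    bad=$(awk '$1 == "number:" && $2 != "443" { print NR }' "$f")
    if [ -n "$bad" ]; then
        echo "FAIL: backend port is not 443 on line(s): $bad"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the page's template with made-up values filled in.
sample_manifest() {
    cat <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: arcgis-enterprise-ingress
  namespace: arcgis
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.allow-http: "false"
    ingress.gcp.kubernetes.io/pre-shared-cert: "example-cert"
spec:
  defaultBackend:
    service:
      name: arcgis-ingress-nginx
      port:
        number: 443
EOF
}
```

Source the file and run lint_ingress ingress.yaml before kubectl apply; a non-zero return means the manifest still needs editing.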
Once you complete this workflow, an Ingress object called arcgis-enterprise-ingress is created. Upon creating this Ingress object, the GKE Ingress Controller provisions an Application Load Balancer in your Google Cloud project. It also creates an associated network endpoint group that contains the backend in-cluster NGINX ingress controller pod IP address. Your ArcGIS Enterprise deployment is accessible after the load balancer is created. You can then create an A record that directs clients from the fully qualified domain name specified during the initial deployment to the provisioned load balancer.
Note:
The arcgis-ingress-controller deployment may need to be refreshed to make a proper connection through the newly created Ingress. If you receive an error when accessing ArcGIS Enterprise Manager after creating the ingress, try running the following:
kubectl rollout restart deployment/arcgis-ingress-controller -n <deploymentNamespace>