</code></pre></div><p>This is a standard kubernetes deployment object. It is running a grpc service listening on port <code>50051</code>.</p><p>The sample application <ahref=https://github.com/kubernetes/ingress-nginx/tree/master/images/grpc-fortune-teller>fortune-teller-app</a> is a grpc server implemented in go. Here's the stripped-down implementation:</p><divclass=highlight><pre><span></span><code><spanclass=kd>func</span><spanclass=nx>main</span><spanclass=p>()</span><spanclass=p>{</span>
</code></pre></div><p>The takeaway is that we are not doing any TLS configuration on the server (as we are terminating TLS at the ingress level, grpc traffic will travel unencrypted inside the cluster and arrive "insecure").</p><p>For your own application you may or may not want to do this. If you prefer to forward encrypted traffic to your POD and terminate TLS at the gRPC server itself, add the ingress annotation <code>nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"</code>.</p><h3id=step-2-the-kubernetes-service>Step 2: the kubernetes <code>Service</code><aclass=headerlinkhref=#step-2-the-kubernetes-servicetitle="Permanent link"> ¶</a></h3><divclass=highlight><pre><span></span><code>$ kubectl create -f svc.yaml
</code></pre></div><p>Here we have a typical service. Nothing special, just routing traffic to the backend application on port <code>50051</code>.</p><h3id=step-3-the-kubernetes-ingress>Step 3: the kubernetes <code>Ingress</code><aclass=headerlinkhref=#step-3-the-kubernetes-ingresstitle="Permanent link"> ¶</a></h3><divclass=highlight><pre><span></span><code>$ kubectl create -f ingress.yaml
</code></pre></div><p>A few things to note:</p><ol><li>We've tagged the ingress with the annotation <code>nginx.ingress.kubernetes.io/backend-protocol: "GRPC"</code>. This is the magic ingredient that sets up the appropriate nginx configuration to route http/2 traffic to our service.</li><li>We're terminating TLS at the ingress and have configured an SSL certificate <code>fortune-teller.stack.build</code>. The ingress matches traffic arriving as <code>https://fortune-teller.stack.build:443</code> and routes unencrypted messages to our kubernetes service.</li></ol><h3id=step-4-test-the-connection>Step 4: test the connection<aclass=headerlinkhref=#step-4-test-the-connectiontitle="Permanent link"> ¶</a></h3><p>Once we've applied our configuration to kubernetes, it's time to test that we can actually talk to the backend. To do this, we'll use the <ahref=https://github.com/fullstorydev/grpcurl>grpcurl</a> utility:</p><divclass=highlight><pre><span></span><code>$ grpcurl fortune-teller.stack.build:443 build.stack.fortune.FortuneTeller/Predict
<spanclass=o>{</span>
<spanclass=s2>"message"</span>: <spanclass=s2>"Let us endeavor so to live that when we come to die even the undertaker will be sorry.\n\t\t-- Mark Twain, \"Pudd'nhead Wilson's Calendar\""</span>
<spanclass=o>}</span>
</code></pre></div><h3id=debugging-hints>Debugging Hints<aclass=headerlinkhref=#debugging-hintstitle="Permanent link"> ¶</a></h3><ol><li>Obviously, watch the logs on your app.</li><li>Watch the logs for the nginx-ingress-controller (increasing verbosity as needed).</li><li>Double-check your address and ports.</li><li>Set the <code>GODEBUG=http2debug=2</code> environment variable to get detailed http/2 logging on the client and/or server.</li><li>Study RFC 7540 (http/2) <ahref=https://tools.ietf.org/html/rfc7540>https://tools.ietf.org/html/rfc7540</a>.</li></ol><blockquote><p>If you are developing public gRPC endpoints, check out https://proto.stack.build, a protocol buffer / gRPC build service that can use to help make it easier for your users to consume your API.</p><p>See also the specific GRPC settings of NGINX: https://nginx.org/en/docs/http/ngx_http_grpc_module.html</p></blockquote><h3id=notes-on-using-responserequest-streams>Notes on using response/request streams<aclass=headerlinkhref=#notes-on-using-responserequest-streamstitle="Permanent link"> ¶</a></h3><ol><li>If your server does only response streaming and you expect a stream to be open longer than 60 seconds, you will have to change the <code>grpc_read_timeout</code> to accommodate for this.</li><li>If your service does only request streaming and you expect a stream to be open longer than 60 seconds, you have to change the <code>grpc_send_timeout</code> and the <code>client_body_timeout</code>.</li><li>If you do both response and request streaming with an open stream longer than 60 seconds, you have to change all three timeouts: <code>grpc_read_timeout</code>, <code>grpc_send_timeout</code> and <code>client_body_timeout</code>.</li></ol><p>Values for the timeouts must be specified as e.g. <code>"1200s"</code>.</p><blockquote><p>On the most recent versions of nginx-ingress, changing these timeouts requires using the <code>nginx.ingress.kubernetes.io/server-snippet</code> annotation. There are plans for future releases to allow using the Kubernetes annotations to define each timeout separately.</p></blockquote></article></div></div></main><footerclass=md-footer><divclass=md-footer-nav><navclass="md-footer-nav__inner md-grid"aria-label=Footer><ahref=../docker-registry/class="md-footer-nav__link md-footer-nav__link--prev"rel=prev><divclass="md-footer-nav__button md-icon"><svgxmlns=http://www.w3.org/2000/svgviewbox="0 0 24 24"><pathd="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg></div><divclass=md-footer-nav__title><divclass=md-ellipsis><spanclass=md-footer-nav__direction> Previous </span> Docker registry </div></div></a><ahref=../multi-tls/class="md-footer-nav__link md-footer-nav__link--next"rel=next><divclass=md-footer-nav__title><divclass=md-ellipsis><spanclass=md-footer-nav__direction> Next </span> Multi TLS certificate termination </div></div><divclass="md-footer-nav__button md-icon"><svgxmlns=http://www.w3.org/2000/svgviewbox="0 0 24 24"><pathd="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg></div></a></nav></div><divclass="md-footer-meta md-typeset"><divclass="md-footer-meta__inner md-grid"><divclass=md-footer-copyright> Made with <ahref=https://squidfunk.github.io/mkdocs-material/target=_blankrel=noopener> Material for MkDocs </a></div></div></div></footer></div><scriptsrc=../../assets/javascripts/vendor.93c04032.min.js></script><scriptsrc=../../assets/javascripts/bundle.83e5331e.min.js></script><scriptid=__langtype=application/json>{"clipboard.copy":"Copytoclipboard","clipboard.copied":"Copiedtoclipboard","search.config.lang":"en","search.config.pipeline":"trimmer,stopWordFilter","search.config.separator":"[\\s\\-]+","search.placeholder":"Search","search.result.placeholder":"Typetostartsearching","search.result.none":"Nomatchingdocuments","search.result.one":"1matchingdocument","search.result.other":"#matchingdocuments","search.result.more.one":"1moreonthis
