I need to deploy a backend service to GKE. This backend service consists of a REST API and a TCP server that will be used by several IoT devices. By following the tutorials on the Google Kubernetes Engine documentation, I was able to deploy the following service that achieves this:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: LoadBalancer
  selector:
    app: my-backend-app
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8080
    - name: my-tcp-service
      protocol: TCP
      port: 2222
      targetPort: 2222
```
The problem with the above configuration is that I am unable to set up TLS for my REST API. All the resources that I find for setting up TLS on Kubernetes point me towards Ingress, and upon trying that, I discovered that Ingress won't work with my TCP server, as Ingress is (as far as I understand) a kind of HTTP proxy.
Is there any way I can set up TLS (HTTPS) directly on the LoadBalancer without the need for Ingress (a Google-managed certificate would be preferred)? Should I use Ingress for the REST API and something else for the TCP server?
Service type LoadBalancer is strictly a layer 4 service, thus it is impossible to have SSL termination happen on the LB. Traffic will be forwarded to your pods and SSL termination will need to occur there. Either that or you will need to have a proxy receive traffic and terminate TLS before forwarding the traffic to your application.
The Ingress is currently the only option to use for Google-managed certificates. You are correct that it uses an HTTP proxy to terminate the requests. If you can arrange to have all requests come using different URLs, you could use a single Ingress, even for the TCP service (the front end would still be 443, but you can forward requests to port 2222).
The best option, though, would be to use the Ingress w/ managed certs for the HTTP(S) services and use the LoadBalancer service for the TCP service.
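A sketch of the split recommended above, added here as an illustration and not part of the original answer: a GKE Ingress with a Google-managed certificate in front of the REST API, and a separate LoadBalancer Service for the TCP port. The domain `api.example.com` and the resource names `my-api-cert`, `my-rest-api` and `my-rest-api-ingress` are placeholders; the selector and ports are taken from the question.

```yaml
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: my-api-cert            # hypothetical name
spec:
  domains:
    - api.example.com          # placeholder; DNS must resolve to the Ingress IP
---
apiVersion: v1
kind: Service
metadata:
  name: my-rest-api            # hypothetical name
spec:
  type: NodePort               # backend for the Ingress, not exposed directly
  selector:
    app: my-backend-app
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-rest-api-ingress    # hypothetical name
  annotations:
    kubernetes.io/ingress.class: "gce"
    networking.gke.io/managed-certificates: my-api-cert
spec:
  defaultBackend:              # TLS terminates at the HTTP(S) load balancer
    service:
      name: my-rest-api
      port:
        number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: my-tcp-service
spec:
  type: LoadBalancer           # layer 4 only: no TLS termination here
  selector:
    app: my-backend-app
  ports:
    - name: my-tcp-service
      protocol: TCP
      port: 2222
      targetPort: 2222
```

With this layout the IoT traffic on port 2222 still reaches the pod exactly as the devices sent it, so any TLS for that channel has to be terminated in the application or in a proxy in front of it.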