Firebase Emulator Auth on Kubernetes pod not receiving request

2/17/2022

I've deployed locally a k8s cluster with kind. The firebase emulator runs on a pod inside the cluster and has a ClusterIp Service assigned. When I'm sending a request to kind-firebase.yaml pod from the service.yaml pod, the request fails because connection cannot be established.

the error:

failed to establish a connection:
 Post \"http://firebase-service:9099/identitytoolkit.googleapis.com/v1/projects/demo-test

CONFIGS:

  • firebase.json:
{
  "emulators": {
    "auth": {
      "port": 9099,
      "host": "0.0.0.0"
    },
    "ui": {
      "enabled": true,
      "host": "0.0.0.0",
      "port": 4000
    }
  }
}
  • kind-firebase.yaml:
apiVersion: v1
kind: Namespace
metadata:
  name: firebase-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: firebase-depl
  namespace: firebase-system
spec:
  selector:
    matchLabels:
      app: firebase-emulator
  replicas: 1
  template:
    metadata:
      labels:
        app: firebase-emulator
    spec:
      containers:
      - name: firebase-emulator
        image: fb-emulator
        resources:
          limits:
            cpu: "1000m" # Up to 1 full core
          requests:
            cpu: "1000m" # Use 1 full core
        imagePullPolicy: IfNotPresent
        ports:
        - name: auth
          containerPort: 9099
        - name: emulator-ui
          containerPort: 4000
---
apiVersion: v1
kind: Service
metadata:
  name: firebase-service
  namespace: firebase-system
spec:
  type: ClusterIP
  selector:
    app: firebase-emulator
  ports:
    - name: auth
      port: 9099
      targetPort: auth
    - name: emulator-ui
      port: 4000
      targetPort: emulator-ui
  • service.yaml:

apiVersion: v1
kind: Namespace
metadata:
  name: auth-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: auth-depl
  namespace: auth-system
spec:
  selector:
    matchLabels:
      app: auth
  template:
    metadata:
      labels:
        app: auth
    spec:
      terminationGracePeriodSeconds: 60
      volumes:
      - name: google-cloud-key
        secret:
          secretName: firebase-sacc
      containers:
      # auth-api container configuration
          - name: auth-api
            image: auth-api-image
            volumeMounts:
             - name: google-cloud-key
               mountPath: /var/secrets/google
               readOnly: true
            ports:
            - name: auth-api
              containerPort: 3000
            - name: auth-api-debug
              containerPort: 8080
            readinessProbe: # readiness probes mark the service available to accept traffic.
              httpGet:
                path: /debug/readiness
                port: 8080
              initialDelaySeconds: 15
              periodSeconds: 15
              timeoutSeconds: 5
              successThreshold: 1
              failureThreshold: 2
            livenessProbe: # liveness probes mark the service alive or dead (to be restarted).
              httpGet:
                path: /debug/liveness
                port: 8080
              initialDelaySeconds: 30
              periodSeconds: 30
              timeoutSeconds: 5
              successThreshold: 1
              failureThreshold: 2
            env:
              - name: KUBERNETES_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
              - name: KUBERNETES_PODNAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: KUBERNETES_NAMESPACE_POD_IP
                valueFrom:
                  fieldRef:
                    fieldPath: status.podIP
              - name: KUBERNETES_NODENAME
                valueFrom:
                  fieldRef:
                    fieldPath: spec.nodeName 
              - name: GOOGLE_APPLICATION_CREDENTIALS
                value: /var/secrets/google/sacc.json
              - name: FIREBASE_AUTH_EMULATOR_HOST 
                value: firebase-service:9099
              - name: GCLOUD_PROJECT
                value: demo-test
---
apiVersion: v1
kind: Service
metadata:
  name: auth-service
  namespace: auth-system
spec:
  type: ClusterIP
  selector:
    app: auth
  ports:
  - name: auth-api
    port: 3000
    targetPort: auth-api
  - name: auth-api-debug
    port: 8080
    targetPort: auth-api-debug
  • in the file you'll see these env variables:
- name: FIREBASE_AUTH_EMULATOR_HOST 
  value: firebase-service:9099
- name: GCLOUD_PROJECT
  value: demo-test

by using them, the firebase sdk used inside the app that represent service.yaml, will set the sdk for using the firebase emulator and not the one in the cloud.

Screenshots with the cluster:

  1. Here we can see the namespaces available.
  • In the auth-system the service.yaml pod will be present.
  • In the firebase-system the kind-firebase.yaml pod will be present.

enter image description here

  1. service.yaml pod

enter image description here

  1. kind-firebase.yaml pod

enter image description here

  1. Here we can see the logs inside service.yaml pod when I send a request to the kind-firebase.yaml pod... the error:
failed to establish a connection:
 Post \"http://firebase-service:9099/identitytoolkit.googleapis.com/v1/projects/demo-test

enter image description here

Thx for any help!

-- Robert Mihai
firebase
firebase-tools
kind
kubernetes

1 Answer

2/18/2022

After connecting to the firebase pod and checking DNS Resolution, the service name must be:

firebase-service.firebase-system.svc.cluster.local:9099

So the env variable from kind-firebase.yaml must be:

- name: FIREBASE_AUTH_EMULATOR_HOST 
  value: firebase-service.firebase-system.svc.cluster.local:9099

Everything works fine now.

-- Robert Mihai
Source: StackOverflow