feat: expose Elasticsearch through GCP Internal LB, backend keep using https, but frontend on http and port 80 due to service limitations

bindiego · bindiego · commit 9f2d5cb180e7 · 2025-07-26T10:21:36.000+08:00
diff --git a/bin/demo.sh b/bin/demo.sh
@@ -53,9 +53,28 @@ __create_gke() {
         --max-unavailable-upgrade 0 \
         --enable-autorepair
 
+    __init_internal_loadbalancer
     __init $@
 }
 
+__init_internal_loadbalancer() {
+    # GCE internal load balancer requires a
+    # proxy-only subnet in the same region and VPC
+
+    # IMPORTANT: this IPv4 is ONLY for GCP default us-central1, you need to update the range
+    # to match your desired subnet settings
+    # Check if proxy-only subnet already exists, L7 LB only
+    if ! gcloud compute networks subnets describe proxy-only-subnet \
+        --region=$region --network=default >/dev/null 2>&1; then
+        echo "Creating proxy-only subnet for internal load balancer..."
+        gcloud compute networks subnets create proxy-only-subnet \
+            --purpose=REGIONAL_MANAGED_PROXY --role=ACTIVE --region=$region \
+            --network=default --range=10.120.0.0/23
+    else
+        echo "proxy-only-subnet already exists, skipping creation."
+    fi
+}
+
 # setup the deployment enviroment for Elastic Stack
 __init() {
     # Set kubectl to target the created cluster
@@ -144,6 +163,7 @@ __password_reset() {
 __status() {
     passwd=$(__password)
     lb_ip=`kubectl get services ${es_cluster_name}-es-http -o jsonpath='{.status.loadBalancer.ingress[0].ip}'`
+    ilb_ip=`kubectl get ingress ${es_cluster_name}-es-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}'`
 
     kbn_ip=`kubectl get service dingo-demo-kbn-kb-http -o jsonpath='{.status.loadBalancer.ingress[0].ip}'`
     kbn_port=5601
@@ -152,11 +172,13 @@ __status() {
     echo; echo "================================="; echo
     echo "Elasticsearch status: "
     curl -u "elastic:$passwd" -k "https://$lb_ip:9200"
+    curl -u "elastic:$passwd" "http://$ilb_ip"
 
     echo; echo "---------------------------------"; echo
 
-    echo "Kibana: " ${kbn_url}
-    echo "Elasticsearch: " "https://$lb_ip:9200"
+    echo "Kibana public address: " ${kbn_url}
+    echo "Elasticsearch public address: " "https://$lb_ip:9200"
+    echo "Elasticsearch internal address: " "http://$ilb_ip"
     echo "Username: " elastic
     echo "Password: " ${passwd}
     echo "================================="; echo
diff --git a/templates/es.demo.yml b/templates/es.demo.yml
@@ -6,8 +6,20 @@ spec:
     version: 8.18.3
     http:
         service:
+            metadata:
+                annotations:
+                    cloud.google.com/app-protocols: '{"https":"HTTPS"}'
+                    cloud.google.com/neg: '{"ingress": true}'
+                    cloud.google.com/backend-config: '{"ports": {"9200":"dingo-demo-es-backendconfig"}}'
             spec:
-                type: LoadBalancer
+                #type: LoadBalancer
+                #type: NodePort
+                type: ClusterIP
+                ports:
+                    - name: https
+                      port: 9200
+                      protocol: TCP
+                      targetPort: 9200
     secureSettings:
         - secretName: gcs-credentials
     nodeSets:
@@ -23,6 +35,7 @@ spec:
               node.attr.zone: us-central1-a
               #node.remote_cluster_client: true
               xpack.security.authc.anonymous.roles: monitoring_user
+              xpack.security.authc.anonymous.authz_exception: false
           volumeClaimTemplates:
               - metadata:
                     name: elasticsearch-data
@@ -96,3 +109,43 @@ spec:
                                         matchLabels:
                                             elasticsearch.k8s.elastic.co/cluster-name: dingo-demo
                                     topologyKey: kubernetes.io/hostname
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    name: dingo-demo-es-ingress
+    annotations:
+        kubernetes.io/ingress.allow-http: "true"
+        kubernetes.io/ingress.class: "gce-internal"
+spec:
+    rules:
+        - http:
+              paths:
+                  - path: /
+                    pathType: Prefix
+                    backend:
+                        service:
+                            name: dingo-demo-es-http
+                            port:
+                                number: 9200
+
+---
+apiVersion: cloud.google.com/v1
+kind: BackendConfig
+metadata:
+    name: dingo-demo-es-backendconfig
+spec:
+    healthCheck:
+        type: HTTPS
+        port: 9200
+        requestPath: /
+        checkIntervalSec: 15
+        timeoutSec: 10
+        healthyThreshold: 1
+        unhealthyThreshold: 10
+    sessionAffinity:
+        affinityType: "CLIENT_IP"
+    timeoutSec: 60
+    connectionDraining:
+        drainingTimeoutSec: 300
