
Architecture solution for full-stack deployment

Hi all, this is my first post here.

Currently, I have an application which I plan to deploy to Google K8. I am halfway there but am facing a blocker at the moment.

Below is what I have done so far.

  1. Created a cluster.
  2. Created 2 workloads for my front-end (React) and back-end (Node.js).
     1. This is deployed through Artifact.
  3. For the backend, I've created an External load balancer service to expose my backend IP address.
  4. For the front-end, I've exposed a static IP with SSL with the config below:
     1. Created a NodePort service.
     2. Created an Ingress to handle the Google-managed cert.
     3. Used Cloud DNS to use a custom domain for my IP.

Everything runs fine at the moment; the only problem I face now is that when the client side tries to request the API, CORS gives me a mixed content error (since my back-end is not secured).

The question is how I can structure this setup a little better to avoid this issue, or maybe there is actually a specific solution for this. I am very new to all of this and welcome any suggestions and comments.

Thanks

9 REPLIES 9

You should not expose your backend behind an external LoadBalancer. You can use a Service of type ClusterIP to expose the backend and the frontend will be able to reach it from inside the cluster without going through a public LB.

Hi, thanks for the reply.

OK sure, I will try to explore that option, but the only problem with that is, my backend will be consumed by my mobile app as well, so I guess it still needs to be exposed?

Aha, didn't know you have a mobile app as well.

In that case I would expose the backend behind an Ingress with Google Managed certificates (same way you did for the frontend). You will have two possible flows:

Mobile app -> Backend via Ingress and SSL

Client -> Frontend via Ingress -> Backend via ClusterIP

When you create a Service in Kubernetes there is always a ClusterIP associated with the service; you can make the frontend call the backend via the internal ClusterIP instead of going via a public LoadBalancer. The internal DNS of Kubernetes looks something like service_name.namespace.svc.cluster.local

Hope this makes sense
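
The layout from the reply above written out as GKE manifests, as an added example that is not part of the original thread. The resource names, the default namespace, container port 3000, the reserved address name backend-ip and the domain backend.mycompany.com are assumptions, and the NEG annotation assumes a VPC-native cluster.

```yaml
# Added example; every name, port and domain below is a placeholder.
# Backend Service: ClusterIP only, so no public LoadBalancer IP is created.
apiVersion: v1
kind: Service
metadata:
  name: backend
  namespace: default
  annotations:
    # Container-native load balancing lets a GKE Ingress target a ClusterIP Service.
    cloud.google.com/neg: '{"ingress": true}'
spec:
  type: ClusterIP
  selector:
    app: backend
  ports:
    - port: 80
      targetPort: 3000   # assumed Node.js listen port
---
# Google-managed certificate for the backend hostname.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: backend-cert
  namespace: default
spec:
  domains:
    - backend.mycompany.com
---
# Ingress that terminates TLS for the mobile app flow.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: backend-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.global-static-ip-name: backend-ip   # reserved global address (assumed name)
    networking.gke.io/managed-certificates: backend-cert
    kubernetes.io/ingress.allow-http: "false"   # serve HTTPS only, no plain-HTTP listener
spec:
  defaultBackend:
    service:
      name: backend
      port:
        number: 80
```

The name backend.default.svc.cluster.local resolves only from pods inside the cluster, so code running in the browser still has to call the HTTPS hostname unless the frontend pod proxies API requests to the Service.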

Cool, I've checked the solution provided and it looks like a possible solution for me. The only thing where I might face a problem is that in order to use a Google Managed Cert with my back-end, I will need another domain.

I am thinking it might be possible to use the same domain name used for my front-end (through a sub-domain), but I need to figure out how to do so. Anyway, thanks for the suggestion, it really helps me a lot.

You cannot use the same domain for both backend and frontend, but you can use the suffix part and have two different prefixes for the two load balancers. If your domain is mycompany.com you can have frontend.mycompany.com and backend.mycompany.com

OK cool, I understand that the same domain cannot be used for that purpose, but I don't know why, for example, my front-end using 'mydomain.com' and my back-end using 'backend.mydomain.com' is not possible?

That's possible

Ahh ok thanks

Sorry, this might not be related, but how do I join the Slack channel?
