Expose EPP and WHOIS endpoints on reginal load balancers (#2627)

k8s does not have a way to expose a global load balancer with TCP endpoints, and setting up node port-based routing is a chore, even with Terraform (which is what we did with the standalone proxy). We will use Cloud DNS's geolocation routing policy to ensure that clients connect to the endpoint closest to them.
2026-01-03 11:45:39 +00:00 · 2024-12-26 10:25:02 -05:00
parent d130e74004
commit 7641b05f12
5 changed files with 210 additions and 12 deletions
--- a/jetty/kubernetes/nomulus-frontend.yaml
+++ b/jetty/kubernetes/nomulus-frontend.yaml
@@ -33,7 +33,7 @@ spec:
              fieldPath: metadata.namespace
        - name: CONTAINER_NAME
          value: frontend
-      - name: PROXY_NAME
+      - name: EPP
        image: gcr.io/GCP_PROJECT/proxy
        ports:
        - containerPort: 30002
@@ -52,7 +52,7 @@ spec:
            fieldRef:
              fieldPath: metadata.namespace
        - name: CONTAINER_NAME
-          value: PROXY_NAME
+          value: EPP
 ---
 # Only need to define the service account once per cluster.
 apiVersion: v1
@@ -92,9 +92,26 @@ spec:
    - port: 80
      targetPort: http
      name: http
-    - port: 700
-      targetPort: epp
-      name: epp
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: EPP
+  annotations:
+    cloud.google.com/l4-rbs: enabled
+    networking.gke.io/weighted-load-balancing: pods-per-node
+spec:
+  type: LoadBalancer
+  # Traffic is directly delivered to a node, preserving the original source IP.
+  externalTrafficPolicy: Local
+  ipFamilies: [IPv4, IPv6]
+  ipFamilyPolicy: RequireDualStack
+  selector:
+    service: frontend
+  ports:
+  - port: 700
+    targetPort: epp
+    name: epp
 ---
 apiVersion: net.gke.io/v1
 kind: ServiceExport
--- a/jetty/kubernetes/nomulus-pubapi.yaml
+++ b/jetty/kubernetes/nomulus-pubapi.yaml
@@ -33,7 +33,7 @@ spec:
              fieldPath: metadata.namespace
        - name: CONTAINER_NAME
          value: pubapi
-      - name: PROXY_NAME
+      - name: WHOIS
        image: gcr.io/GCP_PROJECT/proxy
        ports:
        - containerPort: 30001
@@ -52,7 +52,7 @@ spec:
            fieldRef:
              fieldPath: metadata.namespace
        - name: CONTAINER_NAME
-          value: PROXY_NAME
+          value: WHOIS
 ---
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
@@ -84,9 +84,26 @@ spec:
    - port: 80
      targetPort: http
      name: http
-    - port: 43
-      targetPort: whois
-      name: whois
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: WHOIS
+  annotations:
+    cloud.google.com/l4-rbs: enabled
+    networking.gke.io/weighted-load-balancing: pods-per-node
+spec:
+  type: LoadBalancer
+  # Traffic is directly delivered to a node, preserving the original source IP.
+  externalTrafficPolicy: Local
+  ipFamilies: [IPv4, IPv6]
+  ipFamilyPolicy: RequireDualStack
+  selector:
+    service: pubapi
+  ports:
+  - port: 43
+    targetPort: whois
+    name: whois
 ---
 apiVersion: net.gke.io/v1
 kind: ServiceExport