Exposing grpc Frontend via ALB

thomson2708 · June 17, 2022, 4:06pm

Hi There

Currently in the process of deploying out a temporal environment and have hit a roadblock in terms of how to successfully expose the Frontend service. With the service showing as available from the LB but unable to connect using grpcurl.

Current configuration :

DNS Name and ALB are provisioned externally via terraform
Terraform deploys the Temporal Helm chart with configuration setup to expose the Frontend service to a defined Nodeport
preconfigured Loadbalancer connects to the TG over 443 and from then the target group sends traffic onto the given Nodeport
Health Check is passing on the LB when testing on endpoint /grpc.health.v1.Health/Check"

Using the following config to setup the targetgroup mapping with the Node Port

{{ if .Values.server.enabled }}
apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: {{ include "temporal.componentname" (list . "frontend") }}
spec:
  serviceRef:
    name: {{ include "temporal.componentname" (list . "frontend") }}
    port: {{ .Values.server.frontend.service.port }}
  targetGroupARN: {{ .Values.server.frontend.service.targetGroupARN }}
{{- end }}

grpcurl -vv temporal-frontend.domain.net:443 list
Failed to list services: rpc error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway)

Any help is appreciated !

thomson2708 · June 17, 2022, 4:11pm

grpcurl -plaintext 127.0.0.1:7233 list
grpc.health.v1.Health
grpc.reflection.v1alpha.ServerReflection
temporal.api.operatorservice.v1.OperatorService
temporal.api.workflowservice.v1.WorkflowService
temporal.server.api.adminservice.v1.AdminServ

Local port forwarding works

tihomir · June 17, 2022, 5:18pm

To health check Temporal services you can use grpc-health-probe, for example:

Frontend:
./grpc-health-probe -addr=ADDRESS:PORT -service=temporal.api.workflowservice.v1.WorkflowService

(you can also use cli for this):
tctl --address localhost:7233 cluster health

Matching service:
./grpc-health-probe -addr=ADDRESS:PORT -service=temporal.api.workflowservice.v1.MatchingService

History service:
./grpc-health-probe -addr=ADDRESS:PORT -service=temporal.api.workflowservice.v1.HistoryService

Worker service does not currently expose a health check endpoint.

For LB, do you have SSL pass through enabled? Not AWS expert but it should be able to receive gRPC requests and forward them to your frontend service(s) (7233 default port).

thomson2708 · June 20, 2022, 8:47am

Looks like ALB doesnt support SSL pass through.

Testing out creating a NLB for the frontend traffic.

thomson2708 · June 20, 2022, 1:56pm

Changed to using a NLB with TCP to go via

nlb:7233 > Allocated K8s: frontend:nodeport > frontend:7233

This allowed the connection through for the POC.

Up next is trying to setup mTLS for the frontend

Topic		Replies	Views
Get ingress working for frontend gRPC service Community Support	1	216	September 13, 2024
Expose temporal frontend route outside cluster Server Deployment	1	43	September 23, 2024
Deploying in AWS - healthchecks Community Support aws	12	5805	September 4, 2024
Health Check / Ping Temporal Frontend via grpcurl Community Support healthcheck	2	1481	July 31, 2021
Temporal cli cannot connect to frontend service via Ingress Server Deployment cli , kubernetes	3	1598	July 3, 2023

Exposing grpc Frontend via ALB

Related topics