GKE + HTTPS LB... create via Ingress or create HTTPS LB first then add GKE workloads as backends?

I am trying to determine whether the streamlined creation via k8s YAML (Ingress object) is the best way vs. a custom bottom-up approach through other means such as Terraform.

For one, it seems like health check options are very rigid through the streamlined way (health check override via BackendConfig is in the works, but I'd assume it's not available yet), and the 1 Ingress to 1 GCLB ratio seems weird.

And I'd feel more comfortable not tying the lifecycle of the GCLB to the Ingress object; the flexibility to do multi-cluster things down the line is nice too. (Ingress for Anthos sounds great, but I think "for Anthos" will require some subscription of sorts.)

The custom approach's biggest downside is having to add the instance groups as backends, IMHO.
Somehow the streamlined way creates these nice unmanaged instance groups: k8s-ig-...

In GKE, a Service of type LoadBalancer is only L4. Thus there's no HTTP or, more especially, HTTPS. You need to have a layer on top of the L4 load balancer for HTTP(S); thus, you can:

  • park a sidecar web server container to handle the TLS, then pass the traffic on to the application container
  • have an ancillary service standing in front of the container, passing the appropriate traffic to the desired service
  • utilize an ingress such as the default one, ingress-nginx, or another ingress solution. Note that you cannot use the Google SAN cert if you do not use the default ingress, as other ingresses may go through the LB (which doesn't support the L7 needed for TLS)
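For the "default ingress" option above and the health check concern in the original question, here is an added example manifest (not from this thread or from Google's docs) showing the streamlined path with the knobs a security engineer usually wants set: a BackendConfig that overrides the load balancer health check, a FrontendConfig that forces HTTPS and pins an SSL policy, a Google-managed certificate, and the NEG annotation so pods are attached as endpoints instead of the k8s-ig-... instance groups. The namespace `web`, app `hello`, domain `hello.example.com`, reserved global IP `hello-ip`, health path `/healthz` and SSL policy `hello-tls12-modern` are all assumed placeholders, and the BackendConfig `healthCheck` and FrontendConfig kinds require a GKE version that supports them.

```yaml
# Added example, not from the thread. All names below are assumed placeholders.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: hello-backendconfig
  namespace: web
spec:
  # Override the default "/" health check so the LB only marks pods healthy
  # when the app's own readiness path answers on the container port.
  healthCheck:
    checkIntervalSec: 15
    timeoutSec: 5
    healthyThreshold: 1
    unhealthyThreshold: 2
    type: HTTP
    requestPath: /healthz
    port: 8080          # container port when NEGs are used
  # Keep LB request logs for incident investigation.
  logging:
    enable: true
    sampleRate: 1.0
---
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: hello-frontendconfig
  namespace: web
spec:
  # Redirect every plaintext request to HTTPS at the load balancer.
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT
  # Assumed pre-created Compute Engine SSL policy (e.g. TLS 1.2+, MODERN profile).
  sslPolicy: hello-tls12-modern
---
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: hello-cert
  namespace: web
spec:
  domains:
    - hello.example.com
---
apiVersion: v1
kind: Service
metadata:
  name: hello
  namespace: web
  annotations:
    # Container-native LB: pod IPs become NEG endpoints, so no k8s-ig-...
    # unmanaged instance groups are created for this Service.
    cloud.google.com/neg: '{"ingress": true}'
    # Attach the BackendConfig to this Service's "http" port.
    cloud.google.com/backend-config: '{"ports": {"http": "hello-backendconfig"}}'
spec:
  type: ClusterIP
  selector:
    app: hello
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello
  namespace: web
  annotations:
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.global-static-ip-name: hello-ip
    networking.gke.io/managed-certificates: hello-cert
    networking.gke.io/v1beta1.FrontendConfig: hello-frontendconfig
spec:
  rules:
    - host: hello.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: hello
                port:
                  name: http
```

Apply with `kubectl apply -f` and then verify the resulting Compute resources: the backend service's health check should show `requestPath: /healthz` on port 8080, the HTTPS proxy should reference the `hello-tls12-modern` policy, and a plain `curl -I http://hello.example.com/` should return a 301 to HTTPS. The GCLB's lifecycle is still tied to the Ingress object in this model, which is the trade-off the question raises; what this approach buys is that the health check, TLS policy and redirect are declared next to the workload instead of in a separate Terraform state.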