Intro
Yesterday was a painful day because even though the folks who created https://github.com/kubernetes-sigs/aws-load-balancer-controller are great developers, they're really shit at documenting.
I needed to use an ALB because classic ELBs don't support automatic HTTP to HTTPS redirects, and ALBs have a ton more features that I'll use in the future. So in this guide I'll show you how to make your ALB do that automatic redirect.
Getting your cluster ready
So let me guide you through the bs and save you 8+ hours of trial and error and intense research through GitHub issues.
Please keep in mind my Kubernetes version is ~1.15, so I need to use some legacy things. You might need to use some more recent configs.
The subnets
You need to make sure you have at least two subnets set up for your Kubernetes cluster, and these subnets need to be in different availability zones (an ALB requires subnets in at least two zones). Take a look at this for more information, but basically you need to run kops edit cluster
and make sure your subnets look something like this:
subnets:
- cidr: 172.20.32.0/19
  name: us-east-1a
  type: Public
  zone: us-east-1a
- cidr: 172.20.64.0/19
  name: us-east-1b
  type: Public
  zone: us-east-1b
Then run kops update cluster --yes
The extra policies
For aws-load-balancer-controller to run properly, it needs extra IAM permissions attached to your cluster nodes so it can create and configure load balancers for you. Keep in mind that a policy attached to the node role is usable by every pod running on those nodes (through the instance metadata endpoint), not just the controller, so you are granting these ELB/EC2 permissions cluster-wide. To do that, first download this file, which contains the policy document:
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.1.0/docs/install/iam_policy.json
Then create a policy from it:
aws iam create-policy \
  --policy-name AWSLoadBalancerControllerIAMPolicy \
  --policy-document file://iam-policy.json
Take note of the ARN that gets returned. It looks something like arn:aws:iam::123456789000:policy/test-policy (yours will contain your account id and the policy name you chose).
Now go edit your cluster again with kops edit cluster
and attach the policy like so:
spec:
  externalPolicies:
    node:
    - arn:aws:iam::123456789000:policy/test-policy
Now hit it with kops update cluster --yes
Installing dependencies on your cluster
- First you need to install cert-manager, which will allow you to manage certs for the different services and deployments that we'll be doing:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager-legacy.yaml
- Second, install the actual load balancer controller:
wget https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.1.0/docs/install/v2_1_0_full.yaml
Open that file, find the line that says --cluster-name= and change the value to your cluster's name.
Save and run kubectl apply -f v2_1_0_full.yaml
Configuring the ALB
Make sure you have your deployment looking something like this:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: my-app
  name: my-app-deployment
  namespace: dev
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: my-app
  template:
    metadata:
      labels:
        app.kubernetes.io/name: my-app
    spec:
      containers:
      - image: my-app:latest
        imagePullPolicy: Always
        name: my-app
        ports:
        - containerPort: 3000
          name: app-port
          protocol: TCP
      restartPolicy: Always
Now you need a Service of type LoadBalancer (I think this can be a NodePort instead) pointing at this port. Be aware that a LoadBalancer-type Service provisions its own classic ELB in addition to the ALB; the ALB only needs the Service's NodePort to register the nodes as targets:
apiVersion: v1
kind: Service
metadata:
  namespace: dev
  name: my-app-service
spec:
  ports:
  - port: 3000
    targetPort: 3000
    protocol: TCP
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: my-app
And the actual ALB ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/certificate-arn: YOUR-ARN-CERT-HERE
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
  name: my-app-alb
  namespace: dev
spec:
  rules:
  - http:
      paths:
      # the redirect rule must come first: the ALB evaluates listener rules in order,
      # so if the app rule for /* came first it would match every request
      - path: /*
        backend:
          serviceName: ssl-redirect
          servicePort: use-annotation
      - path: /*
        backend:
          serviceName: my-app-service
          servicePort: 3000
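A small pre-apply check for the Ingress above, added here as an example and not part of the original post or of the controller: it parses the annotations and path rules and reports the mistakes that silently break the redirect (placeholder certificate ARN, missing HTTP or HTTPS listener, a redirect action that doesn't point at HTTPS/443, or the redirect rule not being listed first). The sample manifest is the page's Ingress as a Python dict with a made-up ACM ARN in place of YOUR-ARN-CERT-HERE.

```python
import copy
import json

# Constructed sample: the ALB Ingress from this post as a parsed dict, with a
# made-up ACM certificate ARN standing in for YOUR-ARN-CERT-HERE.
SAMPLE_INGRESS = {
    "metadata": {"annotations": {
        "kubernetes.io/ingress.class": "alb",
        "alb.ingress.kubernetes.io/certificate-arn": "arn:aws:acm:us-east-1:123456789000:certificate/EXAMPLE",
        "alb.ingress.kubernetes.io/listen-ports": '[{"HTTP": 80}, {"HTTPS":443}]',
        "alb.ingress.kubernetes.io/actions.ssl-redirect": '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}',
    }},
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/*", "backend": {"serviceName": "ssl-redirect", "servicePort": "use-annotation"}},
        {"path": "/*", "backend": {"serviceName": "my-app-service", "servicePort": 3000}},
    ]}}]},
}
PREFIX = "alb.ingress.kubernetes.io/"

def lint_ssl_redirect(ingress):
    """Return a list of problems; an empty list means the redirect setup is consistent."""
    problems = []
    ann = ingress.get("metadata", {}).get("annotations", {})
    if not ann.get(PREFIX + "certificate-arn", "").startswith("arn:aws:acm:"):
        problems.append("certificate-arn is missing or is not an ACM certificate ARN")
    listeners = {proto for entry in json.loads(ann.get(PREFIX + "listen-ports", "[]")) for proto in entry}
    if listeners != {"HTTP", "HTTPS"}:
        problems.append("listen-ports must declare both an HTTP and an HTTPS listener")
    # actions.<name> annotations, keyed by the name the path rules refer to
    actions = {k[len(PREFIX + "actions."):]: json.loads(v) for k, v in ann.items() if k.startswith(PREFIX + "actions.")}
    paths = [p for rule in ingress["spec"]["rules"] for p in rule["http"]["paths"]]
    for idx, path in enumerate(paths):
        backend = path["backend"]
        if backend.get("servicePort") != "use-annotation":
            continue  # a normal service backend, nothing to validate here
        action = actions.get(backend["serviceName"])
        if action is None:
            problems.append(f"path {idx}: no actions.{backend['serviceName']} annotation")
            continue
        cfg = action.get("RedirectConfig", {})
        if action.get("Type") != "redirect" or cfg.get("Protocol") != "HTTPS" or cfg.get("Port") != "443":
            problems.append(f"path {idx}: action does not redirect to HTTPS on 443")
        if idx != 0:  # the ALB evaluates listener rules in order, so the redirect must be first
            problems.append(f"path {idx}: redirect rule must be listed first, or the app rule shadows it")
    return problems

def with_reversed_paths(ingress):
    """Copy of the Ingress with the two paths swapped, the mistake the lint is meant to catch."""
    out = copy.deepcopy(ingress)
    out["spec"]["rules"][0]["http"]["paths"].reverse()
    return out
```

To check a real manifest, load it with a YAML parser into the same dict shape and pass it to lint_ssl_redirect before running kubectl apply.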
That's it! Run kubectl -n dev get ingress, open the address it shows, and check that a plain http:// request comes back as a 301 to https://. Enjoy it!