堆栈内存溢出
  繁体   English   中英

这是否可以将 kubernetes 入口 ALB 与 terraform 托管 alb/路由 53 连接,同时在同一个 dns 名称上提供请求?

[英]Is this possible to connect kubernetes ingress ALB with terraform managed alb/route 53 while serving requests on same dns name?

 原文  2021-02-25 11:30:39       amazon-web-services/ aws-lambda/ terraform/ amazon-route53/ aws-application-load-balancer

问题描述

我在 AWS 中有一个具有不同 lambda 的设置 - 全部由 terraform 管理。 现在,只有像https://example.com/homehttps://example.com/blog这样的路径请求使用 route53 记录和具有不同规则的 ALB 转发到不同的 AWS lambda - 这是 /home/ 路径的示例:

resource "aws_route53_record" "dns-record" {
  name    = "example.com"
  zone_id = var.zone_id
  type    = "CNAME"
  ttl     = "300"
  records = [aws_lb.alb.dns_name]
}

resource "aws_lb" "alb" {
  name               = "my-alb..."
........
}

resource "aws_lb_listener" "alb-in-443" {
  load_balancer_arn = aws_lb.alb.arn
  port              = "443"
  protocol          = "HTTPS"
........
  default_action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "Fixed response content"
      status_code  = "200"
    }
}

resource "aws_lb_listener_rule" "home-in-443" {
  listener_arn = aws_lb_listener.alb-in-443.arn
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.home-alb-tg.arn
  }

  condition {
    path_pattern {
      values = ["/home/*"]
    }
  }
}

resource "aws_lb_target_group" "home-alb-tg" {
  name        = "home-alb-tg-lambda"
  target_type = "lambda"
  vpc_id      = data.aws_vpc.vpc.id
}

resource "aws_lambda_permission" "home-lb-lambda-permission" {
......
}

resource "aws_lb_target_group_attachment" "home-alb-tg-attachment" {
.....
}

到目前为止一切正常,但现在我需要添加 AWS EKS 集群并将所有请求转发到https://example.com到 EKS - 同时继续使用 AWS Z945F3FC449518A73B9F5F32868CDBDBDB86 为 /home 或 /blog 提供服务。 我可以使用AWS 负载均衡器 controller创建另一个 ALB,然后使用我的服务前面的此类 Ingress 资源转发请求,配置如下:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress-service
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
  labels:
    app: my-app
spec:
  rules:
  - host: "example.com"
    http:
      paths:
        - path: /*
          backend:
            serviceName: my-service
            servicePort: 80

但是这个 ALB 将与 route53 分离,此外,这样的路径将与上述 terraform 负载均衡器规则中定义的路径冲突。 另一方面,我可以在上面的入口配置中为所有路径(/home、/blog 等)定义所有条件 - 但我无法将它们与 lambdas 绑定。

所以,问题是 - 这样的设置是否可以从 EKS 提供主要的 url 以及带有 lambda 的不同路径? 也许这可以通过 aws cloudfront 以某种方式完成?

1 个解决方案

解决方案1
 0  2021-02-26 15:28:10

好吧,这似乎在 Cloudfront 技术上是可行的 - 这是我使用的配置。 我创建了 2 个不同的来源 - 一个指向来自 k8s ALB 的 dns 名称,另一个指向来自使用 terraform 创建的 ALB 的 dns 名称。 这是配置:

data "aws_lb" "eks-lb" {
  name = "k8s-default-appservi-3f93453"  -- we need to get alb name created in k8s - this doesn't look good but we can't specify alb name right now
}

resource "aws_cloudfront_distribution" "my-distribution" {

  enabled         = true
  is_ipv6_enabled = true
  aliases = "example.com"

  origin {
    domain_name = data.aws_lb.eks-lb.dns_name  - use DNS name from eks alb here
    origin_id   = "my-app"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  origin {
    domain_name = aws_lb.alb.dns_name   - use DNS name from "alb" lb created in terraform above 
    origin_id   = "home"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "my-app"

    forwarded_values {
      headers = [ "Host" , "Origin"]
      query_string = true
      cookies {
        forward = "all"
      }
    }

    min_ttl                = 0
    default_ttl            = 0
    max_ttl                = 0
    viewer_protocol_policy = "redirect-to-https"
  }

  ordered_cache_behavior {
    path_pattern     = "/home/*"
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "home"

    forwarded_values {
      headers = [ "Host", "Origin" ]
      query_string = true
      cookies {
        forward = "all"
      }
    }

    min_ttl                = 0
    default_ttl            = 0
    max_ttl                = 0
    viewer_protocol_policy = "redirect-to-https"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn = "cert.arn"
    ssl_support_method  = "sni-only"
  }
}

But I don't like this solution because k8s ALB dns name should be hardcoded and also we have aws resources (ALB and target group) which are not managed by Terraform and which stayed in account even after I deleted both aws load balancer controller and ingress服务( github 问题)。 因此,也许更好的解决方案是将 AWS 负载均衡器 controller 更改为之前带有 NLB 的 ingress-nginx,并使用 external-dns 创建 dns 记录,该记录将用于云端配置。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 为aws-alb-ingress-controller设置ALB的DNS名称 Terraform 拨 tcp dns 使用 EKS 集群创建 AWS ALB 入口时出错 AWS Route 53 到由 AWS 负载均衡器控制器管理的 ALB 如何使用 kubernetes_ingress terraform 资源创建 AWS ALB? 无法在 Terraform 中创建 AWS ALB kubernetes 入口 controller 从 ALB 到 ALB 的 ROUTE53 故障转移不起作用 外部 DNS + 入口 Nginx + AWS ALB Kubernetes,ALB:没有通过入口服务创建 ALB 将 alb 支持的子域添加到路由 53 ALB Ingress Kubernetes 安全组注释不起作用
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM