From 22fa051002d5afddd27d06ad5cb9a11bbf9fbfb2 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Tue, 7 Nov 2017 21:56:50 -0800
Subject: [PATCH] Switch Ingress ELB to a network load balancer

* Require terraform-provider-aws 1.7 or higher
---
 aws/container-linux/kubernetes/ingress.tf | 96 +++++++++++++++++------
 aws/container-linux/kubernetes/outputs.tf | 4 +-
 aws/container-linux/kubernetes/require.tf | 2 +-
 aws/container-linux/kubernetes/workers.tf | 29 ++++---
 4 files changed, 92 insertions(+), 39 deletions(-)

diff --git a/aws/container-linux/kubernetes/ingress.tf b/aws/container-linux/kubernetes/ingress.tf
index ae42f390..832748b0 100644
--- a/aws/container-linux/kubernetes/ingress.tf
+++ b/aws/container-linux/kubernetes/ingress.tf
@@ -1,32 +1,80 @@
-# Ingress Network Load Balancer
-resource "aws_elb" "ingress" {
- name = "${var.cluster_name}-ingress"
- subnets = ["${aws_subnet.public.*.id}"]
- security_groups = ["${aws_security_group.worker.id}"]
+# Network Load Balancer for Ingress
+resource "aws_lb" "ingress" {
+ name = "${var.cluster_name}-ingress"
+ load_balancer_type = "network"
+ internal = false
 
- listener {
- lb_port = 80
- lb_protocol = "tcp"
- instance_port = 80
- instance_protocol = "tcp"
- }
+ subnets = ["${aws_subnet.public.*.id}"]
+}
 
- listener {
- lb_port = 443
- lb_protocol = "tcp"
- instance_port = 443
- instance_protocol = "tcp"
+# Forward HTTP traffic to instances
+resource "aws_lb_listener" "ingress-http" {
+ load_balancer_arn = "${aws_lb.ingress.arn}"
+ protocol = "TCP"
+ port = 80
+
+ default_action {
+ type = "forward"
+ target_group_arn = "${aws_lb_target_group.workers-http.arn}"
 }
+}
+
+# Forward HTTPS traffic to instances
+resource "aws_lb_listener" "ingress-https" {
+ load_balancer_arn = "${aws_lb.ingress.arn}"
+ protocol = "TCP"
+ port = 443
+
+ default_action {
+ type = "forward"
+ target_group_arn = "${aws_lb_target_group.workers-https.arn}"
+ }
+}
+
+# Network Load Balancer target groups of instances
+
+resource "aws_lb_target_group" "workers-http" {
+ name = "${var.cluster_name}-workers-http"
+ vpc_id = "${aws_vpc.network.id}"
+ target_type = "instance"
+
+ protocol = "TCP"
+ port = 80
 
 # Ingress Controller HTTP health check
 health_check {
- target = "HTTP:10254/healthz"
- healthy_threshold = 2
- unhealthy_threshold = 4
- timeout = 5
- interval = 6
- }
+ protocol = "HTTP"
+ port = 10254
+ path = "/healthz"
 
- connection_draining = true
- connection_draining_timeout = 300
+ # NLBs required to use same healthy and unhealthy thresholds
+ healthy_threshold = 3
+ unhealthy_threshold = 3
+
+ # Interval between health checks required to be 10 or 30
+ interval = 10
+ }
+}
+
+resource "aws_lb_target_group" "workers-https" {
+ name = "${var.cluster_name}-workers-https"
+ vpc_id = "${aws_vpc.network.id}"
+ target_type = "instance"
+
+ protocol = "TCP"
+ port = 443
+
+ # Ingress Controller HTTP health check
+ health_check {
+ protocol = "HTTP"
+ port = 10254
+ path = "/healthz"
+
+ # NLBs required to use same healthy and unhealthy thresholds
+ healthy_threshold = 3
+ unhealthy_threshold = 3
+
+ # Interval between health checks required to be 10 or 30
+ interval = 10
+ }
 }
diff --git a/aws/container-linux/kubernetes/outputs.tf b/aws/container-linux/kubernetes/outputs.tf
index d38c13c0..1b9f8429 100644
--- a/aws/container-linux/kubernetes/outputs.tf
+++ b/aws/container-linux/kubernetes/outputs.tf
@@ -1,4 +1,4 @@
 output "ingress_dns_name" {
- value = "${aws_elb.ingress.dns_name}"
- description = "DNS name of the ELB for distributing traffic to Ingress controllers"
+ value = "${aws_lb.ingress.dns_name}"
+ description = "DNS name of the network load balancer for distributing traffic to Ingress controllers"
 }
diff --git a/aws/container-linux/kubernetes/require.tf b/aws/container-linux/kubernetes/require.tf
index de8d88af..868c055b 100644
--- a/aws/container-linux/kubernetes/require.tf
+++ b/aws/container-linux/kubernetes/require.tf
@@ -5,7 +5,7 @@ terraform {
 }
 
 provider "aws" {
- version = "~> 1.0"
+ version = "~> 1.7"
 }
 
 provider "local" {
diff --git a/aws/container-linux/kubernetes/workers.tf b/aws/container-linux/kubernetes/workers.tf
index 148f864d..49ab684d 100644
--- a/aws/container-linux/kubernetes/workers.tf
+++ b/aws/container-linux/kubernetes/workers.tf
@@ -1,7 +1,6 @@
 # Workers AutoScaling Group
 resource "aws_autoscaling_group" "workers" {
- name = "${var.cluster_name}-worker ${aws_launch_configuration.worker.name}"
- load_balancers = ["${aws_elb.ingress.id}"]
+ name = "${var.cluster_name}-worker ${aws_launch_configuration.worker.name}"
 
 # count
 desired_capacity = "${var.worker_count}"
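Review bot: The NLB created here carries no security group and hands connections to the workers with the client's source address intact, so the `security_groups = ["${aws_security_group.worker.id}"]` that the removed `aws_elb` had has no counterpart, and ports 80 and 443 on the worker security group must now admit the clients themselves rather than a load balancer that was a member of the group. The workers.tf part of this commit makes exactly that change for the health-check port 10254 but does not touch any 80/443 rule; if those rules still use `self = true` they need the same treatment, otherwise the listeners will accept connections that then stall. The dropped `connection_draining_timeout = 300` is also not replaced; NLB target groups drain via `deregistration_delay`, whose default I believe is likewise 300 seconds, so adding `deregistration_delay = 300` to both target groups keeps the old behaviour explicit rather than implied. A one-line comment on the second `health_check` block, such as `# same status endpoint as the HTTP group; the controller's health is not TLS-specific`, would explain to a reader why the HTTPS target group probes plain HTTP on 10254.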
@@ -16,6 +15,12 @@ resource "aws_autoscaling_group" "workers" {
 # template
 launch_configuration = "${aws_launch_configuration.worker.name}"
 
+ # target groups to which instances should be added
+ target_group_arns = [
+ "${aws_lb_target_group.workers-http.id}",
+ "${aws_lb_target_group.workers-https.id}",
+ ]
+
 lifecycle {
 # override the default destroy and replace update behavior
 create_before_destroy = true
@@ -153,6 +158,16 @@ resource "aws_security_group_rule" "worker-node-exporter" {
 self = true
 }
 
+resource "aws_security_group_rule" "ingress-health" {
+ security_group_id = "${aws_security_group.worker.id}"
+
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 10254
+ to_port = 10254
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
 resource "aws_security_group_rule" "worker-kubelet" {
 security_group_id = "${aws_security_group.worker.id}"
 
@@ -193,16 +208,6 @@ resource "aws_security_group_rule" "worker-kubelet-read-self" {
 self = true
 }
 
-resource "aws_security_group_rule" "ingress-health-self" {
- security_group_id = "${aws_security_group.worker.id}"
-
- type = "ingress"
- protocol = "tcp"
- from_port = 10254
- to_port = 10254
- self = true
-}
-
 resource "aws_security_group_rule" "worker-bgp" {
 security_group_id = "${aws_security_group.worker.id}"
 
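Review bot: `target_group_arns` is filled from `aws_lb_target_group.workers-http.id` and `workers-https.id`, while the listeners in ingress.tf reference the same two resources through `.arn`. As far as I know the `id` of an `aws_lb_target_group` is its ARN, so this resolves correctly, but reading `.arn` here too names the attribute the argument actually expects and keeps the two files consistent; the two lines would become `"${aws_lb_target_group.workers-http.arn}",` and `"${aws_lb_target_group.workers-https.arn}",`. The enclosing `aws_autoscaling_group` block begins and ends outside the hunk.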
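Review bot: The new `ingress-health` rule opens TCP 10254 on every worker to `0.0.0.0/0`, so the ingress controller's status endpoint becomes reachable from the whole internet, whereas the rule it replaces (`ingress-health-self`, deleted further down in this file) admitted only the worker group itself. NLB health checks originate from the load balancer's private addresses inside the VPC, not from public space, so the rule can be limited to the VPC range, `cidr_blocks = ["${aws_vpc.network.cidr_block}"]`, with a comment such as `# NLB health checks arrive from the load balancer's VPC-internal addresses, not from the internet` explaining why it is wider than `self` but narrower than everything. If the controller's status port also serves metrics or other diagnostics, as some ingress controllers do on that port, those would otherwise be readable by anyone; I have not seen which controller this cluster runs, so confirm that against the worker configuration.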