Switch Ingress ELB to a network load balancer
* Require terraform-provider-aws 1.7 or higher
This commit is contained in:
parent
c8313751d7
commit
22fa051002
|
@ -1,32 +1,80 @@
|
||||||
# Ingress Network Load Balancer
|
# Network Load Balancer for Ingress
|
||||||
resource "aws_elb" "ingress" {
|
resource "aws_lb" "ingress" {
|
||||||
name = "${var.cluster_name}-ingress"
|
name = "${var.cluster_name}-ingress"
|
||||||
|
load_balancer_type = "network"
|
||||||
|
internal = false
|
||||||
|
|
||||||
subnets = ["${aws_subnet.public.*.id}"]
|
subnets = ["${aws_subnet.public.*.id}"]
|
||||||
security_groups = ["${aws_security_group.worker.id}"]
|
|
||||||
|
|
||||||
listener {
|
|
||||||
lb_port = 80
|
|
||||||
lb_protocol = "tcp"
|
|
||||||
instance_port = 80
|
|
||||||
instance_protocol = "tcp"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
listener {
|
# Forward HTTP traffic to instances
|
||||||
lb_port = 443
|
resource "aws_lb_listener" "ingress-http" {
|
||||||
lb_protocol = "tcp"
|
load_balancer_arn = "${aws_lb.ingress.arn}"
|
||||||
instance_port = 443
|
protocol = "TCP"
|
||||||
instance_protocol = "tcp"
|
port = 80
|
||||||
|
|
||||||
|
default_action {
|
||||||
|
type = "forward"
|
||||||
|
target_group_arn = "${aws_lb_target_group.workers-http.arn}"
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Forward HTTPS traffic to instances
|
||||||
|
resource "aws_lb_listener" "ingress-https" {
|
||||||
|
load_balancer_arn = "${aws_lb.ingress.arn}"
|
||||||
|
protocol = "TCP"
|
||||||
|
port = 443
|
||||||
|
|
||||||
|
default_action {
|
||||||
|
type = "forward"
|
||||||
|
target_group_arn = "${aws_lb_target_group.workers-https.arn}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Network Load Balancer target groups of instances
|
||||||
|
|
||||||
|
resource "aws_lb_target_group" "workers-http" {
|
||||||
|
name = "${var.cluster_name}-workers-http"
|
||||||
|
vpc_id = "${aws_vpc.network.id}"
|
||||||
|
target_type = "instance"
|
||||||
|
|
||||||
|
protocol = "TCP"
|
||||||
|
port = 80
|
||||||
|
|
||||||
# Ingress Controller HTTP health check
|
# Ingress Controller HTTP health check
|
||||||
health_check {
|
health_check {
|
||||||
target = "HTTP:10254/healthz"
|
protocol = "HTTP"
|
||||||
healthy_threshold = 2
|
port = 10254
|
||||||
unhealthy_threshold = 4
|
path = "/healthz"
|
||||||
timeout = 5
|
|
||||||
interval = 6
|
# NLBs required to use same healthy and unhealthy thresholds
|
||||||
|
healthy_threshold = 3
|
||||||
|
unhealthy_threshold = 3
|
||||||
|
|
||||||
|
# Interval between health checks required to be 10 or 30
|
||||||
|
interval = 10
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
connection_draining = true
|
resource "aws_lb_target_group" "workers-https" {
|
||||||
connection_draining_timeout = 300
|
name = "${var.cluster_name}-workers-https"
|
||||||
|
vpc_id = "${aws_vpc.network.id}"
|
||||||
|
target_type = "instance"
|
||||||
|
|
||||||
|
protocol = "TCP"
|
||||||
|
port = 443
|
||||||
|
|
||||||
|
# Ingress Controller HTTP health check
|
||||||
|
health_check {
|
||||||
|
protocol = "HTTP"
|
||||||
|
port = 10254
|
||||||
|
path = "/healthz"
|
||||||
|
|
||||||
|
# NLBs required to use same healthy and unhealthy thresholds
|
||||||
|
healthy_threshold = 3
|
||||||
|
unhealthy_threshold = 3
|
||||||
|
|
||||||
|
# Interval between health checks required to be 10 or 30
|
||||||
|
interval = 10
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
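Review bot: The `security_groups` attribute dropped from the load balancer (old side, `security_groups = ["${aws_security_group.worker.id}"]`) has no equivalent on `aws_lb` of type `network`, and because NLB instance targets see the client's source address rather than a load-balancer address, worker security group rules that previously matched the ELB through `self` no longer cover listener traffic on 80 and 443; the worker rules live outside this hunk, so confirm they admit those ports from the intended client ranges. A comment on the `aws_lb` resource such as `# NLBs carry no security groups; clients reach workers with their own source IP, so the worker SG must admit 80/443` would record that constraint next to the resource that created it. The removed `connection_draining_timeout = 300` corresponds to the target group's `deregistration_delay`, which is left at its default here, so the draining behaviour is preserved only implicitly; setting `deregistration_delay = 300` on both `aws_lb_target_group` resources would make the intent explicit.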
@ -1,4 +1,4 @@
|
||||||
output "ingress_dns_name" {
|
output "ingress_dns_name" {
|
||||||
value = "${aws_elb.ingress.dns_name}"
|
value = "${aws_lb.ingress.dns_name}"
|
||||||
description = "DNS name of the ELB for distributing traffic to Ingress controllers"
|
description = "DNS name of the network load balancer for distributing traffic to Ingress controllers"
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,7 +5,7 @@ terraform {
|
||||||
}
|
}
|
||||||
|
|
||||||
provider "aws" {
|
provider "aws" {
|
||||||
version = "~> 1.0"
|
version = "~> 1.7"
|
||||||
}
|
}
|
||||||
|
|
||||||
provider "local" {
|
provider "local" {
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
# Workers AutoScaling Group
|
# Workers AutoScaling Group
|
||||||
resource "aws_autoscaling_group" "workers" {
|
resource "aws_autoscaling_group" "workers" {
|
||||||
name = "${var.cluster_name}-worker ${aws_launch_configuration.worker.name}"
|
name = "${var.cluster_name}-worker ${aws_launch_configuration.worker.name}"
|
||||||
load_balancers = ["${aws_elb.ingress.id}"]
|
|
||||||
|
|
||||||
# count
|
# count
|
||||||
desired_capacity = "${var.worker_count}"
|
desired_capacity = "${var.worker_count}"
|
||||||
|
@ -16,6 +15,12 @@ resource "aws_autoscaling_group" "workers" {
|
||||||
# template
|
# template
|
||||||
launch_configuration = "${aws_launch_configuration.worker.name}"
|
launch_configuration = "${aws_launch_configuration.worker.name}"
|
||||||
|
|
||||||
|
# target groups to which instances should be added
|
||||||
|
target_group_arns = [
|
||||||
|
"${aws_lb_target_group.workers-http.id}",
|
||||||
|
"${aws_lb_target_group.workers-https.id}",
|
||||||
|
]
|
||||||
|
|
||||||
lifecycle {
|
lifecycle {
|
||||||
# override the default destroy and replace update behavior
|
# override the default destroy and replace update behavior
|
||||||
create_before_destroy = true
|
create_before_destroy = true
|
||||||
|
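Review bot: `target_group_arns` is filled from the target groups' `.id` while the listeners added in the same commit reference the same resources through `.arn`; `aws_lb_target_group` exposes `arn` as a documented attribute, so `"${aws_lb_target_group.workers-http.arn}",` and `"${aws_lb_target_group.workers-https.arn}",` would be consistent and self-describing for a field named after ARNs. The provider's `id` for this resource type is the ARN today, so this is a readability point rather than a functional one. The enclosing `aws_autoscaling_group` block starts before this hunk.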
@ -153,6 +158,16 @@ resource "aws_security_group_rule" "worker-node-exporter" {
|
||||||
self = true
|
self = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "aws_security_group_rule" "ingress-health" {
|
||||||
|
security_group_id = "${aws_security_group.worker.id}"
|
||||||
|
|
||||||
|
type = "ingress"
|
||||||
|
protocol = "tcp"
|
||||||
|
from_port = 10254
|
||||||
|
to_port = 10254
|
||||||
|
cidr_blocks = ["0.0.0.0/0"]
|
||||||
|
}
|
||||||
|
|
||||||
resource "aws_security_group_rule" "worker-kubelet" {
|
resource "aws_security_group_rule" "worker-kubelet" {
|
||||||
security_group_id = "${aws_security_group.worker.id}"
|
security_group_id = "${aws_security_group.worker.id}"
|
||||||
|
|
||||||
|
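Review bot: The new `ingress-health` rule admits port 10254 from `cidr_blocks = ["0.0.0.0/0"]`, whereas the `ingress-health-self` rule removed further down in this file limited that port to members of the worker group; NLB health checks originate from the load balancer's private addresses inside the VPC, so a rule scoped to the VPC such as `cidr_blocks = ["${aws_vpc.network.cidr_block}"]` (assuming `aws_vpc.network` is in the same module, as the target groups' `vpc_id` suggests) would admit the checker without opening the controller's health endpoint to every source. Whether the port is actually reachable from outside depends on the workers having public addresses, which this hunk does not show. A comment on the rule stating its purpose, `# Allow NLB health checks to reach the ingress controller on 10254`, would also help the next reader see why the rule differs from the `self`-scoped ones around it.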
@ -193,16 +208,6 @@ resource "aws_security_group_rule" "worker-kubelet-read-self" {
|
||||||
self = true
|
self = true
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "aws_security_group_rule" "ingress-health-self" {
|
|
||||||
security_group_id = "${aws_security_group.worker.id}"
|
|
||||||
|
|
||||||
type = "ingress"
|
|
||||||
protocol = "tcp"
|
|
||||||
from_port = 10254
|
|
||||||
to_port = 10254
|
|
||||||
self = true
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_security_group_rule" "worker-bgp" {
|
resource "aws_security_group_rule" "worker-bgp" {
|
||||||
security_group_id = "${aws_security_group.worker.id}"
|
security_group_id = "${aws_security_group.worker.id}"
|
||||||
|
|
||||||
|
|