Switch Ingress ELB to a network load balancer
* Require terraform-provider-aws 1.7 or higher
This commit is contained in:
parent
c8313751d7
commit
22fa051002
|
@ -1,32 +1,80 @@
|
|||
# Ingress Network Load Balancer
|
||||
resource "aws_elb" "ingress" {
|
||||
# Network Load Balancer for Ingress
|
||||
resource "aws_lb" "ingress" {
|
||||
name = "${var.cluster_name}-ingress"
|
||||
load_balancer_type = "network"
|
||||
internal = false
|
||||
|
||||
subnets = ["${aws_subnet.public.*.id}"]
|
||||
security_groups = ["${aws_security_group.worker.id}"]
|
||||
}
|
||||
|
||||
listener {
|
||||
lb_port = 80
|
||||
lb_protocol = "tcp"
|
||||
instance_port = 80
|
||||
instance_protocol = "tcp"
|
||||
}
|
||||
# Forward HTTP traffic to instances
|
||||
resource "aws_lb_listener" "ingress-http" {
|
||||
load_balancer_arn = "${aws_lb.ingress.arn}"
|
||||
protocol = "TCP"
|
||||
port = 80
|
||||
|
||||
listener {
|
||||
lb_port = 443
|
||||
lb_protocol = "tcp"
|
||||
instance_port = 443
|
||||
instance_protocol = "tcp"
|
||||
default_action {
|
||||
type = "forward"
|
||||
target_group_arn = "${aws_lb_target_group.workers-http.arn}"
|
||||
}
|
||||
}
|
||||
|
||||
# Forward HTTPS traffic to instances
|
||||
resource "aws_lb_listener" "ingress-https" {
|
||||
load_balancer_arn = "${aws_lb.ingress.arn}"
|
||||
protocol = "TCP"
|
||||
port = 443
|
||||
|
||||
default_action {
|
||||
type = "forward"
|
||||
target_group_arn = "${aws_lb_target_group.workers-https.arn}"
|
||||
}
|
||||
}
|
||||
|
||||
# Network Load Balancer target groups of instances
|
||||
|
||||
resource "aws_lb_target_group" "workers-http" {
|
||||
name = "${var.cluster_name}-workers-http"
|
||||
vpc_id = "${aws_vpc.network.id}"
|
||||
target_type = "instance"
|
||||
|
||||
protocol = "TCP"
|
||||
port = 80
|
||||
|
||||
# Ingress Controller HTTP health check
|
||||
health_check {
|
||||
target = "HTTP:10254/healthz"
|
||||
healthy_threshold = 2
|
||||
unhealthy_threshold = 4
|
||||
timeout = 5
|
||||
interval = 6
|
||||
}
|
||||
protocol = "HTTP"
|
||||
port = 10254
|
||||
path = "/healthz"
|
||||
|
||||
connection_draining = true
|
||||
connection_draining_timeout = 300
|
||||
# NLBs required to use same healthy and unhealthy thresholds
|
||||
healthy_threshold = 3
|
||||
unhealthy_threshold = 3
|
||||
|
||||
# Interval between health checks required to be 10 or 30
|
||||
interval = 10
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_lb_target_group" "workers-https" {
|
||||
name = "${var.cluster_name}-workers-https"
|
||||
vpc_id = "${aws_vpc.network.id}"
|
||||
target_type = "instance"
|
||||
|
||||
protocol = "TCP"
|
||||
port = 443
|
||||
|
||||
# Ingress Controller HTTP health check
|
||||
health_check {
|
||||
protocol = "HTTP"
|
||||
port = 10254
|
||||
path = "/healthz"
|
||||
|
||||
# NLBs required to use same healthy and unhealthy thresholds
|
||||
healthy_threshold = 3
|
||||
unhealthy_threshold = 3
|
||||
|
||||
# Interval between health checks required to be 10 or 30
|
||||
interval = 10
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
output "ingress_dns_name" {
|
||||
value = "${aws_elb.ingress.dns_name}"
|
||||
description = "DNS name of the ELB for distributing traffic to Ingress controllers"
|
||||
value = "${aws_lb.ingress.dns_name}"
|
||||
description = "DNS name of the network load balancer for distributing traffic to Ingress controllers"
|
||||
}
|
||||
|
|
|
@ -5,7 +5,7 @@ terraform {
|
|||
}
|
||||
|
||||
provider "aws" {
|
||||
version = "~> 1.0"
|
||||
version = "~> 1.7"
|
||||
}
|
||||
|
||||
provider "local" {
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
# Workers AutoScaling Group
|
||||
resource "aws_autoscaling_group" "workers" {
|
||||
name = "${var.cluster_name}-worker ${aws_launch_configuration.worker.name}"
|
||||
load_balancers = ["${aws_elb.ingress.id}"]
|
||||
|
||||
# count
|
||||
desired_capacity = "${var.worker_count}"
|
||||
|
@ -16,6 +15,12 @@ resource "aws_autoscaling_group" "workers" {
|
|||
# template
|
||||
launch_configuration = "${aws_launch_configuration.worker.name}"
|
||||
|
||||
# target groups to which instances should be added
|
||||
target_group_arns = [
|
||||
"${aws_lb_target_group.workers-http.id}",
|
||||
"${aws_lb_target_group.workers-https.id}",
|
||||
]
|
||||
|
||||
lifecycle {
|
||||
# override the default destroy and replace update behavior
|
||||
create_before_destroy = true
|
||||
|
@ -153,6 +158,16 @@ resource "aws_security_group_rule" "worker-node-exporter" {
|
|||
self = true
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "ingress-health" {
|
||||
security_group_id = "${aws_security_group.worker.id}"
|
||||
|
||||
type = "ingress"
|
||||
protocol = "tcp"
|
||||
from_port = 10254
|
||||
to_port = 10254
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "worker-kubelet" {
|
||||
security_group_id = "${aws_security_group.worker.id}"
|
||||
|
||||
|
@ -193,16 +208,6 @@ resource "aws_security_group_rule" "worker-kubelet-read-self" {
|
|||
self = true
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "ingress-health-self" {
|
||||
security_group_id = "${aws_security_group.worker.id}"
|
||||
|
||||
type = "ingress"
|
||||
protocol = "tcp"
|
||||
from_port = 10254
|
||||
to_port = 10254
|
||||
self = true
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "worker-bgp" {
|
||||
security_group_id = "${aws_security_group.worker.id}"
|
||||
|
||||
|
|
Loading…
Reference in New Issue