From af5c413abff13ab84e72c922f5574b02024b5f68 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sun, 5 Nov 2017 22:51:29 -0800
Subject: [PATCH] Focus controller ELB on load balancing apiservers

* ELB distributing load across controllers is no longer the mechanism used to SSH to instances to distribute secrets
* Focus the ELB on load balancing across apiserver and edit the HTTP health check to an SSL:443 check
---
 aws/container-linux/kubernetes/elb.tf | 14 +++++++-------
 aws/container-linux/kubernetes/ssh.tf | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/aws/container-linux/kubernetes/elb.tf b/aws/container-linux/kubernetes/elb.tf
index 60f6d1a2..2a448a69 100644
--- a/aws/container-linux/kubernetes/elb.tf
+++ b/aws/container-linux/kubernetes/elb.tf
@@ -1,5 +1,5 @@
-# Controller Network Load Balancer DNS Record
-resource "aws_route53_record" "controllers" {
+# kube-apiserver Network Load Balancer DNS Record
+resource "aws_route53_record" "apiserver" {
 zone_id = "${var.dns_zone_id}"
 name = "${format("%s.%s.", var.cluster_name, var.dns_zone)}"
@@ -7,15 +7,15 @@ resource "aws_route53_record" "controllers" {
 # AWS recommends their special "alias" records for ELBs
 alias {
- name = "${aws_elb.controllers.dns_name}"
- zone_id = "${aws_elb.controllers.zone_id}"
+ name = "${aws_elb.apiserver.dns_name}"
+ zone_id = "${aws_elb.apiserver.zone_id}"
 evaluate_target_health = true
 }
 }
 # Controller Network Load Balancer
-resource "aws_elb" "controllers" {
- name = "${var.cluster_name}-controllers"
+resource "aws_elb" "apiserver" {
+ name = "${var.cluster_name}-apiserver"
 subnets = ["${aws_subnet.public.*.id}"]
 security_groups = ["${aws_security_group.controller.id}"]
@@ -30,7 +30,7 @@ resource "aws_elb" "controllers" {
 # Kubelet HTTP health check
 health_check {
- target = "HTTP:10255/healthz"
+ target = "SSL:443"
 healthy_threshold = 2
 unhealthy_threshold = 4
 timeout = 5
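Review bot: The new `target = "SSL:443"` only confirms that a TLS handshake completes on the controller, so an instance whose kube-apiserver is listening but unhealthy (for example with its backend store unreachable) is never taken out of the pool, whereas the replaced `HTTP:10255/healthz` target at least queried a health endpoint. If the apiserver's `/healthz` can be reached by the load balancer without client credentials, a `HTTPS:443/healthz` target would keep an application-level check; as I recall classic ELB does not validate the backend certificate for health checks, but that is worth confirming before relying on it. Moving the check off the kubelet's unauthenticated read-only port 10255 is itself an improvement, since it removes one reason to keep that port reachable from the ELB security group. The `# Kubelet HTTP health check` comment directly above `health_check {` is now stale and should read `# kube-apiserver TLS health check`; the `aws_elb.apiserver` resource body continues outside the hunk.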
diff --git a/aws/container-linux/kubernetes/ssh.tf b/aws/container-linux/kubernetes/ssh.tf
index 3630b661..4b58c297 100644
--- a/aws/container-linux/kubernetes/ssh.tf
+++ b/aws/container-linux/kubernetes/ssh.tf
@@ -69,7 +69,7 @@ resource "null_resource" "copy-secrets" {
 # Secure copy bootkube assets to ONE controller and start bootkube to perform
 # one-time self-hosted cluster bootstrapping.
 resource "null_resource" "bootkube-start" {
- depends_on = ["module.bootkube", "null_resource.copy-secrets", "aws_route53_record.controllers"]
+ depends_on = ["module.bootkube", "null_resource.copy-secrets", "aws_route53_record.apiserver"]
 connection {
 type = "ssh"