Switch apiserver from ELB to a network load balancer
This commit is contained in:
parent
86420fd507
commit
ceb5555222
|
@ -0,0 +1,67 @@
|
||||||
|
# kube-apiserver Network Load Balancer DNS Record
|
||||||
|
resource "aws_route53_record" "apiserver" {
|
||||||
|
zone_id = "${var.dns_zone_id}"
|
||||||
|
|
||||||
|
name = "${format("%s.%s.", var.cluster_name, var.dns_zone)}"
|
||||||
|
type = "A"
|
||||||
|
|
||||||
|
# AWS recommends their special "alias" records for ELBs
|
||||||
|
alias {
|
||||||
|
name = "${aws_lb.apiserver.dns_name}"
|
||||||
|
zone_id = "${aws_lb.apiserver.zone_id}"
|
||||||
|
evaluate_target_health = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Network Load Balancer for apiservers
|
||||||
|
resource "aws_lb" "apiserver" {
|
||||||
|
name = "${var.cluster_name}-apiserver"
|
||||||
|
load_balancer_type = "network"
|
||||||
|
internal = false
|
||||||
|
|
||||||
|
subnets = ["${aws_subnet.public.*.id}"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Forward HTTP traffic to controllers
|
||||||
|
resource "aws_lb_listener" "apiserver-https" {
|
||||||
|
load_balancer_arn = "${aws_lb.apiserver.arn}"
|
||||||
|
protocol = "TCP"
|
||||||
|
port = "443"
|
||||||
|
|
||||||
|
default_action {
|
||||||
|
type = "forward"
|
||||||
|
target_group_arn = "${aws_lb_target_group.controllers.arn}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Target group of controllers
|
||||||
|
resource "aws_lb_target_group" "controllers" {
|
||||||
|
name = "${var.cluster_name}-controllers"
|
||||||
|
vpc_id = "${aws_vpc.network.id}"
|
||||||
|
target_type = "instance"
|
||||||
|
|
||||||
|
protocol = "TCP"
|
||||||
|
port = 443
|
||||||
|
|
||||||
|
# Kubelet HTTP health check
|
||||||
|
health_check {
|
||||||
|
protocol = "TCP"
|
||||||
|
port = 443
|
||||||
|
|
||||||
|
# NLBs required to use same healthy and unhealthy thresholds
|
||||||
|
healthy_threshold = 3
|
||||||
|
unhealthy_threshold = 3
|
||||||
|
|
||||||
|
# Interval between health checks required to be 10 or 30
|
||||||
|
interval = 10
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Attach controller instances to apiserver NLB
|
||||||
|
resource "aws_lb_target_group_attachment" "controllers" {
|
||||||
|
count = "${var.controller_count}"
|
||||||
|
|
||||||
|
target_group_arn = "${aws_lb_target_group.controllers.arn}"
|
||||||
|
target_id = "${element(aws_instance.controllers.*.id, count.index)}"
|
||||||
|
port = 443
|
||||||
|
}
|
|
@ -1,43 +0,0 @@
|
||||||
# kube-apiserver Network Load Balancer DNS Record
|
|
||||||
resource "aws_route53_record" "apiserver" {
|
|
||||||
zone_id = "${var.dns_zone_id}"
|
|
||||||
|
|
||||||
name = "${format("%s.%s.", var.cluster_name, var.dns_zone)}"
|
|
||||||
type = "A"
|
|
||||||
|
|
||||||
# AWS recommends their special "alias" records for ELBs
|
|
||||||
alias {
|
|
||||||
name = "${aws_elb.apiserver.dns_name}"
|
|
||||||
zone_id = "${aws_elb.apiserver.zone_id}"
|
|
||||||
evaluate_target_health = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Controller Network Load Balancer
|
|
||||||
resource "aws_elb" "apiserver" {
|
|
||||||
name = "${var.cluster_name}-apiserver"
|
|
||||||
subnets = ["${aws_subnet.public.*.id}"]
|
|
||||||
security_groups = ["${aws_security_group.controller.id}"]
|
|
||||||
|
|
||||||
listener {
|
|
||||||
lb_port = 443
|
|
||||||
lb_protocol = "tcp"
|
|
||||||
instance_port = 443
|
|
||||||
instance_protocol = "tcp"
|
|
||||||
}
|
|
||||||
|
|
||||||
instances = ["${aws_instance.controllers.*.id}"]
|
|
||||||
|
|
||||||
# Kubelet HTTP health check
|
|
||||||
health_check {
|
|
||||||
target = "SSL:443"
|
|
||||||
healthy_threshold = 2
|
|
||||||
unhealthy_threshold = 4
|
|
||||||
timeout = 5
|
|
||||||
interval = 6
|
|
||||||
}
|
|
||||||
|
|
||||||
idle_timeout = 3600
|
|
||||||
connection_draining = true
|
|
||||||
connection_draining_timeout = 300
|
|
||||||
}
|
|
|
@ -7,7 +7,7 @@ resource "aws_lb" "ingress" {
|
||||||
subnets = ["${aws_subnet.public.*.id}"]
|
subnets = ["${aws_subnet.public.*.id}"]
|
||||||
}
|
}
|
||||||
|
|
||||||
# Forward HTTP traffic to instances
|
# Forward HTTP traffic to workers
|
||||||
resource "aws_lb_listener" "ingress-http" {
|
resource "aws_lb_listener" "ingress-http" {
|
||||||
load_balancer_arn = "${aws_lb.ingress.arn}"
|
load_balancer_arn = "${aws_lb.ingress.arn}"
|
||||||
protocol = "TCP"
|
protocol = "TCP"
|
||||||
|
@ -19,7 +19,7 @@ resource "aws_lb_listener" "ingress-http" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Forward HTTPS traffic to instances
|
# Forward HTTPS traffic to workers
|
||||||
resource "aws_lb_listener" "ingress-https" {
|
resource "aws_lb_listener" "ingress-https" {
|
||||||
load_balancer_arn = "${aws_lb.ingress.arn}"
|
load_balancer_arn = "${aws_lb.ingress.arn}"
|
||||||
protocol = "TCP"
|
protocol = "TCP"
|
||||||
|
|
Loading…
Reference in New Issue